A software company (e.g. a startup) develops an untethered PHR that is offered directly to the patient (consumer). The patient then authorizes PHR to "request" and "pull" (on behalf of patient) all records from all portals offered by healthcare provider EHRs (e.g. by Epic (MyChart), Cerner,...etc). The PHR gets access to all portals using logon credentials provided by the patient (e.g. patient provides all usernames and all passwords to all portals).
Is such untethered PHR covered by HIPAA? What federal laws must untethered PHR follow (e.g. which privacy and security laws)? If patient (consumer) cancels the account with untethered PHR, is PHR obligated to erase all data about the patient? Are there federal laws that prevent PHR from using de-identified data (stored within PHR) for secondary purposes?