Developers and HIPAA

Must a mobile app PHR be password protected?

A covered entity provides test results to patients through a Patient Mobile App or a Website. Patients must request access and data is transmitted securely.


Once the patient has custody of the PHI (as a downloaded report on the website, or as received data on the mobile device), is the Covered Entity responsible if the patient loses their own data? Is it required, for example, that the Mobile App be password protected? What if unrelated malware on the patient's device or computer transmits the PHI?

