Developers and HIPAA

Does HIPAA extend to untethered PHRs?

A software company (e.g. a startup) develops an untethered PHR that is offered directly to the patient (consumer). The patient then authorizes the PHR to "request" and "pull" (on behalf of the patient) all records from all portals offered by healthcare provider EHRs (e.g. Epic (MyChart), Cerner, etc.). The PHR gets access to all portals using logon credentials provided by the patient (e.g. the patient provides all usernames and passwords for all portals).


Is such an untethered PHR covered by HIPAA? What federal laws must an untethered PHR follow (e.g. which privacy and security laws)? If the patient (consumer) cancels the account with the untethered PHR, is the PHR obligated to erase all data about the patient? Are there federal laws that prevent the PHR from using de-identified data (stored within the PHR) for secondary purposes?


Who are your customers? Patients/Individuals/Consumers

What is your organization? Your products send, receive, and/or view data/information to/from an EHR or related platform

Voting: 3 votes (3 up, 0 down)
Question No. 37