HIPAA Qs Portal Notes

March 25, 2020: OCR Issues Guidance on Telehealth Remote Communications Following Its Notification of Enforcement Discretion

Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued guidance on telehealth remote communications following its Notification of Enforcement Discretion during the COVID-19 nationwide public health emergency.

The Notification, issued earlier this week, announced, effective immediately, that OCR is exercising its enforcement discretion to not impose penalties for HIPAA violations against healthcare providers in connection with their good faith provision of telehealth using communication technologies during the COVID-19 nationwide public health emergency.

More information can be found here: https://www.hhs.gov/about/news/2020/03/20/ocr-issues-guidance-on-telehealth-remote-communications-following-its-notification-of-enforcement-discretion.html.


Dec 2, 2019: To users of the OCR HIPAA developer portal:


· We want to pass on the FTC’s PrivacyCon 2020 call for presentations on the privacy of health data collected, stored, and transmitted by mobile applications (“apps”). The FTC will host its fifth annual PrivacyCon on July 21, 2020. The deadline for submissions is April 10, 2020.

· OCR has posted FAQs on Patient Access and APIs. OCR released frequently asked questions about the Health Insurance Portability and Accountability Act (HIPAA) right of access related to apps designated by the individual and application programming interfaces (APIs) used by the provider’s electronic health record system. The FAQs clarify that once protected health information has been shared with a third-party app, as directed by the individual, the HIPAA covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic protected health information, provided the app developer is not itself a business associate of a covered entity or other business associate.

· FAQs on APIs, as well as other FAQs on HIPAA and HIT.

· Press Release


Feb. 16, 2018: New Report: Key Privacy and Security Considerations for Healthcare Application Programming Interfaces (APIs)

Happy Friday of President's Day weekend. Looking for offline reading material? Take a look at the following resource, recently released by our colleagues in ONC. It provides considerations and tips for EHR developers and health care providers looking to implement APIs that enable individual access (a HIPAA right) to their health information through apps. The report is entitled Key Privacy and Security Considerations for Healthcare Application Programming Interfaces (APIs).

NEW: Sync for Science (S4S) API Privacy and Security Report
This document describes key considerations for implementing and managing application programming interfaces (APIs) in healthcare with respect to the privacy and security of health information. These considerations were developed as a result of testing and assessing a volunteer subset of the implementations of the Sync for Science (S4S) API. Read the report.


Dec. 5, 2017: code-a-thon, patient-matching webinar, provider API education

Hello, digital health developers. We want to alert you to some interesting HHS projects. First, HHS is hosting an opioid code-a-thon tomorrow. Second, ONC will host a webinar addressing patient matching issues next week. Third, take a look at the new API education module for providers and patients.

NEW Tool: API Education Module
The 2015 Edition final rule includes several health IT certification criteria that support patient access to, and patient-directed transmission of, their health information, both of which can be built through the use of Application Programming Interfaces (APIs). ONC has created an interactive API Education Module to help providers and consumers learn how APIs work and how they can be used in helping improve that access to information. Check out the API Education Module.

Interoperability in Action Webinar

ONC has developed a variety of patient matching projects focused on improving data quality, achieving higher interoperability, and delivering safer healthcare. This webinar will provide an overview of the design and outcome of each of those projects, including lessons learned and best practices for patient data capture and record matching.