Will educating patients about the privacy and security risks posed by third-party apps that the patient chooses be considered interference?
Will educating patients about the privacy and security risks posed by third-party apps that the patient chooses be considered interference?
It will not be considered an “interference” with the access, exchange, or use of EHI if:
- Foremost, the information provided by actors focuses on any current privacy and/or security risks posed by the technology or the third-party developer of the technology;
- Second, this information is factually accurate, unbiased, objective, and not unfair or deceptive; and
- Finally, the information is provided in a non-discriminatory manner.
For example, actors may establish processes where they notify a patient, call to a patient’s attention, or display in advance (as part of the app authorization process within certified API technology) whether the third-party developer of the app that the patient is about to authorize to receive their EHI has attested in the positive or negative as to whether the third party’s privacy policy and practices (including security practices) meet particular benchmarks. However, such processes must be non-discriminatory in that they must be used in the same manner for all third-party apps/developers.
The particular benchmarks an actor might identify in this example could be the minimum expectations described below, more stringent “best practice” expectations that may be set by the market, or some combination of minimum and “best practice” expectations.
As described in the Final Rule at 85 FR 25816, all third-party privacy policies and practices should, at a minimum, adhere to the following:
- The privacy policy is made publicly accessible at all times, including updated versions;
- The privacy policy is shared with all individuals that use the technology prior to the technology’s receipt of EHI from an actor;
- The privacy policy is written in plain language and in a manner calculated to inform the individual who uses the technology;
- The privacy policy includes a statement of whether and how the individual’s EHI may be accessed, exchanged, or used by any other person or other entity, including whether the individual’s EHI may be sold at any time (including in the future); and
- The privacy policy includes a requirement for express consent from the individual before the individual’s EHI is accessed, exchanged, or used, including receiving the individual’s express consent before the individual’s EHI is sold (other than disclosures required by law or disclosures necessary in connection with the sale of the application or a similar transaction).