Skip to main content
U.S. flag

An official website of the United States government

Return to Search

FAQ 2063 Do individuals have a right under HIPAA to have a covered entity establish a direct connection between the covered entity’s system and the individual’s app or device in order to provide the individuals with access to their PHI?

This FAQ answers if individuals have a right undre HIPAA to have a covered entity establish a direct connection between the covered entity's system and the individual's app or device in order to provide the individuals with access to their PHI.

Final

Issued by: Office for Civil Rights (OCR)

Do individuals have a right under HIPAA to have a covered entity establish a direct connection between the covered entity’s system and the individual’s app or device in order to provide the individuals with access to their PHI?

Whether PHI is “readily producible” for purposes of providing access will depend on the extent to which establishing the connection is within the capabilities of the covered entity and would not present an unacceptable level of risk to the security of the PHI on a covered entity’s systems, based on the covered entity’s Security Rule risk analysis.

A covered entity may determine that it has the capability to establish the type of connection requested in a manner consistent with the applicable security measures implemented in accordance with its security management process. In that case, the covered entity must provide access in the manner requested by the individual. Further, we note that starting in 2018, under Stage 3 of the EHR Incentive Program, eligible professionals, eligible hospitals, and critical access hospitals (CAHs) using Certified EHR Technology must enable application programming interface (API) functionality that would allow patients to use the application of their choice to access their data. In addition, we note that many provider systems are already using API functionality to provide patients with access to their data today in a secure manner. We expect that covered entities will assess and address any security considerations associated with connecting their systems with individual applications or devices, including through Certified EHR Technology (where applicable), as part of their HIPAA security management process.

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.