
OCR Warns of HIPAA Risks in Third-Party Apps

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued a warning regarding vulnerabilities in third-party applications used by entities covered by HIPAA. The OCR warning applies generally to HIPAA Covered Entities and Business Associates. While Covered Entities and Business Associates are more cognizant of vulnerabilities in operating systems (like Windows) and install updates and patches as needed (we hope), OCR reported that companies are less likely to do the same for third-party applications (like Adobe's Acrobat or others). To beef up security in these applications, OCR suggests that Covered Entities and Business Associates should:

  1. Test third-party applications for security vulnerabilities prior to installation and on a regular basis afterward.
  2. Install patches or updates to the software continuously. "The majority of software developers disclose their security flaws to the public; however, attackers exploit these known vulnerabilities if HIPAA Covered Entities and Business Associates do not fix the security flaws in a timely manner," OCR notes.
  3. Carefully review end user license agreements to understand security risks in the applications. OCR warns that this information should not be ignored.

According to a recent study released by the Ponemon Institute, healthcare organizations face about one cyberattack per month and are still struggling to find effective strategies to keep systems secure.

In other health-related privacy news, earlier this month, OCR announced the release of three YouTube videos and an infographic on individuals' rights to access health information. In contrast to guidance on the same topic published earlier this year, these videos are specifically geared toward consumers in an effort to increase individuals' understanding of their rights under HIPAA. Each video focuses on a specific topic: the basics of an individual's access rights; the fees that may be charged for such access; and the rights of third parties to access an individual's health information. The infographic also provides an overview of these rights.

OCR explained that consumers' understanding of their basic access rights is important in helping patients take more control over their healthcare decisions. OCR also noted that individuals who access their health information are more equipped to follow treatment plans, discover errors in their medical records, and share their information for research purposes. Even though this new guidance was developed for consumers, OCR's repeated recent dissemination of information on this issue demonstrates its dedication to individual access rights. Healthcare entities must ensure that they have the proper policies, procedures, and training to comply.

Also see Mintz Levin's Health Law Policy Matters blog

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.