Campaign: Developers and HIPAA

What is BAA to do with stored patient health info

The scenario is this: A private health clinic (PHC) signs up online to use a web-based EHR application to create patient charts, schedule patients, provide a patient portal, etc. - classic practice management tasks. The EHR vendor has a BAA with a company which hosts its web application and the encrypted database. My question is, what happens to the PHC's electronically stored ePHI if the PHC's account is cancelled and/or the EHR vendor has exhausted all confirmed methods of contact with the PHC (email, text). Is it possible to have Terms of Service which include destroying the PHC's stored patient data if the PHC is unreachable? Do other laws (ie. state laws about holding onto patient data for a certain number of years) apply to the EHR vendor and their web host company? The EHR vendor can't possibly be required to pay to store the PHC's patient data for 7-10 years or whatever, right?

Submitted by

Tags (If you have a multi-word tag, add a hyphen (-) between the words.)

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor)

What is your organization? : EHR vendor

Voting

1 vote
1 up votes
0 down votes
Question No. 58