Identify Developer Issues

We are experiencing an explosion of technology using data about the health of individuals in innovative ways to improve health outcomes. Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is safe and secure and will be used and disclosed only as approved or expected. Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security and Breach Notification Rules.

Yet many mHealth developers are not familiar with the HIPAA Rules and how the rules would apply to their products. Use this site to help OCR understand what guidance on HIPAA regulations would be helpful to you. Please tell us: What topics should we address in guidance? What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable, more accessible? Use this page to submit your questions about HIPAA. Or present a use case. Look at what your peers are discussing, comment on it and vote on which topics or use cases would be the most helpful or important to your work.

OCR launched this platform for mobile health developers and others interested in the intersection of health information technology and HIPAA privacy and security protections. Anyone may browse the site. Users who want to submit questions, offer comments on other submissions or vote on the relevancy of the topic can register using their email addresses, but their identities and addresses are anonymous to OCR. Posting or commenting on a question on this site will not subject anyone to enforcement action. We will be moderating submissions for appropriateness but we cannot vouch for the accuracy of their representations. We cannot respond individually to questions, although we will try to post links to existing relevant resources when we can. OCR appreciates your input and will consider your comments as we develop our priorities for additional guidance and technical assistance. We value your continued engagement on these important issues. Please consider adding our widget to your website or blog.

Developers and HIPAA

Text messaging and HIPAA

There is currently a lack of clarity about whether patient consent to communicate via (unencrypted) SMS is adequate to protect covered entities from HIPAA concerns. HHS (and medical research) has released data supported use of non-encrypted SMS, given its high accessibility to patients and its efficacy in achieving behavior change (e.g. medication compliance, smoking cessation). Many covered entities feel that this ...more »

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor) General Public Health plans or health care providers Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan Not for profit Developer working on homegrown apps within a health care setting

8 votes (8 up, 0 down)

Developers and HIPAA

Can HIPAA address patient generated data?

Developers need better guidance around patient generated health data, since HIPAA focusses on one-way data sharing from a provider/other covered entity outward to the patient/other entity. In the future, more and more data will be flowing in the opposite direction, and there should be guidance to clarify that HIPAA should not prevent the flow of information from the patient back to the provider.

Who are your customers? Check all that apply : General Public

What is your organization? : Government

6 votes (6 up, 0 down)
Answered Questions

Developers and HIPAA

Audits

With random audits becoming a feature of HIPAA enforcement, small companies and Business Associates should ensure that information sought by OCR is readily available. This will allow OCR to make assessments quickly and efficiently. Making this process efficient also limits the disruptive impact audits can have on emerging companies. Similar to the practice of the FCC, can OCR provide guidance for Business Associates regarding ...more »

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor) Other General Public Patients/Individuals/Consumers

What is your organization? : Small company Trade association

5 votes (6 up, 1 down)
Answered Questions

Developers and HIPAA

PHI request through SMS from provider

I understand there is some ambiguity regarding providers communicating PHI with patients, and I'm having some trouble interpreting how it applies to me. My provider developed software to engage patients via unencrypted SMS. My provider's medical practitioners will determine a patient is in need of monitoring and will develop or reuse a workflow to regularly request defined PHI from patients--such as diastolic and systolic ...more »

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan Not for profit

5 votes (5 up, 0 down)

Developers and HIPAA

Help with business associate agreements

There is a lack of transparency around the content of Business Associate Agreements (BAAs), a lack of sample BAA language around the topics developers care about, such as cloud storage & PGHD, and a lack of bargaining power on the part of startups. This has led to many challenges for the industry, resulting in high legal fees which may be a barrier to entry for many companies. HHS should issue sample BAA language around ...more »

Who are your customers? Check all that apply : General Public

What is your organization? : Government

5 votes (5 up, 0 down)
Answered Questions

Developers and HIPAA

What part of the environment has to be compliant?

Does the entire environment need to be HIPAA compliant, or is it possible that the solution could fall into an exception to HIPAA, or can they use an API to store certain kinds of data? If you’re building modern technologies, you’re relying on a lot of third party (likely API) based services; mostly cloud based services. So which aspects of those need to be compliant?

Who are your customers? Check all that apply : General Public

What is your organization? : Government

5 votes (5 up, 0 down)
Answered Questions

Developers and HIPAA

Does an online appointment scheduler need to abide by HIPAA?

I would like to know if I offer an online appointment scheduler to health care providers, would the system and I, as the programmer/manager, need to abide by HIPAA or other related laws. Information included in the system would not be medical in nature; it would just be the client's name, appointment date and time, their email address and phone number. Possibly a credit card for deposits, but that's not the concern. The ...more »

Who are your customers? Check all that apply : Health plans or health care providers

What is your organization? : Software developer not specific to health care

4 votes (4 up, 0 down)
Answered Questions

Developers and HIPAA

De-identification of individuals' information

Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de-identify information purely for the purposes of selling data as a service? Additionally, from a Privacy Rule perspective (i.e., not considering state law or contractual considerations), are there any restrictions on a business associate using or disclosing the de-identified ...more »

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Attorney/other compliance consultant

3 votes (3 up, 0 down)
Answered Questions

Developers and HIPAA

HIPAA Training

Employees of a Business Associate must be trained on the basics of HIPAA. Startups and emerging companies want to ensure that the training their employees receive meets the standards expected by OCR. Similar to the practices of OSHA, can OCR provide a standardized training program on key HIPAA issues?

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor) Other General Public Patients/Individuals/Consumers

What is your organization? : Small company Trade association

3 votes (3 up, 0 down)
Answered Questions

Developers and HIPAA

Risk Assessment Tool

Small companies and Business Associates are eager to meet their security requirements under HIPAA. Many smaller B.A.s have stated that they are unable to use the current security risk assessment tool because they believe it is needlessly cumbersome, redundant, and designed for Covered Entities. Do you recommend that Business Associates start to use private tools instead of the current tool for risk assessments? If so, ...more »

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor) Other General Public Patients/Individuals/Consumers

What is your organization? : Small company Trade association

3 votes (3 up, 0 down)
Answered Questions

Developers and HIPAA

Sale of Data Collected by a Consumer Targeted App

We are not a covered entity or business associate. We are developing a direct-to-consumer app that tracks medication adherence. We want to de-identify the information the app collects to sell to third parties. Do we follow the same HIPAA de-identification processes that a covered entity or business associate would follow?

Who are your customers? Check all that apply : General Public Patients/Individuals/Consumers

What is your organization? : Small company Software developer not specific to health care

3 votes (3 up, 0 down)
Answered Questions

Developers and HIPAA

EHR software partner uses third-party API

Our EHR solution is partnering with another health related software company with a cloud based API product to provide additional solutions for providers. This is a seamless connection. Some PHI would be stored on the API cloud based system while our EHR would also store PHI either on the client server or the cloud. I have several questions. I am assuming that the business associate between our clients/providers ...more »

Who are your customers? Check all that apply : Health plans or health care providers

What is your organization? : Your products send, receive, and/or view data/information to/from an EHR or related platform EHR vendor Cloud service provider

3 votes (3 up, 0 down)

Developers and HIPAA

HIPAA Compliant Forms

I am in the process of working with a hospital that is using a marketing software product to integrate forms into a new website project. We have recently gotten into the discussion regarding HIPAA compliance. It turns out the product's forms are not HIPAA compliant. With that being said, the information being captured by these forms on the site is not intended to be medical information. The purpose of these forms ...more »

Who are your customers? Check all that apply : General Public Patients/Individuals/Consumers

What is your organization? : Small company

3 votes (3 up, 0 down)

Developers and HIPAA

HIPAA E-Signature Requirements

We are a small organization starting up a tele-health initiative. We would like to deliver a copy of our Notice of Privacy Practices electronically and have patients acknowledge receipt via check box prior to completing our online intake forms. This method is used for acceptance when one downloads software online. We are having a difficult time understanding the requirements for this. Can it be a check box and/or typed ...more »

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan Small company Not for profit

3 votes (3 up, 0 down)
Answered Questions