What kind of limitations on role-based access does an EHR have to provide in order to comply with the “minimum necessary” standard? For example, if an employee only needs demographic or scheduling information to fulfill their job, does the EHR have to include mechanisms to prevent that employee from accessing other clinical information, or is having audit capability (combined with staff training and written policies) ...more »
We have a question regarding a vendor that claims that they don't need a BAA as they are a "conduit" and are exception. Is there someone at the OCR that could help us adjudicate this problem?
A software company (e.g. a startup) develops an untethered PHR that is offered directly to the patient (consumer). The patient then authorizes PHR to "request" and "pull" (on behalf of patient) all records from all portals offered by healthcare provider EHRs (e.g. by Epic (MyChart), Cerner,...etc). The PHR gets access to all portals using logon credentials provided by the patient (e.g. patient provides all usernames and ...more »
There is currently a lack of clarity about whether patient consent to communicate via (unencrypted) SMS is adequate to protect covered entities from HIPAA concerns. HHS (and medical research) has released data supported use of non-encrypted SMS, given its high accessibility to patients and its efficacy in achieving behavior change (e.g. medication compliance, smoking cessation). Many covered entitites feel that this ...more »
Is a BA Contract required between a BA providing PHI to another BA of a CE? (for example, a CE requests their EHR vendor to send PHI to a data analytics firm OR a CE requests a data analytics firm to send PHI to another vendor doing work on the CE's behalf)?
We have developed a platform to facilitate the scheduling of transport/rides for patients to provider appointments. The process works as follows. The provider logs into a secure site, to schedule a ride to an appointment for a patient. The platform, at the appropriate time, sends formation to a rider service provider (someone such as Lyft, Uber, etc..) to schedule the transport. The information provide the transport ...more »
Can a provider, or business associate acting on behalf of a provider, send an unencrypted text or email to a patient if the initial message does not contain protected health information and the patient requested the communication? If so, can the patient give the provider consent to use a third-party mailing service, even if the provider (or business associate of the provider) does not have a business associate agreement ...more »
I am a student creating an app for school project. I was wondering if I have to be HIPAA compliant. I am creating an app, where diabetics can store their glucose and calculate insulin dosage. None of the information will be sent to hospitals or physicians. How would HIPAA work in this case? Thank you ahead.
I'm wondering if Verizon Home Phone connect with a analog phone hooked up to is violates HIPAA in any way. I'm more concerned about cellular technology VS POTS. There is no data transmission only voice.
Certain pediatric tasks require fairly precise ages, for example when evaluating jaundice one must know a baby's age in hours. What precautions are required to ensure that a birthdate cannot be inferred by usage data from an app that automates some of these tasks? For example, if a nurse enters in that a baby is 8 hours old, it seems a birthdate could be identified if the time of the nurse/app interaction was known. ...more »
Is Skype or any other video chat app HIPAA-compliant? Which video chat apps can currently be used for telehealth treatment activities involving general physicians or involving mental health professionals?
Private Practice Physicians have the opportunity by contracting with a large health care entity to get into electronic health records EHR. In wanting to satisfy the continuum of care one practice can see any treatment provided by another provider for their patient. They can access diagnostics within the health care entities network. All good things! My concern, though users sign off on a confidentiality agreement ...more »