Campaign: Developers and HIPAA

HIPAA E-Signature Requirements

We are a small organization starting up a tele-health initiative. We would like to deliver a copy of our Notice of Privacy Practices electronically and have patients acknowledge receipt via check box prior to completing our online intake forms. This method is used for acceptance when one downloads software online. We are having a difficult time understanding the requirements for this. Can it be a check box and/or typed ...more »

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, Small company, Not for profit

Voting

3 votes
3 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Provider suggested use of an App - there is a breach

A provider or a wellness management company, which are both subject to HIPAA because they collect and house PHI. If that provider or wellness provider suggest to a patient that they use an app (the app was not developed for them and there has been no communication with the app company that the providers are going to use the app) to gather health data to share with them and the app company suffers a breach of information. ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Other

What is your organization? : Trade association

Voting

1 vote
1 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Unencrypted PHI in the Cloud

From Kevin Wiggins, Saul Ewing: If a CE puts PHI on the Cloud and later terminates that Cloud as a service provider, there is inevitably some data remanence, thus leaving PHI on the Cloud. NIST Special Publication 800-80 addresses this by suggesting CEs use crypto-erase. What if the CE previously sent unencrypted PHI to the Cloud? Is it as simple as extending the protections of the contract to the information and ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Health plans or health care providers

What is your organization? : Attorney/other compliance consultant

Voting

1 vote
1 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Sale of Data Collected by a Consumer Targeted App

We are not a covered entity or business associate. We are developing a direct-to-consumer app that tracks medication adherence. We want to de-identify the information the app collects to sell to third parties. Do we follow the same HIPAA de-identification processes that a covered entity or business associate would follow?

Submitted by

Who are your customers? Check all that apply : General Public, Patients/Individuals/Consumers

What is your organization? : Small company, Software developer not specific to health care

Voting

3 votes
3 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Are We a Covered Entity?

A business associate provides no medical advice, medical services, medical devices, etc. But it talks to patients of the covered entity. Those patients tell the business associate what prescriptions they have for prescription drugs and when they must be refilled. The business associate faxes the refill request to the pharmacy. Does that make the business associate a covered entity?

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Health plans or health care providers

What is your organization? : Attorney/other compliance consultant

Voting

1 vote
1 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Are Cloud Storage providers BAs?

Is a company that provides encrypted cloud storage for a covered entity a BA if it does not have the encryption key and has no ability to access the IIHI?

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Health plans or health care providers

What is your organization? : Attorney/other compliance consultant

Voting

2 votes
2 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Risk Assessment Tool

Small companies and Business Associates are eager to meet their security requirements under HIPAA. Many smaller B.A.s have stated that they are unable to use the current security risk assessment tool because they believe it is needlessly cumbersome, redundant, and designed for Covered Entities. Do you recommend that Business Associates start to use private tools instead of the current tool for risk assessments? If so, ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Other, General Public, Patients/Individuals/Consumers

What is your organization? : Small company, Trade association

Voting

3 votes
3 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

HIPAA Training

Employees of a Business Associate must be trained on the basics of HIPAA. Startups and emerging companies want to ensure that the training their employees receive meets the standards expected by OCR. Similar to the practices of OSHA, can OCR provide a standardized training program on key HIPAA issues?

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Other, General Public, Patients/Individuals/Consumers

What is your organization? : Small company, Trade association

Voting

3 votes
3 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Audits

With random audits becoming a feature of HIPAA enforcement, small companies and Business Associates should ensure that information sought by OCR is readily available. This will allow OCR to make assessments quickly and efficiently. Making this process efficient also limits the disruptive impact audits can have on emerging companies. Similar to the practice of the FCC, can OCR provide guidance for Business Associates regarding ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Other, General Public, Patients/Individuals/Consumers

What is your organization? : Small company, Trade association

Voting

5 votes
6 up votes
1 down votes
Answered Questions

Campaign: Developers and HIPAA

does an online appointment scheduler need to abide by HIPAA?

I would like to know if I offer an online appointment scheduler to health care providers, would the system and I, as the programmer/manager need to abide by HIPAA or other related laws. Information included in the system would not be medical in nature; it would just be the clients name, appointment date and time, their email address and phone number. Possibly a credit card for deposits, but that's not the concern. The ...more »

Submitted by

Who are your customers? Check all that apply : Health plans or health care providers

What is your organization? : Software developer not specific to health care

Voting

4 votes
4 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Developer and HIPAA

Assume you have a software company that will be using a smartphone application and related device to record and store arguably protected health information. 1. Assume the software company stores the information on its own servers. The company is not subject to HIPAA (privacy or security rules) because it isn't a covered entity or a business associate of a covered entity, correct? 2. Now assume that the software ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Other, General Public, Patients/Individuals/Consumers

What is your organization? : Attorney/other compliance consultant

Voting

2 votes
2 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

De-identification of individuals' information

Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de-identify information purely for the purposes of selling data as a service? Additionally, from a Privacy Rule perspective (i.e., not considering state law or contractual considerations), are there any restrictions on a business associate using or disclosing the de-identified ...more »

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Attorney/other compliance consultant

Voting

3 votes
3 up votes
0 down votes
Answered Questions