Campaign: Developers and HIPAA

Are we HIPAA compliant distributed team.

We are a small startup team that is distributed nationwide. To date everyone has used their own personal computers to login into work email, etc. Is it a requirement that we purchase and make all of our employees use only their work computers for development and access to our db? It's understood that we need a robust password policies and defined lists of who has access to any sensitive data where ever they may be.

Submitted by

Who are your customers? Check all that apply : Health plans or health care providers, Patients/Individuals/Consumers

What is your organization? : Developer of Mhealth apps (not mobile medical apps)

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

Scanning and Penetration Testing

Do entities need to run internal and external vulnerability scanning be HIPAA compliant? Do entities have to run penetration tests to ensure compliance? Reading ยง164.312(e)(2)(i) it seems that 'security measures' could include these tests, but does not specify a requirement for it. Additionally, a risk analysis could identify that these services would help to reduce the risk, threats and vulnerabilities in-scope systems, ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Health plans or health care providers

What is your organization? : Attorney/other compliance consultant

Voting

2 votes
2 up votes
0 down votes

Campaign: Developers and HIPAA

Is a BAA required with SMS service

If my provider is communicating PHI and non-PHI with patients through a 3rd party SMS service, such as Twilio, would my provider be required to sign a BAA with an SMS service company or such a company be classified as a conduit? We are sending encrypted data to the SMS service which is then sending unencrypted SMSs to patients. Patients can then potentially respond to those SMSs via unencrypted SMS which would be directed ...more »

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, Not for profit

Voting

3 votes
3 up votes
0 down votes

Campaign: Developers and HIPAA

Data Masking in EMR

Data masking or controlled access provides a means for patients to control disclosure of select information within the EHR. http://www.nature.com/gim/journal/v10/n7/pdf/gim200876a.pdf Can patients request that access to sensitive data be controlled? Can patients request that only certain people can access their PHI? Can they request an audit of how their data has been shared by a covered entity? If so, do (or should) ...more »

Submitted by

Who are your customers? Check all that apply : General Public

What is your organization? : Consumer advocacy organization

Voting

0 votes
0 up votes
0 down votes

Campaign: Developers and HIPAA

BA Contracts between 2 BAs providing services to CE

Is a BA Contract required between a BA providing PHI to another BA of a CE? (for example, a CE requests their EHR vendor to send PHI to a data analytics firm OR a CE requests a data analytics firm to send PHI to another vendor doing work on the CE's behalf)?

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Health plans or health care providers

What is your organization? : Small company, For profit, Attorney/other compliance consultant

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

Chat requirements

Are there any specific requirements that we should keep in mind when putting together a solution to provide PHI to a customer via a chat channel? Would it even be feasible? Assuming customer is identified (previously registered or asked to provide dob or some personal information

 

Thanks

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Developer working on homegrown apps within a health care setting

Voting

3 votes
3 up votes
0 down votes

Campaign: Developers and HIPAA

PII and PHI

We make medical devices and sell to CEs through a independent sales team/resellers. Often times where there are some issues with software that runs on devices -- the reseller obtains the corresponding record from CE and uploads to our Customer Support portal. This ticket can contain medical health information. As a device manufacturer are we required to adhere to HIPAA? We may get a few hundred such tickets from different ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor)

What is your organization? : Other

Voting

2 votes
2 up votes
0 down votes

Campaign: Developers and HIPAA

Notifications

A NYS licensed facility providing addiction treatment services has been advised that when a patient has been referred for treatment by another entity (hospital, family agency, courts, etc.) notice that the patient has presented for treatment may not be given to the referring agency without the written permission of the patient. No other PHI would be provided other than the notification.

Is this true?

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, Not for profit, Consumer advocacy organization

Voting

2 votes
2 up votes
0 down votes

Campaign: Developers and HIPAA

Does HIPAA extend to untethered PHRs?

A software company (e.g. a startup) develops an untethered PHR that is offered directly to the patient (consumer). The patient then authorizes PHR to "request" and "pull" (on behalf of patient) all records from all portals offered by healthcare provider EHRs (e.g. by Epic (MyChart), Cerner,...etc). The PHR gets access to all portals using logon credentials provided by the patient (e.g. patient provides all usernames and ...more »

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Your products send, receive, and/or view data/information to/from an EHR or related platform

Voting

2 votes
2 up votes
0 down votes

Campaign: Developers and HIPAA

Logging Activity within an Application

In order to be HIPAA compliant, should all activity that occurs with in an app be logged, or should activity that exceeds the normal threshold be logged? For instance, users that access information in the application routinely during the course of their work day will evince a regular level of activity. The activity will indicate routine access of sensitive information. Should the log contain all of the users activity, ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), General Public, Health plans or health care providers, Patients/Individuals/Consumers

What is your organization? : Developer working on homegrown apps within a health care setting

Voting

2 votes
2 up votes
0 down votes

Campaign: Developers and HIPAA

PHI request through SMS from provider

I understand there is some ambiguity regarding providers communicating PHI with patients, and I'm having some trouble interpreting how it applies to me. My provider developed software to engage patients via unencrypted SMS. My provider's medical practitioners will determine a patient is in need of monitoring and will develop or reuse a workflows to regularly request defined PHI from patients--such as diastolic and systolic ...more »

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, Not for profit

Voting

8 votes
8 up votes
0 down votes

Campaign: Developers and HIPAA

EHR software partners uses third party API

Our EHR solution is partnering with another health related software company with a cloud based API product to provide additional solutions for providers. This is a seamless connection. Some PHI would be stored on the API cloud based system while our EHR would also store PHI either on the client server or the cloud. I have several questions. I am assuming that the business associate between our clients/providers ...more »

Submitted by

Who are your customers? Check all that apply : Health plans or health care providers

What is your organization? : Your products send, receive, and/or view data/information to/from an EHR or related platform, EHR vendor, Cloud service provider

Voting

3 votes
3 up votes
0 down votes