Campaign: Developers and HIPAA

Data Masking in EMR

Data masking or controlled access provides a means for patients to control disclosure of select information within the EHR. http://www.nature.com/gim/journal/v10/n7/pdf/gim200876a.pdf Can patients request that access to sensitive data be controlled? Can patients request that only certain people can access their PHI? Can they request an audit of how their data has been shared by a covered entity? If so, do (or should) ...more »

Submitted by

Who are your customers? Check all that apply : General Public

What is your organization? : Consumer advocacy organization

Voting

0 votes
0 up votes
0 down votes

Campaign: Developers and HIPAA

Which video chat apps are HIPAA-compliant?

Is Skype or any other video chat app HIPAA-compliant? Which video chat apps can currently be used for telehealth treatment activities involving general physicians or involving mental health professionals?

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Health plans or health care providers

What is your organization? : Attorney/other compliance consultant

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

Are We a Covered Entity?

A business associate provides no medical advice, medical services, medical devices, etc. But it talks to patients of the covered entity. Those patients tell the business associate what prescriptions they have for prescription drugs and when they must be refilled. The business associate faxes the refill request to the pharmacy. Does that make the business associate a covered entity?

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Health plans or health care providers

What is your organization? : Attorney/other compliance consultant

Voting

1 vote
1 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Unencrypted PHI in the Cloud

From Kevin Wiggins, Saul Ewing: If a CE puts PHI on the Cloud and later terminates that Cloud as a service provider, there is inevitably some data remanence, thus leaving PHI on the Cloud. NIST Special Publication 800-80 addresses this by suggesting CEs use crypto-erase. What if the CE previously sent unencrypted PHI to the Cloud? Is it as simple as extending the protections of the contract to the information and ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Health plans or health care providers

What is your organization? : Attorney/other compliance consultant

Voting

1 vote
1 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Provider suggested use of an App - there is a breach

A provider or a wellness management company, which are both subject to HIPAA because they collect and house PHI. If that provider or wellness provider suggest to a patient that they use an app (the app was not developed for them and there has been no communication with the app company that the providers are going to use the app) to gather health data to share with them and the app company suffers a breach of information. ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Other

What is your organization? : Trade association

Voting

1 vote
1 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

BA Contracts between 2 BAs providing services to CE

Is a BA Contract required between a BA providing PHI to another BA of a CE? (for example, a CE requests their EHR vendor to send PHI to a data analytics firm OR a CE requests a data analytics firm to send PHI to another vendor doing work on the CE's behalf)?

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Health plans or health care providers

What is your organization? : Small company, For profit, Attorney/other compliance consultant

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

Are we HIPAA compliant distributed team.

We are a small startup team that is distributed nationwide. To date everyone has used their own personal computers to login into work email, etc. Is it a requirement that we purchase and make all of our employees use only their work computers for development and access to our db? It's understood that we need a robust password policies and defined lists of who has access to any sensitive data where ever they may be.

Submitted by

Who are your customers? Check all that apply : Health plans or health care providers, Patients/Individuals/Consumers

What is your organization? : Developer of Mhealth apps (not mobile medical apps)

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

Cellular Voice HIPAA Compliant

I'm wondering if Verizon Home Phone connect with a analog phone hooked up to is violates HIPAA in any way. I'm more concerned about cellular technology VS POTS. There is no data transmission only voice.

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Government

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

BAAs with Vendors and Providers

If a company has a business associate agreement (BAA) with an electronic medical record (EMR) vendor, does that company also have to sign a BAA with each health care provider or provider group using that EMR in addition to their existing BAA with the vendor?

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Other, General Public, Patients/Individuals/Consumers

What is your organization? : Small company, Trade association

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

Unencrypted Text without PHI?

Can a provider, or business associate acting on behalf of a provider, send an unencrypted text or email to a patient if the initial message does not contain protected health information and the patient requested the communication? If so, can the patient give the provider consent to use a third-party mailing service, even if the provider (or business associate of the provider) does not have a business associate agreement ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Other, General Public, Patients/Individuals/Consumers

What is your organization? : Small company, Trade association

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

EHR Role-Based Controls

What kind of limitations on role-based access does an EHR have to provide in order to comply with the “minimum necessary” standard? For example, if an employee only needs demographic or scheduling information to fulfill their job, does the EHR have to include mechanisms to prevent that employee from accessing other clinical information, or is having audit capability (combined with staff training and written policies) ...more »

Submitted by

Who are your customers? Check all that apply : Health plans or health care providers

What is your organization? : Attorney/other compliance consultant

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

Offshore development and customer support

Does HIPAA have any restrictions on offshore development and/or customer support functions if the parent company is based in U.S. and/or if the foreign entity is owned and/or controlled by an entity based in U.S.?

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Software developer not specific to health care

Voting

1 vote
1 up votes
0 down votes