Campaign: Developers and HIPAA

Text messaging and HIPAA

There is currently a lack of clarity about whether patient consent to communicate via (unencrypted) SMS is adequate to protect covered entities from HIPAA concerns. HHS (and medical research) has released data supported use of non-encrypted SMS, given its high accessibility to patients and its efficacy in achieving behavior change (e.g. medication compliance, smoking cessation). Many covered entitites feel that this ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), General Public, Health plans or health care providers, Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, Not for profit, Developer working on homegrown apps within a health care setting

Voting

19 votes
19 up votes
0 down votes

Campaign: Developers and HIPAA

PHI request through SMS from provider

I understand there is some ambiguity regarding providers communicating PHI with patients, and I'm having some trouble interpreting how it applies to me. My provider developed software to engage patients via unencrypted SMS. My provider's medical practitioners will determine a patient is in need of monitoring and will develop or reuse a workflows to regularly request defined PHI from patients--such as diastolic and systolic ...more »

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, Not for profit

Voting

8 votes
8 up votes
0 down votes

Campaign: Developers and HIPAA

Can HIPAA address patient generated data?

Developers need better guidance around patient generated health data, since HIPAA focusses on one-way data sharing from a provider/other covered entity outward to the patient/other entity. In the future, more and more data will be flowing in the opposite direction, and there should be guidance to clarify that HIPAA should not prevent the flow of information from the patient back to the provider.

Submitted by

Who are your customers? Check all that apply : General Public

What is your organization? : Government

Voting

6 votes
6 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Help with business associate agreements

There is a lack of transparency around the content of Business Associate Agreements (BAAs), a lack of sample BAA language around the topics developers care about, such as cloud storage & PGHD, and a lack of bargaining power on the part of startups. This has led to many challenges for the industry, resulting in high legal fees which may be a barrier to entry for many companies. HHS should issue sample BAA language around ...more »

Submitted by

Who are your customers? Check all that apply : General Public

What is your organization? : Government

Voting

5 votes
5 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

What part of the environment has to be compliant?

Does the entire environment need to be HIPAA compliant, or is it possible that the solution could fall into an exception to HIPAA, or can they use an API to store certain kinds of data? If you’re building modern technologies, you’re relying on a lot of third party (likely API) based services; mostly cloud based services. So which aspects of those need to be compliant?

Submitted by

Who are your customers? Check all that apply : General Public

What is your organization? : Government

Voting

5 votes
5 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Are we a covered entity?

How can we determine if we’re a covered entity? The resources to make that determination are expensive – i.e. law firms

Submitted by

Who are your customers? Check all that apply : General Public

What is your organization? : Government

Voting

5 votes
5 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Audits

With random audits becoming a feature of HIPAA enforcement, small companies and Business Associates should ensure that information sought by OCR is readily available. This will allow OCR to make assessments quickly and efficiently. Making this process efficient also limits the disruptive impact audits can have on emerging companies. Similar to the practice of the FCC, can OCR provide guidance for Business Associates regarding ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Other, General Public, Patients/Individuals/Consumers

What is your organization? : Small company, Trade association

Voting

5 votes
6 up votes
1 down votes
Answered Questions

Campaign: Developers and HIPAA

does an online appointment scheduler need to abide by HIPAA?

I would like to know if I offer an online appointment scheduler to health care providers, would the system and I, as the programmer/manager need to abide by HIPAA or other related laws. Information included in the system would not be medical in nature; it would just be the clients name, appointment date and time, their email address and phone number. Possibly a credit card for deposits, but that's not the concern. The ...more »

Submitted by

Who are your customers? Check all that apply : Health plans or health care providers

What is your organization? : Software developer not specific to health care

Voting

4 votes
4 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

Cloud Security

What are the suggested encryption protocols that one should implement in order to fulfill the 164.312(a)(2)(iv)

 

Have you implemented a mechanism to encrypt and decrypt EPHI?

Submitted by

Who are your customers? Check all that apply : Health plans or health care providers

What is your organization? : Developer working on homegrown apps within a health care setting

Voting

4 votes
4 up votes
0 down votes

Campaign: Developers and HIPAA

How should developers execute audit logging?

Right now, developers expend a lot of time and resources (including the cost of data storage) on audit logging but don’t have assurance that they are in compliance. Could HHS provide an open source library of code to help developers understand how to execute audit logging.

Submitted by

Who are your customers? Check all that apply : General Public

What is your organization? : Government

Voting

3 votes
4 up votes
1 down votes

Campaign: Developers and HIPAA

Cloud computing

Developers need better guidance around cloud storage/computing and the Security Rule. Client-server architecture is no longer relevant in many cases. Health technology companies are typically now 100 percent cloud-based. Many clients are doing some type of data analytics work, or offer cloud-based EHRs and medical devices. HHS should provide good guidance for companies that are cloud based and virtual. Most companies ...more »

Submitted by

Who are your customers? Check all that apply : General Public

What is your organization? : Government

Voting

3 votes
3 up votes
0 down votes
Answered Questions

Campaign: Developers and HIPAA

De-identification of individuals' information

Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de-identify information purely for the purposes of selling data as a service? Additionally, from a Privacy Rule perspective (i.e., not considering state law or contractual considerations), are there any restrictions on a business associate using or disclosing the de-identified ...more »

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Attorney/other compliance consultant

Voting

3 votes
3 up votes
0 down votes
Answered Questions