Answered Questions


HIPAA E-Signature Requirements

Q: We are a small organization starting up a tele-health initiative. We would like to deliver a copy of our Notice of Privacy Practices electronically and have patients acknowledge receipt via check box prior to completing our online intake forms. This method is used for acceptance when one downloads software online. We are having a difficult time understanding the requirements for this. Can it be a check box and/or typed name on a form? Does it need to be legally binding? Do we need to electronically track the signature back to a specific person? As long as we can prove they check the box prior to providing us information, will that would suffice for acknowledgement of receipt?

A: We have addressed this topic on the OCR website in the FAQs. For notice delivered electronically, an electronic return receipt or other return transmission from the individual is considered a valid written acknowledgment of the notice. A covered entity is not required to obtain the individual’s legally valid electronic signature for this purpose. The covered entity must retain any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment. See http://www.hhs.gov/hipaa/for-professionals/faq/333/does-hipaa-permit-heath-care-providers-to-obtain-an-electronic-acknowlegement-of-the-notice/index.html.

Provider suggested use of an App - there is a breach

Q: A provider or a wellness management company, which are both subject to HIPAA because they collect and house PHI. If that provider or wellness provider suggest to a patient that they use an app (the app was not developed for them and there has been no communication with the app company that the providers are going to use the app) to gather health data to share with them and the app company suffers a breach of information. What is the liability to the providers that suggested the patient use the app that was breached?

A: The “Health App Use Scenarios and HIPAA” guidance, available on this portal home page and helpful links page, poses a scenario in which a covered provider recommends a particular app for her patient to use to capture and share information with the provider. In this scenario, the app developer is not a business associate of the covered provider. If an app developer is not a business associate of a provider, a breach experienced by the app developer does not create any breach notification responsibilities for the provider. Take a look at the guidance, and also the “what federal laws apply to you” tool on the helpful links page.

Unencrypted PHI in the Cloud

Q: If a CE puts PHI on the Cloud and later terminates that Cloud as a service provider, there is inevitably some data remanence, thus leaving PHI on the Cloud. NIST Special Publication 800-80 addresses this by suggesting CEs use crypto-erase. What if the CE previously sent unencrypted PHI to the Cloud? Is it as simple as extending the protections of the contract to the information and limiting further uses and disclosures to those purposes that make the return or destruction of the information infeasible?

A: In short, yes, the protections of the contract must be extended and future use and disclosures limited. In this question, the cloud service provider is a business associate of the CE because it holds or processes ePHI on its behalf. A business associate agreement between a covered entity and a business associate, or a business associate and a subcontractor, must, if feasible, require the business associate to return or destroy all ePHI at termination. If such return or destruction is not feasible, the protections of the business association agreement must be extended to the information and further uses and disclosures limited to those purposes that make the return or destruction of the information infeasible. You can find more information about business associate compliance through the helpful links page. Update: Please consult the HIPAA and Cloud Computing guidance: https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html.

Sale of Data Collected by a Consumer Targeted App

Q: We are not a covered entity or business associate. We are developing a direct-to-consumer app that tracks medication adherence. We want to de-identify the information the app collects to sell to third parties. Do we follow the same HIPAA de-identification processes that a covered entity or business associate would follow?

A: If a developer is not a covered entity or a business associate, HIPAA’s regulations – including the provisions on de-identification - do not apply. (Note that the Health App Use Scenarios & HIPAA guidance provides four examples of consumer apps where the app developer would not be a covered entity or business associate.) However, the developer could choose to use HIPAA’s de-identification provisions to reduce the risk of re-identification of consumers through the sale of health information. Consider what other federal consumer protection laws may apply; use the tool available through the What federal laws apply to you? link. Also see the OCR guidance on de-identification. http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/.

Are We a Covered Entity?

Q: A business associate provides no medical advice, medical services, medical devices, etc. But it talks to patients of the covered entity. Those patients tell the business associate what prescriptions they have for prescription drugs and when they must be refilled. The business associate faxes the refill request to the pharmacy. Does that make the business associate a covered entity?

A: No. Conducting prescription management activities on behalf of or as a service to a covered entity does not make the business associate a covered entity. Take a look to our responses to the “are we a covered entity” question for resources, also the helpful links page.

Are Cloud Storage providers BAs?

Q: Is a company that provides encrypted cloud storage for a covered entity a BA if it does not have the encryption key and has no ability to access the IIHI?

A: This important question will be addressed in upcoming cloud guidance. We will be sure to announce the release of the guidance on this site, and provide a link. Update: Please consult our cloud computing guidance, issued October 2016: https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html.

Risk Assessment Tool

Q: Small companies and Business Associates are eager to meet their security requirements under HIPAA. Many smaller B.A.s have stated that they are unable to use the current security risk assessment tool because they believe it is needlessly cumbersome, redundant, and designed for Covered Entities. Do you recommend that Business Associates start to use private tools instead of the current tool for risk assessments? If so, would OCR consider reviewing and endorsing third party risk assessment tools for Business Associates?

A: You can find links to three risk analysis tools, as well as other guidance on Security Rule compliance, at http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.

HIPAA Training

Q: Employees of a Business Associate must be trained on the basics of HIPAA. Startups and emerging companies want to ensure that the training their employees receive meets the standards expected by OCR. Similar to the practices of OSHA, can OCR provide a standardized training program on key HIPAA issues?

A: The HIPAA Rules are flexible and scalable to accommodate the enormous range in types and sizes of entities that must comply with them. This means that there is no single standardized program that could appropriately train employees of all entities. However, a good place to start looking for resources for your employee training is https://www.healthit.gov/providers-professionals/guide-privacy-and-security-electronic-health-information. This guide provides a good beginner's overview of what the HIPAA Rules require, and the page has links to security training games, risk assessment tools and other aids. Also look at the resources available through the helpful links page.

Audits

Q: With random audits becoming a feature of HIPAA enforcement, small companies and Business Associates should ensure that information sought by OCR is readily available. This will allow OCR to make assessments quickly and efficiently. Making this process efficient also limits the disruptive impact audits can have on emerging companies. Similar to the practice of the FCC, can OCR provide guidance for Business Associates regarding the specific requirements of the audit process? What can a Business Associate do to prepare for an audit, and what should be expected?

A: Phase Two of OCR’s HIPAA audit program is currently underway. OCR has begun to obtain and verify contact information to identify covered entities and business associates of various types and determine which are appropriate to be included in potential auditee pools. We encourage covered entities and business associates to review their compliance programs, ensure that they have implemented complete risk analysis and risk management processes, and compile a record of all their business associates. The audit protocols can be used for self assessment. For more information, including a link to the protocols that will be used to assess compliance, go to http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.

Does an online appointment scheduler need to abide by HIPAA?

Q: I would like to know if I offer an online appointment scheduler to health care providers, would the system and I, as the programmer/manager need to abide by HIPAA or other related laws. Information included in the system would not be medical in nature; it would just be the clients name, appointment date and time, their email address and phone number. Possibly a credit card for deposits, but that's not the concern. The concern would be their personal info, their name, email and phone and apt date/time. Would this system need to abide by HIPPA guide lines? or special confidentiality rules?

A: An online scheduler that creates, receives, maintains, or transmits identifiable patient information as part of providing appointment scheduling services to a covered health care provider is a business associate of the health care provider and subject to HIPAA. (E.g., a calendar application run from a vendor’s computers and delivered by the vendor’s remote servers over the Internet.) From the OCR website: When identifying information, such as personal names, residential addresses, or phone numbers, are listed with health condition, health care provision or payment data, such as an indication that the individual was or will be treated at a certain clinic, then this information would be protected health information (PHI) and protected by the HIPAA Rules. Click on “what information is protected” at http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html, and browse the material available here through the Helpful Links.

Developer and HIPAA

Q: Assume you have a software company that will be using a smartphone application and related device to record and store arguably protected health information.

1. Assume the software company stores the information on its own servers. The company is not subject to HIPAA (privacy or security rules) because it isn't a covered entity or a business associate of a covered entity, correct?

2. Now assume that the software company uses a 3rd party data storage provider to store all of the arguably protected health information. Again, neither the company nor the 3rd party provider are subject to HIPAA (privacy or security rules) because they aren't covered entities or a business associate of a covered entities, correct?

A: Take a look at the app developer scenario guidance posted on the welcome page of this site. It contains a range of scenarios and questions to help you analyze whether you have HIPAA responsibilities for the information. Also, you will want to take a look at the Mobile Health App Tool, which you can reach on our links page.

De-identification of individuals' information

Q: Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de-identify information purely for the purposes of selling data as a service?  

Additionally, from a Privacy Rule perspective (i.e., not considering state law or contractual considerations), are there any restrictions on a business associate using or disclosing the de-identified PHI (assuming they have been directed by the covered entity to de-identify the information in the first place)?

A: The Privacy Rule does not restrict how a covered entity may use or disclose information that meets the Rule’s standards for de-identified health information, as it is no longer considered protected health information. A covered entity may use a business associate to de-identify PHI on its behalf only to the extent such activity is authorized by the business associate agreement. Guidance about the de-identification standard is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html.

Teaching Hospitals and HIPAA Privacy

Q: I work for a University medical school that employs physicians as faculty and who teach at the hospital. I would like to know more about how far the ability access patient's records for educational purposes reaches. For example, if a Radiologist faculty member treated several patients with interesting or notable conditions and wanted to use the films as a teaching guide for residents, then what guidance or protocols should that faculty member follow that would permit the residents to access that patient's medical records to view the films without violating HIPAA? The residents were not treating physicians, but the faculty member was; or maybe only one or two residents were involved in the actual care of the patient but several others were not. Does the faculty member have to log-in to the electronic medical record under their user id, deidentify all of the patient's PHI, and then show the residents the films? Can the faculty physician simply give the patient's MRN to the residents and tell them to look up the films using their own user id's since it's for educational purposes?

A: Guidance on how teaching hospitals may use and disclose protected health information to train health care professionals and other members of their workforce can be found through the links below.
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclosuresfortpo.html
http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/209.html
http://www.hhs.gov/ocr/privacy/hipaa/faq/smaller_providers_and_businesses/196.html

Are we a covered entity?

Q: How can we determine if we’re a covered entity? The resources to make that determination are expensive – i.e. law firms

A: Only health plans, health care clearinghouses and most health care providers are covered entities under HIPAA. You can learn more about what types of organizations fit into these categories http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html. You can follow the steps of this chart https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/AreYouaCoveredEntity.html to figure out your own status. However, even if you are not a covered entity, you may be a business associate required to comply with certain provisions of the HIPAA Rules. In general, a business associate is a person [or entity] who creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity or another business associate. PHI is defined in the HIPAA regulations, and, in general, is identifiable health information. So, most vendors or contractors (including subcontractors) that provide services to or perform functions for covered entities that involve access to PHI are business associates. For example, a company that is given access to PHI by a covered entity to provide and manage a personal health record or patient portal offered by the covered entity to its patients or enrollees is a business associate.
Find out which federal laws you need to follow by using the new Mobile Health Apps Interactive Tool.

I am happy to provide updated resources! The Federal Trade Commission (FTC) has created a new web-based tool to help developers of health-related mobile apps understand what federal laws and regulations might apply to them. The FTC developed the tool in conjunction with OCR, the HHS Office of National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA). You can get find this tool on our helpful links page.

Cloud Computing

Q: Developers need better guidance around cloud storage/computing and the Security Rule. Client-server architecture is no longer relevant in many cases. Health technology companies are typically now 100 percent cloud-based. Many clients are doing some type of data analytics work, or offer cloud-based EHRs and medical devices. HHS should provide good guidance for companies that are cloud based and virtual. Most companies now don’t necessarily have a physical location, everyone is working from home, and accessing data via VPN (virtual private network). The current rule just doesn’t apply to these new business models.

A: From OCR: This important question will be addressed in upcoming cloud guidance. We will be sure to announce the release of the guidance on this site, and provide a link. Update: Please consult our cloud computing guidance, issued October 2016: https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html.

What part of the environment has to be compliant?

Q: Does the entire environment need to be HIPAA compliant, or is it possible that the solution could fall into an exception to HIPAA, or can they use an API to store certain kinds of data? If you’re building modern technologies, you’re relying on a lot of third party (likely API) based services; mostly cloud based services. So which aspects of those need to be compliant?

A: Both business associates and covered entities must consider where and how they use, maintain and disclose protected health information in order to determine how to comply with the HIPAA Rules.

The business associate is responsible for ensuring its compliance with the applicable HIPAA standards for all aspects of the environment that involve PHI and the provision of business associate services or activities.

The HIPAA Rules permits a covered entity that conducts both covered and non-covered functions to elect to be a “hybrid entity.”(The activities that make a person or organization a covered entity are its “covered functions.”) To be a hybrid entity, the covered entity must designate in writing its operations that perform covered functions as one or more “health care components.” (For example, a chain drugstore could elect to be a hybrid entity and so designate its pharmacy-related activities as its health care component and exclude its retail operations.) After making this designation, most of the requirements of the Privacy and Security Rules will apply only to the health care components. The covered entity must ensure that it does not share PHI from its health care component with other components of its business (unless the Privacy Rule would permit such sharing with a separate legal entity). A covered entity that does not make this designation is subject in its entirety to the HIPAA Rules. For more information search for “hybrid” in the FAQs http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html.

Help with business associate agreements

Q: There is a lack of transparency around the content of Business Associate Agreements (BAAs), a lack of sample BAA language around the topics developers care about, such as cloud storage & PGHD, and a lack of bargaining power on the part of startups. This has led to many challenges for the industry, resulting in high legal fees which may be a barrier to entry for many companies. HHS should issue sample BAA language around these common topics, to reduce the need for customized legal work.

A: You can find sample BAA language on the OCR website; we have not developed provisions specific to particular services or industries. However, entities are welcome to take the sample language and tailor it to their needs. See http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.

Can HIPAA address patient generated data?

Q: Developers need better guidance around patient generated health data, since HIPAA focusses on one-way data sharing from a provider/other covered entity outward to the patient/other entity. In the future, more and more data will be flowing in the opposite direction, and there should be guidance to clarify that HIPAA should not prevent the flow of information from the patient back to the provider.

A: Information created or held by individuals/patients/consumers is not subject to HIPAA unless and until it is received by a covered entity (or a business associate). HIPAA does not prevent hospitals, medical practices and other covered entities from receiving patient generated health data, whether by phone, paper, fax, online patient facing portal, or mHealth application. Note that under the HIPAA Security Rule, covered entities and business associates need to conduct a security risk analysis to evaluate and address the potential risks of any solutions deployed (e.g., web based portal, data transfer application, direct network connection, etc.) to receive and process ePHI from external sources.

To more fully respond to this question, we created the "Health App Use Scenarios and HIPAA" guidance, which takes on individual/patient/consumer generated health data and relationships between the individual, the provider and the app. You can find it on the portal home page and in helpful links.