I have a web application that allows a patient and a doctor to create an account. the patient can upload his medical history and associate scanned files to his account. the patient then selects a doctor within the web application and invites him to have a look at his case files.
we are hosting this on a hipaa compliant environment under a BAA agreement. I am the only administrator who manages the system and I manage the users on this system. the application has been extensively tested to make sure that the user who uploaded the PHI data under his account is the only person who can give access to his data to any other user on the system i.e. the doctor. he can also revoke access at anytime.
we also inform the user (patient) about when he about to create a new case in the system, that this is a HIPAA compliant environment, mask as personally identifiable information before scanning the medical reports into the CASE.
Is my application HIPAA compliant??
If a user by mistake gives access to a doctor who is NOT supposed to have access to his CASE. Is it a data breach? will we be responsible for such a user mistake?
If the user gives access to his case file to a doctor and if the doctor downloads the file to his laptop. is this a data breach? will we be responsible for such a user mistake?
We warn the user with a pop up message "this is HIPAA compliant environment, please mask your personal identification information before you upload the data"
If we are already doing this, can I skip the expensive HIPAA hosting and use the regular hosting? i.e. we are warning the user from uploading PHI information ahead of time but to protect our backs we are using this expensive HIPAA compliant hosting. Do you think we need this HIPAA compliant hosting??
Your feedback is very important to us.
Thanks in advance.