Health app developers: Questions about HIPAA? Browse Hot Questions

There is currently a lack of clarity about whether patient consent to communicate via (unencrypted) SMS is adequate to protect covered entities from HIPAA concerns. HHS (and medical research) has released data supported use of non-encrypted SMS, given its high accessibility to patients and its efficacy in achieving behavior change (e.g. medication compliance, smoking cessation). Many covered entitites feel that this ...more »

I understand there is some ambiguity regarding providers communicating PHI with patients, and I'm having some trouble interpreting how it applies to me. My provider developed software to engage patients via unencrypted SMS. My provider's medical practitioners will determine a patient is in need of monitoring and will develop or reuse a workflows to regularly request defined PHI from patients--such as diastolic and systolic ...more »

Private Practice Physicians have the opportunity by contracting with a large health care entity to get into electronic health records EHR. In wanting to satisfy the continuum of care one practice can see any treatment provided by another provider for their patient. They can access diagnostics within the health care entities network. All good things! My concern, though users sign off on a confidentiality agreement ...more »

What are the suggested encryption protocols that one should implement in order to fulfill the 164.312(a)(2)(iv)

Have you implemented a mechanism to encrypt and decrypt EPHI?

If my provider is communicating PHI and non-PHI with patients through a 3rd party SMS service, such as Twilio, would my provider be required to sign a BAA with an SMS service company or such a company be classified as a conduit? We are sending encrypted data to the SMS service which is then sending unencrypted SMSs to patients. Patients can then potentially respond to those SMSs via unencrypted SMS which would be directed ...more »

Are there any specific requirements that we should keep in mind when putting together a solution to provide PHI to a customer via a chat channel? Would it even be feasible? Assuming customer is identified (previously registered or asked to provide dob or some personal information

Thanks

Our EHR solution is partnering with another health related software company with a cloud based API product to provide additional solutions for providers. This is a seamless connection. Some PHI would be stored on the API cloud based system while our EHR would also store PHI either on the client server or the cloud. I have several questions. I am assuming that the business associate between our clients/providers ...more »

Remote devices may not have access to the internet at all times and therefore may be operating offline. Data must be stored on the devices until connectivity is restored. What is the protocol for PHI data storage on offline mobile devices?

I am in the process of working with a hospital that is using a marketing software product to integrate forms into a new website project. We have recently got into the discussion regarding HIPAA compliance. It turns out the product's forms are not HIPAA compliant. With that being said the information being captured by these forms on the site are not intended to be capturing medical information. The purpose of these forms ...more »

Right now, developers expend a lot of time and resources (including the cost of data storage) on audit logging but don’t have assurance that they are in compliance. Could HHS provide an open source library of code to help developers understand how to execute audit logging.

We have a question regarding a vendor that claims that they don't need a BAA as they are a "conduit" and are exception. Is there someone at the OCR that could help us adjudicate this problem?

A consumer focused app receives a request from one of its users, a hospital, for a customization of the product. The customization is created in response to the user request and treated the same as other requests. The app developer then makes it available to their entire user base, not just the requester, and no fee is paid. Does this make the app developer a business associate of the covered entity?