Does the entire environment need to be HIPAA compliant, or is it possible that the solution could fall into an exception to HIPAA, or can they use an API to store certain kinds of data? If you’re building modern technologies, you’re relying on a lot of third-party (likely API-based) services, mostly cloud-based services. So which aspects of those need to be compliant?
What are the suggested encryption protocols that one should implement in order to fulfill 164.312(a)(2)(iv)?
Have you implemented a mechanism to encrypt and decrypt EPHI?
Is a company that provides encrypted cloud storage for a covered entity a BA if it does not have the encryption key and has no ability to access the IIHI?
I have several questions.
I am assuming that the business associate between our clients/providers...