If my provider is communicating PHI and non-PHI with patients through a 3rd-party SMS service, such as Twilio, would my provider be required to sign a BAA with the SMS service company, or would such a company be classified as a conduit? We are sending encrypted data to the SMS service, which is then sending unencrypted SMSs to patients. Patients can then potentially respond to those SMSs via unencrypted SMS, which would be directed... more »
Is a state-run medical marijuana patient registry a covered entity? The Florida registry includes identifiable patient personal information and MMJ "prescription" information that is passed from the physician, to the DOH, to dispensing retail locations. Any physician, law enforcement officer, or retail location employee can find and view any patient's information. Here is the Florida physician user manual: http://www.flhealthsource.gov/ommu/forms/registry-user-guide-physician.pdf... more »
If a client or the parents of the client (under 18) are out of the country, can an email give permission to the clinician to speak with another third-party clinician until they are back in the country and can fill out an Authorization to Disclose form?
I'm developing a calculator-type app for a friend of mine who works at a skilled nursing facility. She works as a therapist and regularly needs to split the total amount of time she needs to work with her patients into multiple sessions, often switching back and forth between patients. I'm developing the app to automate the task of her writing down when she starts and ends each session with each of her patients... and... more »
I am looking to find a HIPAA regulation that tells me whether or not a healthcare facility needs to have all TIA/EIA-568-B certified data cables. I know this would fall under data integrity, but I cannot find where HIPAA states that best practice or industry standards must be met.
I have a mobile application for tracking physician compensation, and I'm not sure if it contains data points, separately or together, which would be considered PHI under HIPAA. The application is designed to help physicians track procedures they perform. This app helps doctors keep tabs on their case log. The information collected is date of case, age of patient (as a range, i.e. age 1-5), date billing was submitted, diagnoses... more »
I am in the process of working with a hospital that is using a marketing software product to integrate forms into a new website project. We have recently gotten into the discussion regarding HIPAA compliance. It turns out the product's forms are not HIPAA compliant. With that being said, the information being captured by these forms on the site is not intended to be medical information. The purpose of these forms... more »
I believe this question is covered in the developer guidance (page 3), but as this document is 3+ years old, I was trying to determine if further guidance is available or if anything has changed with the decisions. We provide patient monitoring services to covered entities and enter into contracts/BAAs with them. One of these physicians is interested in providing a wearable tracker to his patients - the wearable would... more »
Healthcare providers place requests for interpreter services on a web portal that the state agency leases from a private vendor. Interpreters then log into the web portal to fish for appointments. They can access the web portal from their computers or mobile devices and do so frequently at public places such as coffee houses, libraries, waiting rooms, etc. where there is no expectation of privacy. All appointments are... more »
Our EHR solution is partnering with another health related software company with a cloud based API product to provide additional solutions for providers. This is a seamless connection. Some PHI would be stored on the API cloud based system while our EHR would also store PHI either on the client server or the cloud. I have several questions. I am assuming that the business associate between our clients/providers... more »
Our company allows employees to have company email on their BYOD devices. We are wondering what is needed to ensure our email and mobile devices are HIPAA compliant.
If a patient acknowledges receipt of a Notice of Privacy Practices when admitted to a Hospital, does the Hospital-owned outpatient pharmacy using the same electronic software have to provide a second Notice and obtain patient acknowledgement again? Can the original notice cover all outpatient departments under Hospital ownership?
I'm wondering if Verizon Home Phone Connect with an analog phone hooked up to it violates HIPAA in any way. I'm more concerned about cellular technology vs. POTS. There is no data transmission, only voice.
We make medical devices and sell to CEs through an independent sales team/resellers. Oftentimes, when there are issues with the software that runs on the devices, the reseller obtains the corresponding record from the CE and uploads it to our Customer Support portal. This ticket can contain medical health information. As a device manufacturer, are we required to adhere to HIPAA? We may get a few hundred such tickets from different... more »
I'm a web designer and have a client who has recently become HIPAA compliant concerning his handling of email. He needed me to search his old emails from about 6 years ago for a certain file. Though he no longer uses that email address, the emails were still in the web host's database, and they were never HIPAA compliant. He was wondering if he should just delete those old emails, since they are not HIPAA compliant we thought... more »