Developers and HIPAA

HIPAA Program Compliance Manger

This was addressed on your old FAQ page for a number of years and it seems to have disappeared. Can "open format" postcards still be used to remind patients of upcoming appointments as long as HIPAA's minimum necessary standard is observed? Something like, "Dear Sue, We would like to remind you of your upcoming appointment on Tuesday, September 12th at 2:20 pm"?

Submitted by

Who are your customers? Check all that apply : Health plans or health care providers

What is your organization? : Other, Small company, For profit, Your products send, receive, and/or view data/information to/from an EHR or related platform, Cloud service provider

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

Hospital Outpatient Pharmacy Notice of Privacy Practices

If a patient acknowledges receipt of a Notice of Privacy Practices when admitted to a Hospital, does the Hospital-owned outpatient pharmacy using the same electronic software have to provide a second Notice and obtain patient acknowledgement again? Can the original notice cover all outpatient departments under Hospital ownership?

Submitted by

Who are your customers? Check all that apply : General Public, Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, Not for profit

Voting

3 votes
3 up votes
0 down votes

Developers and HIPAA

What does "on behalf of a covered entity mean"

What triggers acting "on behalf of a covered entity", A, or B, or other? A. A covered entity uses your app (you are not paid or have signed a BA; they just go online and use it). B. Getting hired by them. We have an app that patients and providers use for chronic disease management. Does not integrate with EHR. Patients enter their progress and providers review it and can message back and forth. We think we are not ...more »

Submitted by

Who are your customers? Check all that apply : Other

What is your organization? : Developer of Mhealth apps (not mobile medical apps), Small company

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

Notifications

A NYS licensed facility providing addiction treatment services has been advised that when a patient has been referred for treatment by another entity (hospital, family agency, courts, etc.) notice that the patient has presented for treatment may not be given to the referring agency without the written permission of the patient. No other PHI would be provided other than the notification.

Is this true?

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, Not for profit, Consumer advocacy organization

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

'Medical Info' field in attendance mobile app

We are working on a mobile app that tracks attendance for fitness instructors/martial arts schools. Instructors can create classes and save their students in them. Part of the data entered for a student includes a field called Med Info, which would be along the sorts "Has asthma" or "Allergic to peanuts" just to give general examples. This is done so instructors can be prepared and aware of any health conditions with ...more »

Submitted by

Who are your customers? Check all that apply : General Public

What is your organization? : Software developer not specific to health care

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

Cellular Voice HIPAA Compliant

I'm wondering if Verizon Home Phone connect with a analog phone hooked up to is violates HIPAA in any way. I'm more concerned about cellular technology VS POTS. There is no data transmission only voice.

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Government

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

Text messaging and HIPAA

There is currently a lack of clarity about whether patient consent to communicate via (unencrypted) SMS is adequate to protect covered entities from HIPAA concerns. HHS (and medical research) has released data supported use of non-encrypted SMS, given its high accessibility to patients and its efficacy in achieving behavior change (e.g. medication compliance, smoking cessation). Many covered entitites feel that this ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), General Public, Health plans or health care providers, Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, Not for profit, Developer working on homegrown apps within a health care setting

Voting

21 votes
21 up votes
0 down votes

Developers and HIPAA

Nonprofit Emergency Medical Services

Is a nonprofit EMS company (501c3) required to have a notice of privacy practices if it is an emergency response group? What aspects of HIPAA are applicable to a nonprofit EMS group?

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Not for profit

Voting

0 votes
0 up votes
0 down votes

Developers and HIPAA

HIPAA compliance with an task list from a provider?

I'm working on an app for a therapist to send a list of exercises to their patient's mobile device from their desktop for the patient to perform at home. The therapist can view if the patient is checking off their exercises and reporting thier completion each day. No information is being transmitted in regards to the patient's diagnosis or condition, only the list of exercises to be performed at home and the patient's ...more »

Submitted by

Who are your customers? Check all that apply : Health plans or health care providers, Patients/Individuals/Consumers

What is your organization? : Developer of Mhealth apps (not mobile medical apps), Small company, For profit, Developer working on homegrown apps within a health care setting

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

J. Mark Tuthill, Divison Head, Pathology Informatics

We have a question regarding a vendor that claims that they don't need a BAA as they are a "conduit" and are exception. Is there someone at the OCR that could help us adjudicate this problem?

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, ACO

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

Updated password requirements outlined in NIST 800-63-B

Can organizations adopt the less stringent password measures recently updated in NIST 800-63-B and still be compliant under the HIPAA security rule?

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), General Public, Health plans or health care providers, Patients/Individuals/Consumers

What is your organization? : Attorney/other compliance consultant

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

Is a BAA required with SMS service

If my provider is communicating PHI and non-PHI with patients through a 3rd party SMS service, such as Twilio, would my provider be required to sign a BAA with an SMS service company or such a company be classified as a conduit? We are sending encrypted data to the SMS service which is then sending unencrypted SMSs to patients. Patients can then potentially respond to those SMSs via unencrypted SMS which would be directed ...more »

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, Not for profit

Voting

6 votes
6 up votes
0 down votes