kudos icon +

Developers and HIPAA

Wearables provided by covered entity

I believe this question is covered in the developer guidance (page 3), but as this document is 3+ years old, I was trying to determine if further guidance is available or if anything has changed with the decisions.

We provide patient monitoring services to covered entities and enter into contracts/BAA's with them. One of these physicians is interested in providing a wearable tracker to his patients - the wearable would... more »

Voting

1 vote
1 up votes
0 down votes
kudos icon +

Developers and HIPAA

BAA and CI/CD tools - application source code that handles PHI

Many third party tools exist for Continuous Integration and Continuous Development (CI/CD). While an organization may maintain a BAA with their public cloud provider; many of these third party tools do not offer, nor will they engage in a BAA with customers.
Is a BAA required for the use of these tools, specifically when these tools are handling the compiling, build pipelines for code sources and virtualization container... more »

Voting

2 votes
2 up votes
0 down votes
kudos icon +

Developers and HIPAA

iOS keychains for saving pass/access token is HIPAA complaint?

I am building a mobile application to facilitate the patients and I am accessing the PHI through RESTful web apis.

I want to clarify one thing that I surfed a lot on google recently is, if I save patient's password or access token for re-authentication in iOS keychains, then may I consider this approach or this would be vulnerable to save the passwords in iOS keychains and violates HIPAA compliance act?

Voting

2 votes
2 up votes
0 down votes
kudos icon 1

Developers and HIPAA

Medical Device Data

Scenario 1: Manufacturer makes an implantable device that collects data from the patient in order to function as intended. This data is uploaded automatically to servers of the manufacturer. As part of the device's design, a platform processes the raw data and sends the processed data to the physician. No analysis or clinical conclusions are conducted on the raw data--it is organized into a readable format for the physician... more »

Voting

3 votes
3 up votes
0 down votes
kudos icon +

Developers and HIPAA

Which Dates are considered PHI?

Assuming all other identifiers are removed from the data, which dates are considered PHI? The de-identification standard for safe harbor indicates the following must be removed:

"(C) All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such... more »

Voting

2 votes
2 up votes
0 down votes
kudos icon +

Developers and HIPAA

web based CASE Management Tool

I have a web application that allows a patient and a doctor to create an account. the patient can upload his medical history and associate scanned files to his account. the patient then selects a doctor within the web application and invites him to have a look at his case files.

we are hosting this on a hipaa compliant environment under a BAA agreement. I am the only administrator who manages the system and I manage... more »

Voting

4 votes
4 up votes
0 down votes
kudos icon +

Developers and HIPAA

Record, transfer and store mobile inbuilt sensor data

Hi, For a mobile chatbot health app that reads, transfers and stores (within and outside mobile phone in a cloud based server) sensor generated time series data of patients/consumers activities, events, etc.. which includes all data that can be captured by a mobile phone's, accelerometer, light, other sensors without patient/consumer intervention, can such sensor generated data be classified as personal identifiable information... more »

Voting

2 votes
2 up votes
0 down votes
kudos icon +

Developers and HIPAA

HIPAA Program Compliance Manger

This was addressed on your old FAQ page for a number of years and it seems to have disappeared. Can "open format" postcards still be used to remind patients of upcoming appointments as long as HIPAA's minimum necessary standard is observed? Something like, "Dear Sue, We would like to remind you of your upcoming appointment on Tuesday, September 12th at 2:20 pm"?

Voting

2 votes
2 up votes
0 down votes
kudos icon +

Developers and HIPAA

Are CSPs that don't enforce ToS tacitly accepting a BA role?

I am a compliance consultant, seeing an increasing amount of concern from cloud service providers about customers/users sharing PHI via their platforms in clear violation of Terms of Service. (Depending on the platform, customers/users range from individuals to business associates to covered entities.) Specifically, the CSPs are concerned about whether allowing accounts in violation to remain active is somehow tacit acceptance... more »

Voting

2 votes
2 up votes
0 down votes
kudos icon +

Developers and HIPAA

App Customization

A consumer focused app receives a request from one of its users, a hospital, for a customization of the product. The customization is created in response to the user request and treated the same as other requests. The app developer then makes it available to their entire user base, not just the requester, and no fee is paid. Does this make the app developer a business associate of the covered entity?

Voting

2 votes
2 up votes
0 down votes