Our EHR solution is partnering with another health related software company with a cloud based API product to provide additional solutions for providers. This is a seamless connection. Some PHI would be stored on the API cloud based system while our EHR would also store PHI either on the client server or the cloud. I have several questions. I am assuming that the business associate between our clients/providers... more »
We're a non profit organisation seeking to deploy an open-source health management application for use. We classify as a Business Associate as we provide services for a health care provider under HIPAA. We urgently need to know what exactly are the requirements a health information system needs to meet in order to satisfy HIPAA. It would be helpful to know if there's some document or checklist to work with. We'd also... more »
We have developed a platform to facilitate the scheduling of transport/rides for patients to provider appointments. The process works as follows. The provider logs into a secure site, to schedule a ride to an appointment for a patient. The platform, at the appropriate time, sends formation to a rider service provider (someone such as Lyft, Uber, etc..) to schedule the transport. The information provide the transport... more »
You have an app to manage chronic care that is primarily driven by the patient and requires patient persmission to share any data, but where providers can enter some data, such as messages, or some information related to the patient's medication. The system is offered independently from a covered entity. Just because providers enter some PHI in the system, are you seen as a BA covered, or you are not a BA as long as... more »
A provider or a wellness management company, which are both subject to HIPAA because they collect and house PHI. If that provider or wellness provider suggest to a patient that they use an app (the app was not developed for them and there has been no communication with the app company that the providers are going to use the app) to gather health data to share with them and the app company suffers a breach of information.... more »
I am a student creating an app for school project. I was wondering if I have to be HIPAA compliant. I am creating an app, where diabetics can store their glucose and calculate insulin dosage. None of the information will be sent to hospitals or physicians. How would HIPAA work in this case? Thank you ahead.
We are a small startup team that is distributed nationwide. To date everyone has used their own personal computers to login into work email, etc. Is it a requirement that we purchase and make all of our employees use only their work computers for development and access to our db? It's understood that we need a robust password policies and defined lists of who has access to any sensitive data where ever they may be.
Data masking or controlled access provides a means for patients to control disclosure of select information within the EHR. http://www.nature.com/gim/journal/v10/n7/pdf/gim200876a.pdf Can patients request that access to sensitive data be controlled? Can patients request that only certain people can access their PHI? Can they request an audit of how their data has been shared by a covered entity? If so, do (or should)... more »
I work for a software manufacturer that produces software that interfaces our customers various clinical systems to their EHR's and other applications. We do not store, maintain, transmit or manage PHI for our customers. We do configure their HIT interfaces that manage, transmit and modify PHI. Our technicians also routinely see PHI as they are helping customers troubleshoot issues and perform configuration changes.... more »
I am looking to find a HIPAA regulation that tells me whether or not a healthcare facility needs to have all TIA/EIA-568-B certified data cables. I know this would fall under data integrity, but I cannot find where in HIPAA that it states that best practice or industry standards must be met.
In order to be HIPAA compliant, should all activity that occurs with in an app be logged, or should activity that exceeds the normal threshold be logged? For instance, users that access information in the application routinely during the course of their work day will evince a regular level of activity. The activity will indicate routine access of sensitive information. Should the log contain all of the users activity,... more »
Assuming all other identifiers are removed from the data, which dates are considered PHI? The de-identification standard for safe harbor indicates the following must be removed: "(C) All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such... more »
Can someone assist me? We are working with a client of ours who would like us to create a billing application that will be a web based system. It will deal with patient and insurance carrier data. Where do we start? What do we need to do when building the about? Technical? What do we need to do from administration side? We will be dealing with UB-04 for billing.
When implementing external services with clients (such as exposing an API to external clients), are there any HIPAA rules/regulations around testing the implementation in a non-prod environment before going live in production? Are there any concerns with PHI or security with testing an implementation (of say an API with an external client) directly in a production environment?
Having a hard time finding clarity on cloning access in medical applications. This is an internal question to an organization. If I create an application for users that contains a lot of PHI, am I allowed to use cloning to give access to the users? For example, if a user is a pharmacist and another pharmacist in a different pharmacy requests access, can I give them the option on the request form to clone the other... more »