We are a small company but have our software in over 100 large hospitals. Our developers have full read-write access to all data in the production environment from the day they start (all environments actually). We also have un-encrypted / un-scrambled data in our stage and our certification environments. Each developer has 2 domain accounts, both have full read-write access to all data, an administrative account allows... more »
The topic came up in a planning session around the point in time when a PR becomes a PR. Let's say we are writing an app for first responders. If the user collects name, date of birth, and vital signs. Does the PR become legally protected as soon as the First name is collected, or is there some threshold of data size(fields, values, etc.) that indicates that the PR has been created in legal terms for HIPPA protection?... more »
Is a state-run medical marijuana patient registry a covered entity? The Florida registry includes identifiable patient personal information and MMJ "prescription" information that is passed from the physician, to the DOH, to dispensing retail locations. Any physician, law enforcement officer, or retail location employee can find and view any patient's information. Here is the Florida physician user manual: http://www.flhealthsource.gov/ommu/forms/registry-user-guide-physician.pdf... more »
What triggers acting "on behalf of a covered entity", A, or B, or other? A. A covered entity uses your app (you are not paid or have signed a BA; they just go online and use it). B. Getting hired by them. We have an app that patients and providers use for chronic disease management. Does not integrate with EHR. Patients enter their progress and providers review it and can message back and forth. We think we are not... more »
We have a question regarding a vendor that claims that they don't need a BAA as they are a "conduit" and are exception. Is there someone at the OCR that could help us adjudicate this problem?
We're a non profit organisation seeking to deploy an open-source health management application for use. We classify as a Business Associate as we provide services for a health care provider under HIPAA. We urgently need to know what exactly are the requirements a health information system needs to meet in order to satisfy HIPAA. It would be helpful to know if there's some document or checklist to work with. We'd also... more »
How can we determine if we’re a covered entity? The resources to make that determination are expensive – i.e. law firms
Small companies and Business Associates are eager to meet their security requirements under HIPAA. Many smaller B.A.s have stated that they are unable to use the current security risk assessment tool because they believe it is needlessly cumbersome, redundant, and designed for Covered Entities. Do you recommend that Business Associates start to use private tools instead of the current tool for risk assessments? If so,... more »
I see a great deal of variation from organization to organization on what constitutes PHI in the digital realm. I have several scenarios that I'd like your thought on: - Is public website browsing behavior considered PHI as is suggested in the current Winston Smith V. Facebook case (http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=2175&context=historical)? This could impact a number of common services used... more »
A provider or a wellness management company, which are both subject to HIPAA because they collect and house PHI. If that provider or wellness provider suggest to a patient that they use an app (the app was not developed for them and there has been no communication with the app company that the providers are going to use the app) to gather health data to share with them and the app company suffers a breach of information.... more »
I believe this question is covered in the developer guidance (page 3), but as this document is 3+ years old, I was trying to determine if further guidance is available or if anything has changed with the decisions. We provide patient monitoring services to covered entities and enter into contracts/BAA's with them. One of these physicians is interested in providing a wearable tracker to his patients - the wearable would... more »
Can organizations adopt the less stringent password measures recently updated in NIST 800-63-B and still be compliant under the HIPAA security rule?
If a health care provider who is a covered entity were to create a general fitness/wellness app and silo off any collected data from their covered operations, could it be a valid hybrid entity? For instance, if a hospital creates a free meditation app but does not prescribe it as treatment, nor convey any data the app ingests back to medical professionals or EMRs, must the app still be HIPAA compliant? What are the criteria... more »
I work for a software manufacturer that produces software that interfaces our customers various clinical systems to their EHR's and other applications. We do not store, maintain, transmit or manage PHI for our customers. We do configure their HIT interfaces that manage, transmit and modify PHI. Our technicians also routinely see PHI as they are helping customers troubleshoot issues and perform configuration changes.... more »
Right now, developers expend a lot of time and resources (including the cost of data storage) on audit logging but don’t have assurance that they are in compliance. Could HHS provide an open source library of code to help developers understand how to execute audit logging.