What kind of limitations on role-based access does an EHR have to provide in order to comply with the “minimum necessary” standard? For example, if an employee only needs demographic or scheduling information to fulfill their job, does the EHR have to include mechanisms to prevent that employee from accessing other clinical information, or is having audit capability (combined with staff training and written policies)...
We are working on a mobile app that tracks attendance for fitness instructors/martial arts schools. Instructors can create classes and save their students in them. Part of the data entered for a student includes a field called Med Info, which would be along the lines of "Has asthma" or "Allergic to peanuts", just to give general examples. This is done so instructors can be prepared and aware of any health conditions with...
I am a student creating an app for a school project. I was wondering if I have to be HIPAA compliant. I am creating an app where diabetics can store their glucose and calculate insulin dosage. None of the information will be sent to hospitals or physicians. How would HIPAA work in this case? Thank you ahead.
This was addressed on your old FAQ page for a number of years and it seems to have disappeared. Can "open format" postcards still be used to remind patients of upcoming appointments as long as HIPAA's minimum necessary standard is observed? Something like, "Dear Sue, We would like to remind you of your upcoming appointment on Tuesday, September 12th at 2:20 pm"?
I'm wondering if Verizon Home Phone Connect with an analog phone hooked up to it violates HIPAA in any way. I'm more concerned about cellular technology vs. POTS. There is no data transmission, only voice.
Is Skype or any other video chat app HIPAA-compliant? Which video chat apps can currently be used for telehealth treatment activities involving general physicians or involving mental health professionals?
If a health care provider who is a covered entity were to create a general fitness/wellness app and silo off any collected data from their covered operations, could it be a valid hybrid entity? For instance, if a hospital creates a free meditation app but does not prescribe it as treatment, nor convey any data the app ingests back to medical professionals or EMRs, must the app still be HIPAA compliant? What are the criteria...
You have an app to manage chronic care that is primarily driven by the patient and requires patient permission to share any data, but where providers can enter some data, such as messages, or some information related to the patient's medication. The system is offered independently from a covered entity. Just because providers enter some PHI in the system, are you seen as a covered BA, or are you not a BA as long as...
As a software developer in the role of business associate I have read about what needs to be captured and stored by software that handles PHI for a covered entity. To be a good vendor, we want to provide our customer the requisite log data about user credentialing (adds, permissions, changes, disables, deletes), and about PHI activity within our software product. We currently log all changes to PHI made by our product....
Our company allows employees to have company email on their BYOD devices. We are wondering what is needed to ensure our email and mobile devices are HIPAA compliant.
I am looking to find a HIPAA regulation that tells me whether or not a healthcare facility needs to have all TIA/EIA-568-B certified data cables. I know this would fall under data integrity, but I cannot find where in HIPAA that it states that best practice or industry standards must be met.
I'm working on a free web application for use by healthcare providers that tracks the usage of antibiotics. I intend to make the application available to anyone as a tool without entering into any formal agreements. The tool would track such information as: facility census, medication name, dosage, date given, etc., patient age, gender, height, weight, etc. The tool would NOT use identifying information such as name,...
I have a web application that allows a patient and a doctor to create an account. The patient can upload his medical history and associate scanned files to his account. The patient then selects a doctor within the web application and invites him to have a look at his case files. We are hosting this on a HIPAA compliant environment under a BAA agreement. I am the only administrator who manages the system and I manage...
We have implemented a secure text messaging service for our application. It is quite possible that our customers will communicate ePHI to us using this secure service. Are we required to audit log all messages along with who read the message just in case some of the messages may have ePHI in them?
If a company has a business associate agreement (BAA) with an electronic medical record (EMR) vendor, does that company also have to sign a BAA with each health care provider or provider group using that EMR in addition to their existing BAA with the vendor?