In order to be HIPAA compliant, should all activity that occurs with in an app be logged, or should activity that exceeds the normal threshold be logged? For instance, users that access information in the application routinely during the course of their work day will evince a regular level of activity. The activity will indicate routine access of sensitive information. Should the log contain all of the users activity, ...more »
Developers and HIPAA
Hi, For a mobile chatbot health app that reads, transfers and stores (within and outside mobile phone in a cloud based server) sensor generated time series data of patients/consumers activities, events, etc.. which includes all data that can be captured by a mobile phone's, accelerometer, light, other sensors without patient/consumer intervention, can such sensor generated data be classified as personal identifiable information ...more »
Is a BA Contract required between a BA providing PHI to another BA of a CE? (for example, a CE requests their EHR vendor to send PHI to a data analytics firm OR a CE requests a data analytics firm to send PHI to another vendor doing work on the CE's behalf)?
I would like to know if I offer an online appointment scheduler to health care providers, would the system and I, as the programmer/manager need to abide by HIPAA or other related laws. Information included in the system would not be medical in nature; it would just be the clients name, appointment date and time, their email address and phone number. Possibly a credit card for deposits, but that's not the concern. The ...more »
A consumer focused app receives a request from one of its users, a hospital, for a customization of the product. The customization is created in response to the user request and treated the same as other requests. The app developer then makes it available to their entire user base, not just the requester, and no fee is paid. Does this make the app developer a business associate of the covered entity?
If a patient acknowledges receipt of a Notice of Privacy Practices when admitted to a Hospital, does the Hospital-owned outpatient pharmacy using the same electronic software have to provide a second Notice and obtain patient acknowledgement again? Can the original notice cover all outpatient departments under Hospital ownership?
Remote devices may not have access to the internet at all times and therefore may be operating offline. Data must be stored on the devices until connectivity is restored. What is the protocol for PHI data storage on offline mobile devices?
We are a small startup team that is distributed nationwide. To date everyone has used their own personal computers to login into work email, etc. Is it a requirement that we purchase and make all of our employees use only their work computers for development and access to our db? It's understood that we need a robust password policies and defined lists of who has access to any sensitive data where ever they may be.
Developers need better guidance around patient generated health data, since HIPAA focusses on one-way data sharing from a provider/other covered entity outward to the patient/other entity. In the future, more and more data will be flowing in the opposite direction, and there should be guidance to clarify that HIPAA should not prevent the flow of information from the patient back to the provider.
We have developed a platform to facilitate the scheduling of transport/rides for patients to provider appointments. The process works as follows. The provider logs into a secure site, to schedule a ride to an appointment for a patient. The platform, at the appropriate time, sends formation to a rider service provider (someone such as Lyft, Uber, etc..) to schedule the transport. The information provide the transport ...more »
Certain pediatric tasks require fairly precise ages, for example when evaluating jaundice one must know a baby's age in hours. What precautions are required to ensure that a birthdate cannot be inferred by usage data from an app that automates some of these tasks? For example, if a nurse enters in that a baby is 8 hours old, it seems a birthdate could be identified if the time of the nurse/app interaction was known. ...more »
What kind of limitations on role-based access does an EHR have to provide in order to comply with the “minimum necessary” standard? For example, if an employee only needs demographic or scheduling information to fulfill their job, does the EHR have to include mechanisms to prevent that employee from accessing other clinical information, or is having audit capability (combined with staff training and written policies) ...more »