You have an app to manage chronic care that is primarily driven by the patient and requires patient persmission to share any data, but where providers can enter some data, such as messages, or some information related to the patient's medication. The system is offered independently from a covered entity. Just because providers enter some PHI in the system, are you seen as a BA covered, or you are not a BA as long as ...more »
What triggers acting "on behalf of a covered entity", A, or B, or other? A. A covered entity uses your app (you are not paid or have signed a BA; they just go online and use it). B. Getting hired by them. We have an app that patients and providers use for chronic disease management. Does not integrate with EHR. Patients enter their progress and providers review it and can message back and forth. We think we are not ...more »
Does having identifiable information of a person and the name of the health insurance company they are enrolled in (or name of other covered entity) constitute a PHI record? 1. Would a text message sent to an individual that includes the name of their health insurance company (but no other health information) be subject to HIPAA regulations? 2. Would a text message sent to an individual that includes the name of their ...more »
We have developed a platform to facilitate the scheduling of transport/rides for patients to provider appointments. The process works as follows. The provider logs into a secure site, to schedule a ride to an appointment for a patient. The platform, at the appropriate time, sends formation to a rider service provider (someone such as Lyft, Uber, etc..) to schedule the transport. The information provide the transport ...more »
Certain pediatric tasks require fairly precise ages, for example when evaluating jaundice one must know a baby's age in hours. What precautions are required to ensure that a birthdate cannot be inferred by usage data from an app that automates some of these tasks? For example, if a nurse enters in that a baby is 8 hours old, it seems a birthdate could be identified if the time of the nurse/app interaction was known. ...more »
I'm a compliance consultant for early stage startups with tight budgets. I'm not sure how to advise them regarding BAAs for third-party services such as customer support ticketing that aren't meant to collect PHI, but may incidentally. (E.g. "[Covered entity] entered my profile information wrong and I don't know how to change it. It should say...") These subcontractors meet the NIST definition of a cloud service provider, ...more »
I see a great deal of variation from organization to organization on what constitutes PHI in the digital realm. I have several scenarios that I'd like your thought on: - Is public website browsing behavior considered PHI as is suggested in the current Winston Smith V. Facebook case (http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=2175&context=historical)? This could impact a number of common services used ...more »
The scenario is this: A private health clinic (PHC) signs up online to use a web-based EHR application to create patient charts, schedule patients, provide a patient portal, etc. - classic practice management tasks. The EHR vendor has a BAA with a company which hosts its web application and the encrypted database. My question is, what happens to the PHC's electronically stored ePHI if the PHC's account is cancelled and/or ...more »
Does HIPAA have any restrictions on offshore development and/or customer support functions if the parent company is based in U.S. and/or if the foreign entity is owned and/or controlled by an entity based in U.S.?
We have a question regarding a vendor that claims that they don't need a BAA as they are a "conduit" and are exception. Is there someone at the OCR that could help us adjudicate this problem?
I am a student creating an app for school project. I was wondering if I have to be HIPAA compliant. I am creating an app, where diabetics can store their glucose and calculate insulin dosage. None of the information will be sent to hospitals or physicians. How would HIPAA work in this case? Thank you ahead.
What kind of limitations on role-based access does an EHR have to provide in order to comply with the “minimum necessary” standard? For example, if an employee only needs demographic or scheduling information to fulfill their job, does the EHR have to include mechanisms to prevent that employee from accessing other clinical information, or is having audit capability (combined with staff training and written policies) ...more »