Campaign: Developers and HIPAA

Providers feed PHI to your system, does this mean you are a BA?

You have an app to manage chronic care that is primarily driven by the patient and requires patient persmission to share any data, but where providers can enter some data, such as messages, or some information related to the patient's medication. The system is offered independently from a covered entity. Just because providers enter some PHI in the system, are you seen as a BA covered, or you are not a BA as long as ...more »

Submitted by

Who are your customers? Check all that apply : Other

What is your organization? : Developer of Mhealth apps (not mobile medical apps), Small company

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

What does "on behalf of a covered entity mean"

What triggers acting "on behalf of a covered entity", A, or B, or other? A. A covered entity uses your app (you are not paid or have signed a BA; they just go online and use it). B. Getting hired by them. We have an app that patients and providers use for chronic disease management. Does not integrate with EHR. Patients enter their progress and providers review it and can message back and forth. We think we are not ...more »

Submitted by

Who are your customers? Check all that apply : Other

What is your organization? : Developer of Mhealth apps (not mobile medical apps), Small company

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

Does the name of a Health Insurance company constitute PHI?

Does having identifiable information of a person and the name of the health insurance company they are enrolled in (or name of other covered entity) constitute a PHI record? 1. Would a text message sent to an individual that includes the name of their health insurance company (but no other health information) be subject to HIPAA regulations? 2. Would a text message sent to an individual that includes the name of their ...more »

Submitted by

Who are your customers? Check all that apply : Health plans or health care providers

What is your organization? : Not for profit

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

When is PHI de-identified?

We have developed a platform to facilitate the scheduling of transport/rides for patients to provider appointments. The process works as follows. The provider logs into a secure site, to schedule a ride to an appointment for a patient. The platform, at the appropriate time, sends formation to a rider service provider (someone such as Lyft, Uber, etc..) to schedule the transport. The information provide the transport ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Health plans or health care providers

What is your organization? : Developer of Mhealth apps (not mobile medical apps), For profit, Attorney/other compliance consultant

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

J. Mark Tuthill, Divison Head, Pathology Informatics

We have a question regarding a vendor that claims that they don't need a BAA as they are a "conduit" and are exception. Is there someone at the OCR that could help us adjudicate this problem?

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, ACO

Voting

2 votes
2 up votes
0 down votes

Campaign: Developers and HIPAA

Data Recording

I am a student creating an app for school project. I was wondering if I have to be HIPAA compliant. I am creating an app, where diabetics can store their glucose and calculate insulin dosage. None of the information will be sent to hospitals or physicians. How would HIPAA work in this case? Thank you ahead.

Submitted by

Who are your customers? Check all that apply : General Public

What is your organization? : Other

Voting

2 votes
2 up votes
0 down votes

Campaign: Developers and HIPAA

EHR Role-Based Controls

What kind of limitations on role-based access does an EHR have to provide in order to comply with the “minimum necessary” standard? For example, if an employee only needs demographic or scheduling information to fulfill their job, does the EHR have to include mechanisms to prevent that employee from accessing other clinical information, or is having audit capability (combined with staff training and written policies) ...more »

Submitted by

Who are your customers? Check all that apply : Health plans or health care providers

What is your organization? : Attorney/other compliance consultant

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

Connected Device Maintenance via App

A physician provides their patient with a medical device (like a CPAP or Glucose Meter). The company that created the medical device wants to monitor the maintenance of the machine. All of the information collected by the device that is sent to the physician is covered under a business associate agreement. Can the company that created the medical device receive information about the maintenance/operation of the device ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Other, General Public, Patients/Individuals/Consumers

What is your organization? : Small company, Trade association

Voting

3 votes
3 up votes
0 down votes

Campaign: Developers and HIPAA

App Customization

A consumer focused app receives a request from one of its users, a hospital, for a customization of the product. The customization is created in response to the user request and treated the same as other requests. The app developer then makes it available to their entire user base, not just the requester, and no fee is paid. Does this make the app developer a business associate of the covered entity?

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Other, General Public, Patients/Individuals/Consumers

What is your organization? : Small company, Trade association

Voting

2 votes
2 up votes
0 down votes

Campaign: Developers and HIPAA

Unencrypted Text without PHI?

Can a provider, or business associate acting on behalf of a provider, send an unencrypted text or email to a patient if the initial message does not contain protected health information and the patient requested the communication? If so, can the patient give the provider consent to use a third-party mailing service, even if the provider (or business associate of the provider) does not have a business associate agreement ...more »

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Other, General Public, Patients/Individuals/Consumers

What is your organization? : Small company, Trade association

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

BAAs with Vendors and Providers

If a company has a business associate agreement (BAA) with an electronic medical record (EMR) vendor, does that company also have to sign a BAA with each health care provider or provider group using that EMR in addition to their existing BAA with the vendor?

Submitted by

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor), Other, General Public, Patients/Individuals/Consumers

What is your organization? : Small company, Trade association

Voting

1 vote
1 up votes
0 down votes

Campaign: Developers and HIPAA

Cellular Voice HIPAA Compliant

I'm wondering if Verizon Home Phone connect with a analog phone hooked up to is violates HIPAA in any way. I'm more concerned about cellular technology VS POTS. There is no data transmission only voice.

Submitted by

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Government

Voting

1 vote
1 up votes
0 down votes