Developers and HIPAA

Facility Directories

Can someone elaborate on what is allowed for facility directories under 164.510? The regulations say the directory can give the recipient the location of the patient (assuming all other requirements are met)? Can a covered entity (or its business associate) also give directions to the location? Can those directions be transmitted electronically (e.g., via e-mail or otherwise) to someone who asks for the patient by name ...more »

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

Developers have full access to production phi at all times.

We are a small company but have our software in over 100 large hospitals. Our developers have full read-write access to all data in the production environment from the day they start (all environments actually). We also have un-encrypted / un-scrambled data in our stage and our certification environments. Each developer has 2 domain accounts, both have full read-write access to all data, an administrative account allows ...more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

Homegrown database

Looking to create a database for managing patient information - not accessible to patients or non-clinical staff. The data will be MD5 encrypted end to end. Any thoughts from what has been done by others?

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

Could a covered entity ever create a non-covered mobile app?

If a health care provider who is a covered entity were to create a general fitness/wellness app and silo off any collected data from their covered operations, could it be a valid hybrid entity? For instance, if a hospital creates a free meditation app but does not prescribe it as treatment, nor convey any data the app ingests back to medical professionals or EMRs, must the app still be HIPAA compliant? What are the criteria ...more »

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

virtual job board interpreter services

Healthcare providers place requests for interpreter services on a web portal that the state agency leases from a private vendor. Interpreters then log into the web portal to fish for appointments. They can access the web portal from their computers or mobile devices and do so frequently at public places such as coffee houses, libraries, waiting rooms, etc. where there is no expectation of privacy. All appointments are ...more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

How granular should logs be in saving access-to-PHI events?

As a software developer in the role of business associate I have read about what needs to be captured and stored by software that handles PHI for a covered entity. To be a good vendor, we want to provide our customer the requisite log data about user credentialing (adds, permissions, changes, disables, deletes), and about PHI activity within our software product. We currently log all changes to PHI made by our product. ...more »

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

How to handle old emails

I'm a web designer and have a client who has recently become hipaa compliant concerning his handling of email. He needed me to search his old emails from about 6 years ago for a certain file. Though he no longer uses that email address, the emails were still in webhosts database, and they were never hipaa compliant. He was wondering if he should just delete those old emails, since they are not hipaa compliant we thought ...more »

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

Surveillance Cameras and HIPAA

The mental health organization I am working with wants to install cameras in an area where people receive services (so they are identified by face and as being in need of the service provided). The organization will have an app to monitor camera activity etc but they want an existing telecommunications company to install and maintain the cameras and the video/images. The company they have chosen has never and will not ...more »

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

iOS keychains for saving pass/access token is HIPAA complaint?

I am building a mobile application to facilitate the patients and I am accessing the PHI through RESTful web apis.

I want to clarify one thing that I surfed a lot on google recently is, if I save patient's password or access token for re-authentication in iOS keychains, then may I consider this approach or this would be vulnerable to save the passwords in iOS keychains and violates HIPAA compliance act?

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

Is a state-run MMJ registry a covered entity?

Is a state-run medical marijuana patient registry a covered entity? The Florida registry includes identifiable patient personal information and MMJ "prescription" information that is passed from the physician, to the DOH, to dispensing retail locations. Any physician, law enforcement officer, or retail location employee can find and view any patient's information. Here is the Florida physician user manual: http://www.flhealthsource.gov/ommu/forms/registry-user-guide-physician.pdf ...more »

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

Is my App following acceptable security protocol through HIPPA?

I email addresses of the users of the app, which are all doctors not patients, for authentication purposes. The application uses SSL encryption for transmission of data between a user's phone and the backend servers. The data is not currently encrypted on the server, but will become encrypted in a future version. Security around the data is restricted such that a user can only access their own data and is not accessible ...more »

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

Whether App is transmitting and storing PHI?

I have mobile application for tracking physician compensation, and I'm not sure if it contains data points separately or together which would be considered PHI under HIPAA. The application is designed to help a physicians track procedures they perform. This app helps doctors keep tabs on their case log. The information collected is date of case, age of patient (but range, i.e age 1-5), date billing was submitted, diagnoses ...more »

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

online social communities sponsored by a covered entity

We are a covered entity, and developing an online education program for a medical condition. Only registered/approved users are able to join view pages. So it may be assumed that a user has the medical condition, but the site does not require that users identify themselves to others. Users will have the option to enter PHI in a secured profile (hipaa compliant...), but can elect not to enter any info. The users will ...more »

Voting

2 votes
2 up votes
0 down votes