What is the intent of this site? OCR rarely, if ever, comments on questions, some of which could really help HIPAA regulated organizations and developers interpret the Privacy and Security Rules.
If a DME supplier, vitamin supplier, text reminder application, auto payment system for patient accounts, or a website management company collects PHI data via a web portal, are they considered a Business Associate? For example, the company has created a web portal or downloadable software application that requires internet access, with fields that collect data, and that data helps the provider manage patient custom...
Does developing an algorithm/machine learning system that uses PHI from EMR to predict and alert providers to negative health outcomes constitute research or a health care operation under HIPAA?
Many third party tools exist for Continuous Integration and Continuous Development (CI/CD). While an organization may maintain a BAA with their public cloud provider, many of these third party tools do not offer, nor will they engage in, a BAA with customers. Is a BAA required for the use of these tools, specifically when these tools are handling the compiling, build pipelines for code sources and virtualization container...
Is an app for people to share STD test results by taking a picture of the STD test results and getting a scannable QR code covered by HIPAA, HITECH or other laws/regulations?
We have a computer that will never have network access, it is completely stand alone. It is used to process x-rays and then burn the data to CD. Does this computer still need to have a compliant OS on it?
We provide support to a healthcare provider while accessing servers and clients.
The healthcare server DB stores ePHI (only medical record numbers).
As part of our support we are potentially exposed to the mentioned ePHI.
We do not extract ePHI nor download it locally.
The question is:
Do we need to be HIPAA compliant?
Our company allows employees to have company email on their BYOD devices. We are wondering what is needed to ensure our email and mobile devices are HIPAA compliant.
We are trying to send medical data from clinics to an Amazon S3 service via an HTTPS connection (using an API). The S3 bucket is configured with a policy for complying with HIPAA guidelines. The question I have is: if HTTPS communication to S3 is implemented with compliant encryption standards, is the solution for transporting data HIPAA compliant?
One of our physicians requested the use of a website which requires a patient to create an account, then the physician can add medical information about that individual, so the individual can then filter an e-commerce platform to make purchases that are consistent with their medical conditions. As we would be offering the service to patients and uploading the PHI, this would fall under a business associate relationship....
I believe this question is covered in the developer guidance (page 3), but as this document is 3+ years old, I was trying to determine if further guidance is available or if anything has changed with the decisions. We provide patient monitoring services to covered entities and enter into contracts/BAAs with them. One of these physicians is interested in providing a wearable tracker to his patients - the wearable would...
Having a hard time finding clarity on cloning access in medical applications. This is an internal question to an organization. If I create an application for users that contains a lot of PHI, am I allowed to use cloning to give access to the users? For example, if a user is a pharmacist and another pharmacist in a different pharmacy requests access, can I give them the option on the request form to clone the other...
I'm developing a calculator type app for a friend of mine who works at a skilled nursing facility. She works as a therapist and regularly needs to split the total amount of time she needs to work with her patients into multiple sessions, often switching back and forth between patients. I'm developing the app to automate the task of her writing down when she starts and ends each session with each of her patients... and...
I am wondering about the need to have a BAA with suppliers that do not store medical data but hold data that can lead to medical information, like IAM cloud services or password management services (LastPass or 1Password).
There is no medical information that I transfer, but I store the user and password to my medical DB, for instance.
Can someone elaborate on what is allowed for facility directories under 164.510? The regulations say the directory can give the recipient the location of the patient (assuming all other requirements are met)? Can a covered entity (or its business associate) also give directions to the location? Can those directions be transmitted electronically (e.g., via e-mail or otherwise) to someone who asks for the patient by name...