Can organizations adopt the less stringent password measures recently updated in NIST 800-63-B and still be compliant under the HIPAA security rule?
We have a communication platform where providers, patients, family members can connect and communicate securely. The patient can set their own preferences around how they receive notifications about types of messages, and from whom in the app. We would like to send the patient a push notification so they are aware there is a new message in the app. We can send a push notification that says "There is a new message in the ...more »
When implementing external services with clients (such as exposing an API to external clients), are there any HIPAA rules/regulations around testing the implementation in a non-prod environment before going live in production? Are there any concerns with PHI or security with testing an implementation (of say an API with an external client) directly in a production environment?
I have a web application that allows a patient and a doctor to create an account. The patient can upload his medical history and associate scanned files to his account. The patient then selects a doctor within the web application and invites him to have a look at his case files. We are hosting this on a HIPAA compliant environment under a BAA agreement. I am the only administrator who manages the system and I manage ...more »
I just heard that a practice in our area had a ransomware attack. Based upon their investigation their manager stated that the hacker did not get access to the PHI data and therefore did not need to report to patients or the Dept. of HHS. I question their judgement since I'm not certain if they can even tell if the only thing the hacker did was lock them out of access to their patient PHI and didn't also create an ...more »
I am a compliance consultant, seeing an increasing amount of concern from cloud service providers about customers/users sharing PHI via their platforms in clear violation of Terms of Service. (Depending on the platform, customers/users range from individuals to business associates to covered entities.) Specifically, the CSPs are concerned about whether allowing accounts in violation to remain active is somehow tacit acceptance ...more »
This was addressed on your old FAQ page for a number of years and it seems to have disappeared. Can "open format" postcards still be used to remind patients of upcoming appointments as long as HIPAA's minimum necessary standard is observed? Something like, "Dear Sue, We would like to remind you of your upcoming appointment on Tuesday, September 12th at 2:20 pm"?
I'm working on a free web application for use by healthcare providers that tracks the usage of antibiotics. I intend to make the application available to anyone as a tool without entering into any formal agreements. The tool would track such information as: facility census, medication name, dosage, date given, etc., patient age, gender, height, weight, etc. The tool would NOT use identifying information such as name, ...more »
Can someone tell me if a simple contact form on a health provider's website needs to be HIPAA compliant if it is only requesting information like name, email, number, and a comment of interest in services?
We're a non-profit organisation seeking to deploy an open-source health management application for use. We classify as a Business Associate as we provide services for a health care provider under HIPAA. We urgently need to know what exactly are the requirements a health information system needs to meet in order to satisfy HIPAA. It would be helpful to know if there's some document or checklist to work with. We'd also ...more »
I'm working on an app for a therapist to send a list of exercises to their patient's mobile device from their desktop for the patient to perform at home. The therapist can view if the patient is checking off their exercises and reporting their completion each day. No information is being transmitted in regards to the patient's diagnosis or condition, only the list of exercises to be performed at home and the patient's ...more »
Hi, for a mobile chatbot health app that reads, transfers and stores (within and outside the mobile phone, in a cloud based server) sensor generated time series data of patients'/consumers' activities, events, etc., which includes all data that can be captured by a mobile phone's accelerometer, light, and other sensors without patient/consumer intervention, can such sensor generated data be classified as personal identifiable information ...more »