Developers and HIPAA

Are CSPs that don't enforce ToS tacitly accepting a BA role?

I am a compliance consultant, seeing an increasing amount of concern from cloud service providers about customers/users sharing PHI via their platforms in clear violation of Terms of Service. (Depending on the platform, customers/users range from individuals to business associates to covered entities.) Specifically, the CSPs are concerned about whether allowing accounts in violation to remain active is somehow tacit acceptance ...more »

Submitted by
Add your comment

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor)

What is your organization? : Small company, Attorney/other compliance consultant

Voting

0 votes
0 up votes
0 down votes

Developers and HIPAA

When are end-user disclosures to a subcontractor not incidental?

I'm a compliance consultant for early stage startups with tight budgets. I'm not sure how to advise them regarding BAAs for third-party services such as customer support ticketing that aren't meant to collect PHI, but may incidentally. (E.g. "[Covered entity] entered my profile information wrong and I don't know how to change it. It should say...") These subcontractors meet the NIST definition of a cloud service provider, ...more »

Submitted by
3 comments

Who are your customers? Check all that apply : Business associates (operates on behalf of/provides service to health care provider/health plan, e.g., an EHR vendor)

What is your organization? : Attorney/other compliance consultant

Voting

1 vote
1 up votes
0 down votes
Answered Questions

Developers and HIPAA

Is a BAA required with SMS service

If my provider is communicating PHI and non-PHI with patients through a 3rd party SMS service, such as Twilio, would my provider be required to sign a BAA with an SMS service company or such a company be classified as a conduit? We are sending encrypted data to the SMS service which is then sending unencrypted SMSs to patients. Patients can then potentially respond to those SMSs via unencrypted SMS which would be directed ...more »

Submitted by
1 comment

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, Not for profit

Voting

4 votes
4 up votes
0 down votes

Developers and HIPAA

Is a BAA required with SMS service

If my provider is communicating PHI and non-PHI with patients through a 3rd party SMS service, such as Twilio, would my provider be required to sign a BAA with an SMS service company or such a company be classified as a conduit? We are sending encrypted data to the SMS service which is then sending unencrypted SMSs to patients. Patients can then potentially respond to those SMSs via unencrypted SMS which would be directed ...more »

Submitted by
1 comment

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Health care provider or health plan, Not for profit

Voting

4 votes
4 up votes
0 down votes

Developers and HIPAA

De-identification of individuals' information

Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de-identify information purely for the purposes of selling data as a service? Additionally, from a Privacy Rule perspective (i.e., not considering state law or contractual considerations), are there any restrictions on a business associate using or disclosing the de-identified ...more »

Submitted by
2 comments

Who are your customers? Check all that apply : Patients/Individuals/Consumers

What is your organization? : Attorney/other compliance consultant

Voting

3 votes
3 up votes
0 down votes
Answered Questions