Developers and HIPAA

Submitted by

Is a BAA required with SMS service

If my provider is communicating PHI and non-PHI with patients through a 3rd party SMS service, such as Twilio, would my provider be required to sign a BAA with an SMS service company or such a company be classified as a conduit? We are sending encrypted data to the SMS service which is then sending unencrypted SMSs to patients. Patients can then potentially respond to those SMSs via unencrypted SMS which would be directed ...more »

Voting

6 votes
6 up votes
0 down votes

Developers and HIPAA

Submitted by

Is a BAA required with SMS service

If my provider is communicating PHI and non-PHI with patients through a 3rd party SMS service, such as Twilio, would my provider be required to sign a BAA with an SMS service company or such a company be classified as a conduit? We are sending encrypted data to the SMS service which is then sending unencrypted SMSs to patients. Patients can then potentially respond to those SMSs via unencrypted SMS which would be directed ...more »

Voting

6 votes
6 up votes
0 down votes

Developers and HIPAA

Submitted by

De-identification of individuals' information

Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de-identify information purely for the purposes of selling data as a service? Additionally, from a Privacy Rule perspective (i.e., not considering state law or contractual considerations), are there any restrictions on a business associate using or disclosing the de-identified ...more »

Voting

3 votes
3 up votes
0 down votes
Answered Questions

Developers and HIPAA

Submitted by

Are CSPs that don't enforce ToS tacitly accepting a BA role?

I am a compliance consultant, seeing an increasing amount of concern from cloud service providers about customers/users sharing PHI via their platforms in clear violation of Terms of Service. (Depending on the platform, customers/users range from individuals to business associates to covered entities.) Specifically, the CSPs are concerned about whether allowing accounts in violation to remain active is somehow tacit acceptance ...more »

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

Submitted by

When are end-user disclosures to a subcontractor not incidental?

I'm a compliance consultant for early stage startups with tight budgets. I'm not sure how to advise them regarding BAAs for third-party services such as customer support ticketing that aren't meant to collect PHI, but may incidentally. (E.g. "[Covered entity] entered my profile information wrong and I don't know how to change it. It should say...") These subcontractors meet the NIST definition of a cloud service provider, ...more »

Voting

1 vote
1 up votes
0 down votes
Answered Questions

Developers and HIPAA

Submitted by

Surveillance Cameras and HIPAA

The mental health organization I am working with wants to install cameras in an area where people receive services (so they are identified by face and as being in need of the service provided). The organization will have an app to monitor camera activity etc but they want an existing telecommunications company to install and maintain the cameras and the video/images. The company they have chosen has never and will not ...more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

Submitted by

Surveillance Cameras and HIPAA

The mental health organization I am working with wants to install cameras in an area where people receive services (so they are identified by face and as being in need of the service provided). The organization will have an app to monitor camera activity etc but they want an existing telecommunications company to install and maintain the cameras and the video/images. The company they have chosen has never and will not ...more »

Voting

1 vote
1 up votes
0 down votes