Developers and HIPAA

Submitted by

Can HIPAA address patient generated data?

Developers need better guidance around patient generated health data, since HIPAA focusses on one-way data sharing from a provider/other covered entity outward to the patient/other entity. In the future, more and more data will be flowing in the opposite direction, and there should be guidance to clarify that HIPAA should not prevent the flow of information from the patient back to the provider.

Voting

6 votes
6 up votes
0 down votes
Answered Questions

Developers and HIPAA

Submitted by

Help with business associate agreements

There is a lack of transparency around the content of Business Associate Agreements (BAAs), a lack of sample BAA language around the topics developers care about, such as cloud storage & PGHD, and a lack of bargaining power on the part of startups. This has led to many challenges for the industry, resulting in high legal fees which may be a barrier to entry for many companies. HHS should issue sample BAA language around ...more »

Voting

5 votes
5 up votes
0 down votes
Answered Questions

Developers and HIPAA

Submitted by

What part of the environment has to be compliant?

Does the entire environment need to be HIPAA compliant, or is it possible that the solution could fall into an exception to HIPAA, or can they use an API to store certain kinds of data? If you’re building modern technologies, you’re relying on a lot of third party (likely API) based services; mostly cloud based services. So which aspects of those need to be compliant?

Voting

5 votes
5 up votes
0 down votes
Answered Questions

Developers and HIPAA

Submitted by

Audits

With random audits becoming a feature of HIPAA enforcement, small companies and Business Associates should ensure that information sought by OCR is readily available. This will allow OCR to make assessments quickly and efficiently. Making this process efficient also limits the disruptive impact audits can have on emerging companies. Similar to the practice of the FCC, can OCR provide guidance for Business Associates regarding ...more »

Voting

5 votes
6 up votes
1 down votes
Answered Questions

Developers and HIPAA

Submitted by

does an online appointment scheduler need to abide by HIPAA?

I would like to know if I offer an online appointment scheduler to health care providers, would the system and I, as the programmer/manager need to abide by HIPAA or other related laws. Information included in the system would not be medical in nature; it would just be the clients name, appointment date and time, their email address and phone number. Possibly a credit card for deposits, but that's not the concern. The ...more »

Voting

4 votes
4 up votes
0 down votes
Answered Questions

Developers and HIPAA

Submitted by

Cloud computing

Developers need better guidance around cloud storage/computing and the Security Rule. Client-server architecture is no longer relevant in many cases. Health technology companies are typically now 100 percent cloud-based. Many clients are doing some type of data analytics work, or offer cloud-based EHRs and medical devices. HHS should provide good guidance for companies that are cloud based and virtual. Most companies ...more »

Voting

3 votes
3 up votes
0 down votes
Answered Questions

Developers and HIPAA

Submitted by

De-identification of individuals' information

Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de-identify information purely for the purposes of selling data as a service? Additionally, from a Privacy Rule perspective (i.e., not considering state law or contractual considerations), are there any restrictions on a business associate using or disclosing the de-identified ...more »

Voting

3 votes
3 up votes
0 down votes
Answered Questions

Developers and HIPAA

Submitted by

HIPAA Training

Employees of a Business Associate must be trained on the basics of HIPAA. Startups and emerging companies want to ensure that the training their employees receive meets the standards expected by OCR. Similar to the practices of OSHA, can OCR provide a standardized training program on key HIPAA issues?

Voting

3 votes
3 up votes
0 down votes
Answered Questions