Developers need better guidance around patient generated health data, since HIPAA focusses on one-way data sharing from a provider/other covered entity outward to the patient/other entity. In the future, more and more data will be flowing in the opposite direction, and there should be guidance to clarify that HIPAA should not prevent the flow of information from the patient back to the provider.
Developers and HIPAA
There is a lack of transparency around the content of Business Associate Agreements (BAAs), a lack of sample BAA language around the topics developers care about, such as cloud storage & PGHD, and a lack of bargaining power on the part of startups. This has led to many challenges for the industry, resulting in high legal fees which may be a barrier to entry for many companies. HHS should issue sample BAA language around... more »
How can we determine if we’re a covered entity? The resources to make that determination are expensive – i.e. law firms
Assume you have a software company that will be using a smartphone application and related device to record and store arguably protected health information. 1. Assume the software company stores the information on its own servers. The company is not subject to HIPAA (privacy or security rules) because it isn't a covered entity or a business associate of a covered entity, correct? 2. Now assume that the software... more »
I would like to know if I offer an online appointment scheduler to health care providers, would the system and I, as the programmer/manager need to abide by HIPAA or other related laws. Information included in the system would not be medical in nature; it would just be the clients name, appointment date and time, their email address and phone number. Possibly a credit card for deposits, but that's not the concern. The... more »
I am in the process of working with a hospital that is using a marketing software product to integrate forms into a new website project. We have recently got into the discussion regarding HIPAA compliance. It turns out the product's forms are not HIPAA compliant. With that being said the information being captured by these forms on the site are not intended to be capturing medical information. The purpose of these forms... more »
With random audits becoming a feature of HIPAA enforcement, small companies and Business Associates should ensure that information sought by OCR is readily available. This will allow OCR to make assessments quickly and efficiently. Making this process efficient also limits the disruptive impact audits can have on emerging companies. Similar to the practice of the FCC, can OCR provide guidance for Business Associates regarding... more »
What are the suggested encryption protocols that one should implement in order to fulfill the 164.312(a)(2)(iv)
Have you implemented a mechanism to encrypt and decrypt EPHI?
There is currently a lack of clarity about whether patient consent to communicate via (unencrypted) SMS is adequate to protect covered entities from HIPAA concerns. HHS (and medical research) has released data supported use of non-encrypted SMS, given its high accessibility to patients and its efficacy in achieving behavior change (e.g. medication compliance, smoking cessation). Many covered entitites feel that this... more »
Private Practice Physicians have the opportunity by contracting with a large health care entity to get into electronic health records EHR. In wanting to satisfy the continuum of care one practice can see any treatment provided by another provider for their patient. They can access diagnostics within the health care entities network. All good things! My concern, though users sign off on a confidentiality agreement... more »
I understand there is some ambiguity regarding providers communicating PHI with patients, and I'm having some trouble interpreting how it applies to me. My provider developed software to engage patients via unencrypted SMS. My provider's medical practitioners will determine a patient is in need of monitoring and will develop or reuse a workflows to regularly request defined PHI from patients--such as diastolic and systolic... more »
Right now, developers expend a lot of time and resources (including the cost of data storage) on audit logging but don’t have assurance that they are in compliance. Could HHS provide an open source library of code to help developers understand how to execute audit logging.
Does the entire environment need to be HIPAA compliant, or is it possible that the solution could fall into an exception to HIPAA, or can they use an API to store certain kinds of data? If you’re building modern technologies, you’re relying on a lot of third party (likely API) based services; mostly cloud based services. So which aspects of those need to be compliant?
Developers need better guidance around cloud storage/computing and the Security Rule. Client-server architecture is no longer relevant in many cases. Health technology companies are typically now 100 percent cloud-based. Many clients are doing some type of data analytics work, or offer cloud-based EHRs and medical devices. HHS should provide good guidance for companies that are cloud based and virtual. Most companies... more »
Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de-identify information purely for the purposes of selling data as a service? Additionally, from a Privacy Rule perspective (i.e., not considering state law or contractual considerations), are there any restrictions on a business associate using or disclosing the de-identified... more »