A software company (e.g. a startup) develops an untethered PHR that is offered directly to the patient (consumer). The patient then authorizes the PHR to "request" and "pull" (on behalf of the patient) all records from all portals offered by healthcare provider EHRs (e.g. Epic (MyChart), Cerner, etc.). The PHR gets access to all portals using logon credentials provided by the patient (e.g. patient provides all usernames and... more »
Developers and HIPAA
Are there any specific requirements that we should keep in mind when putting together a solution to provide PHI to a customer via a chat channel? Would it even be feasible? Assuming the customer is identified (previously registered or asked to provide DOB or some personal information).
You have an app to manage chronic care that is primarily driven by the patient and requires patient permission to share any data, but where providers can enter some data, such as messages, or some information related to the patient's medication. The system is offered independently from a covered entity. Just because providers enter some PHI in the system, are you seen as a BA covered, or you are not a BA as long as... more »
I have a web application that allows a patient and a doctor to create an account. The patient can upload his medical history and associate scanned files to his account. The patient then selects a doctor within the web application and invites him to have a look at his case files. We are hosting this on a HIPAA-compliant environment under a BAA agreement. I am the only administrator who manages the system and I manage... more »
We have a communication platform where providers, patients, family members can connect and communicate securely. The patient can set their own preferences around how they receive notifications about types of messages, and from whom in the app. We would like to send the patient a push notification so they are aware there is a new message in the app. We can send a push notification that says "There is a new message in the... more »
Developers need better guidance around cloud storage/computing and the Security Rule. Client-server architecture is no longer relevant in many cases. Health technology companies are typically now 100 percent cloud-based. Many clients are doing some type of data analytics work, or offer cloud-based EHRs and medical devices. HHS should provide good guidance for companies that are cloud based and virtual. Most companies... more »
Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de-identify information purely for the purposes of selling data as a service? Additionally, from a Privacy Rule perspective (i.e., not considering state law or contractual considerations), are there any restrictions on a business associate using or disclosing the de-identified... more »
Employees of a Business Associate must be trained on the basics of HIPAA. Startups and emerging companies want to ensure that the training their employees receive meets the standards expected by OCR. Similar to the practices of OSHA, can OCR provide a standardized training program on key HIPAA issues?
Small companies and Business Associates are eager to meet their security requirements under HIPAA. Many smaller B.A.s have stated that they are unable to use the current security risk assessment tool because they believe it is needlessly cumbersome, redundant, and designed for Covered Entities. Do you recommend that Business Associates start to use private tools instead of the current tool for risk assessments? If so,... more »
If a patient acknowledges receipt of a Notice of Privacy Practices when admitted to a Hospital, does the Hospital-owned outpatient pharmacy using the same electronic software have to provide a second Notice and obtain patient acknowledgement again? Can the original notice cover all outpatient departments under Hospital ownership?
Private Practice Physicians have the opportunity by contracting with a large health care entity to get into electronic health records (EHR). In wanting to satisfy the continuum of care one practice can see any treatment provided by another provider for their patient. They can access diagnostics within the health care entity's network. All good things! My concern, though users sign off on a confidentiality agreement... more »
We are not a covered entity or business associate. We are developing a direct-to-consumer app that tracks medication adherence. We want to de-identify the information the app collects to sell to third parties. Do we follow the same HIPAA de-identification processes that a covered entity or business associate would follow?
In order to be HIPAA compliant, should all activity that occurs within an app be logged, or should activity that exceeds the normal threshold be logged? For instance, users that access information in the application routinely during the course of their work day will evince a regular level of activity. The activity will indicate routine access of sensitive information. Should the log contain all of the users' activity,... more »
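The logging question above contrasts two designs: record every access event, or record only activity above a threshold. The following Python example is added by the editor and is not code from the question, from HHS, or from any product; it shows how the two are not mutually exclusive: every access to a record is appended to an audit log (identifiers only, no clinical content), and a separate review step derives each user's baseline from that complete log and flags a day whose volume exceeds it. The user names, patient identifiers, dates and the `factor`/`min_days` parameters are constructed assumptions for illustration.

```python
"""Added example: append-only PHI access audit log plus a baseline review.
All users, record ids and dates below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json
import statistics


@dataclass(frozen=True)
class AccessEvent:
    ts: str        # ISO 8601 UTC timestamp of the access
    user: str      # authenticated user id (assumed to come from the app session)
    patient: str   # record identifier only; clinical content is never logged
    action: str    # e.g. "view", "update", "export"
    success: bool  # failed attempts are logged too


class AuditLog:
    """Append-only log: every access is recorded, nothing is filtered at write time."""

    def __init__(self):
        self._lines = []  # one JSON line per event (stand-in for a WORM store)

    def record(self, user, patient, action, success=True, when=None):
        when = when or datetime.now(timezone.utc)
        ev = AccessEvent(when.isoformat(), user, patient, action, success)
        self._lines.append(json.dumps(asdict(ev)))
        return ev

    def events(self):
        return [AccessEvent(**json.loads(line)) for line in self._lines]


def daily_counts(events):
    """Map user -> {YYYY-MM-DD: number of access events that day}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        counts[ev.user][ev.ts[:10]] += 1
    return counts


def flag_unusual(events, factor=3.0, min_days=3):
    """Flag users whose most recent day exceeds `factor` times their own
    mean daily volume over at least `min_days` earlier days.
    The threshold is derived from the complete log, so nothing has to be
    dropped at collection time to support it."""
    flagged = {}
    for user, per_day in daily_counts(events).items():
        days = sorted(per_day)
        if len(days) < min_days + 1:
            continue  # not enough history to call anything unusual
        baseline = [per_day[d] for d in days[:-1]]
        threshold = factor * statistics.mean(baseline)
        last_day, last_count = days[-1], per_day[days[-1]]
        if last_count > threshold:
            flagged[user] = {"last_day": last_day, "count": last_count,
                             "threshold": threshold}
    return flagged


def sample_log():
    """Constructed sample: four days of activity for two users."""
    log = AuditLog()
    schedule = {"nurse_a": [10, 10, 10, 12],   # steady, slight rise on day 4
                "clerk_b": [5, 5, 5, 40]}      # eightfold jump on day 4
    for user, per_day in schedule.items():
        for day_idx, n in enumerate(per_day):
            for i in range(n):
                when = datetime(2024, 3, 1 + day_idx, 9, 0, i, tzinfo=timezone.utc)
                log.record(user, f"pt-{i:04d}", "view", when=when)
    return log


if __name__ == "__main__":
    log = sample_log()
    print(f"{len(log.events())} events recorded")
    for user, info in flag_unusual(log.events()).items():
        print(f"{user}: {info['count']} accesses on {info['last_day']} "
              f"(threshold {info['threshold']:.1f})")
```

The review function reads the same complete log that the app writes, so the "everything" and "above threshold" designs collapse into one: collection is exhaustive and cheap (one identifier-only line per access), and the threshold logic lives in the review step, where it can be tuned or replaced without losing the underlying record.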
We are a small organization starting up a tele-health initiative. We would like to deliver a copy of our Notice of Privacy Practices electronically and have patients acknowledge receipt via check box prior to completing our online intake forms. This method is used for acceptance when one downloads software online. We are having a difficult time understanding the requirements for this. Can it be a check box and/or typed... more »
I am a student creating an app for school project. I was wondering if I have to be HIPAA compliant. I am creating an app, where diabetics can store their glucose and calculate insulin dosage. None of the information will be sent to hospitals or physicians. How would HIPAA work in this case? Thank you ahead.