Developers and HIPAA

Sale of Data Collected by a Consumer Targeted App

We are not a covered entity or business associate. We are developing a direct-to-consumer app that tracks medication adherence. We want to de-identify the information the app collects to sell to third parties. Do we follow the same HIPAA de-identification processes that a covered entity or business associate would follow?

Voting

3 votes
3 up votes
0 down votes

Developers and HIPAA

Does HIPAA extend to untethered PHRs?

A software company (e.g. a startup) develops an untethered PHR that is offered directly to the patient (consumer). The patient then authorizes PHR to "request" and "pull" (on behalf of patient) all records from all portals offered by healthcare provider EHRs (e.g. by Epic (MyChart), Cerner,...etc). The PHR gets access to all portals using logon credentials provided by the patient (e.g. patient provides all usernames and... more »

Voting

4 votes
4 up votes
0 down votes

Developers and HIPAA

Is a BAA required with SMS service

If my provider is communicating PHI and non-PHI with patients through a 3rd party SMS service, such as Twilio, would my provider be required to sign a BAA with an SMS service company or such a company be classified as a conduit? We are sending encrypted data to the SMS service which is then sending unencrypted SMSs to patients. Patients can then potentially respond to those SMSs via unencrypted SMS which would be directed... more »

Voting

7 votes
7 up votes
0 down votes

Developers and HIPAA

What is BAA to do with stored patient health info

The scenario is this: A private health clinic (PHC) signs up online to use a web-based EHR application to create patient charts, schedule patients, provide a patient portal, etc. - classic practice management tasks. The EHR vendor has a BAA with a company which hosts its web application and the encrypted database. My question is, what happens to the PHC's electronically stored ePHI if the PHC's account is cancelled and/or... more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

When are end-user disclosures to a subcontractor not incidental?

I'm a compliance consultant for early stage startups with tight budgets. I'm not sure how to advise them regarding BAAs for third-party services such as customer support ticketing that aren't meant to collect PHI, but may incidentally. (E.g. "[Covered entity] entered my profile information wrong and I don't know how to change it. It should say...") These subcontractors meet the NIST definition of a cloud service provider,... more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

web based CASE Management Tool

I have a web application that allows a patient and a doctor to create an account. the patient can upload his medical history and associate scanned files to his account. the patient then selects a doctor within the web application and invites him to have a look at his case files. we are hosting this on a hipaa compliant environment under a BAA agreement. I am the only administrator who manages the system and I manage... more »

Voting

4 votes
4 up votes
0 down votes

Developers and HIPAA

Are We a Covered Entity?

A business associate provides no medical advice, medical services, medical devices, etc. But it talks to patients of the covered entity. Those patients tell the business associate what prescriptions they have for prescription drugs and when they must be refilled. The business associate faxes the refill request to the pharmacy. Does that make the business associate a covered entity?

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

EHR software partners uses third party API

Our EHR solution is partnering with another health related software company with a cloud based API product to provide additional solutions for providers. This is a seamless connection. Some PHI would be stored on the API cloud based system while our EHR would also store PHI either on the client server or the cloud. I have several questions. I am assuming that the business associate between our clients/providers... more »

Voting

4 votes
4 up votes
0 down votes

Developers and HIPAA

Unencrypted PHI in the Cloud

From Kevin Wiggins, Saul Ewing: If a CE puts PHI on the Cloud and later terminates that Cloud as a service provider, there is inevitably some data remanence, thus leaving PHI on the Cloud. NIST Special Publication 800-80 addresses this by suggesting CEs use crypto-erase. What if the CE previously sent unencrypted PHI to the Cloud? Is it as simple as extending the protections of the contract to the information and... more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

Chat requirements

Are there any specific requirements that we should keep in mind when putting together a solution to provide PHI to a customer via a chat channel? Would it even be feasible? Assuming customer is identified (previously registered or asked to provide dob or some personal information

 

Thanks

Voting

4 votes
4 up votes
0 down votes

Developers and HIPAA

Are CSPs that don't enforce ToS tacitly accepting a BA role?

I am a compliance consultant, seeing an increasing amount of concern from cloud service providers about customers/users sharing PHI via their platforms in clear violation of Terms of Service. (Depending on the platform, customers/users range from individuals to business associates to covered entities.) Specifically, the CSPs are concerned about whether allowing accounts in violation to remain active is somehow tacit acceptance... more »

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

Audit logging requirements for secure messaging

We have implemented a secure text messaging service for our application. It is quite possible that our customers will communicate ePHI to us using this secure service. Are we required to audit log all messages along with who read the message just in case some of the messages may have ePHI in them?

Voting

2 votes
2 up votes
0 down votes