Developers and HIPAA

Ransomeware Attack

I just heard that a practice in our area had a ransomware attack. Based upon their investigation their manager stated that the hacker did not get access to the PHI data and therefore did not need to report to patients or the Dept. of HHS. I question their judgement since I'm not certain if they can tell even tell if the only thing the hacker did was lock them out access to their patient PHI and didn't also create an... more »

Voting

-1 votes
0 up votes
1 down votes

Developers and HIPAA

Implementations with external services & Testing

When implementing external services with clients (such as exposing an API to external clients), are there any HIPAA rules/regulations around testing the implementation in a non-prod environment before going live in production? Are there any concerns with PHI or security with testing an implementation (of say an API with an external client) directly in a production environment?

Voting

0 votes
0 up votes
0 down votes

Developers and HIPAA

Wearables provided by covered entity

I believe this question is covered in the developer guidance (page 3), but as this document is 3+ years old, I was trying to determine if further guidance is available or if anything has changed with the decisions. We provide patient monitoring services to covered entities and enter into contracts/BAA's with them. One of these physicians is interested in providing a wearable tracker to his patients - the wearable would... more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

Are all cookies considered identifiable?

One of our physicians requested the use of a website which requires a patient to create an account, then the physician can add medical information about that individual, so the individual can then filter an e-commerce platform to make purchases that are consistent with their medical conditions. As we would be offering the service to patients and uploading the PHI, this would fall under a business associate relationship.... more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

Web app records meds, but not identifiable to patient.

I'm working on a free web application for use by healthcare providers that tracks the usage of antibiotics. I intend to make the application available to anyone as a tool without entering into any formal agreements. The tool would track such information as: facility census, medication name, dosage, date given, etc. patient age, gender, height, weight, etc. The tool would NOT use identifying information such as name,... more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

HIPAA Requirements for data cabling

I am looking to find a HIPAA regulation that tells me whether or not a healthcare facility needs to have all TIA/EIA-568-B certified data cables. I know this would fall under data integrity, but I cannot find where in HIPAA that it states that best practice or industry standards must be met.

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

Must a mobile app PHR be password protected

A covered entity provides test results to patients through a Patient Mobile App or a Website. Patients must request access and data is transmitted securely. Once the patient has custody of the PHI (as a downloaded report on the website, or as received data on the mobile device, is the Covered Entity responsible if the patient loses their own data? Is it required, for example, that the Mobile App be password protected?... more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

HIPAA and FHIR

The introduction of FHIR to the 2015 CEHRT has opened the door for 3rd party applications to receive patient health information directly from an EHR without an agreement in place between the health care provider or the EHR vendor. Even though the patient has selected it, shouldn't the 3rd party app be responsible for the protection of the patient's health information and be held to the same standards as the EHR vendor?... more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

When does a Patient Record(PR) become realized?

The topic came up in a planning session around the point in time when a PR becomes a PR. Let's say we are writing an app for first responders. If the user collects name, date of birth, and vital signs. Does the PR become legally protected as soon as the First name is collected, or is there some threshold of data size(fields, values, etc.) that indicates that the PR has been created in legal terms for HIPPA protection?... more »

Voting

1 vote
1 up votes
0 down votes