I just heard that a practice in our area had a ransomware attack. Based upon their investigation their manager stated that the hacker did not get access to the PHI data and therefore did not need to report to patients or the Dept. of HHS. I question their judgement since I'm not certain if they can tell even tell if the only thing the hacker did was lock them out access to their patient PHI and didn't also create an... more »
When implementing external services with clients (such as exposing an API to external clients), are there any HIPAA rules/regulations around testing the implementation in a non-prod environment before going live in production? Are there any concerns with PHI or security with testing an implementation (of say an API with an external client) directly in a production environment?
The introduction of FHIR to the 2015 CEHRT has opened the door for 3rd party applications to receive patient health information directly from an EHR without an agreement in place between the health care provider or the EHR vendor. Even though the patient has selected it, shouldn't the 3rd party app be responsible for the protection of the patient's health information and be held to the same standards as the EHR vendor?... more »
The topic came up in a planning session around the point in time when a PR becomes a PR. Let's say we are writing an app for first responders. If the user collects name, date of birth, and vital signs. Does the PR become legally protected as soon as the First name is collected, or is there some threshold of data size(fields, values, etc.) that indicates that the PR has been created in legal terms for HIPPA protection?... more »
Healthcare providers place requests for interpreter services on a web portal that the state agency leases from a private vendor. Interpreters then log into the web portal to fish for appointments. They can access the web portal from their computers or mobile devices and do so frequently at public places such as coffee houses, libraries, waiting rooms, etc. where there is no expectation of privacy. All appointments are... more »
I am wondering regarding the need to have a BAA with suppliers that do not store medical data but have data that can lead to medical information like IAM cloud services or services for password management (LastPass or 1 password)
there is no medical information that I transfer but I store user and password to my Medical DB for instance
I'm developing a calculator type app for a friend of mine who works at a skilled nursing facility. She works as a therapist and regularly needs to split the total amount of time she needs to work with her patients into multiple sessions, often switching back and forth between patients. I'm developing the app to automate the task of her writing down when she starts and ends each session with each of per patients... and... more »
Having a hard time finding clarity on cloning access in medical applications. This is an internal question to an organization. If I create an application for users that contains a lot of PHI, am I allowed to use cloning to give access to the users? For example, if a user is a pharmacist and another pharmacist in a different pharmacy requests access, can I give them the option on the request form to clone the other... more »
I believe this question is covered in the developer guidance (page 3), but as this document is 3+ years old, I was trying to determine if further guidance is available or if anything has changed with the decisions. We provide patient monitoring services to covered entities and enter into contracts/BAA's with them. One of these physicians is interested in providing a wearable tracker to his patients - the wearable would... more »
One of our physicians requested the use of a website which requires a patient to create an account, then the physician can add medical information about that individual, so the individual can then filter an e-commerce platform to make purchases that are consistent with their medical conditions. As we would be offering the service to patients and uploading the PHI, this would fall under a business associate relationship.... more »
Does OCR recommend any guides to developers to help them evaluate different kinds of cyberinsurance policies and to determine what types and levels of insurance are needed depending on the application they have developed and for general company compliance?
I work for a software manufacturer that produces software that interfaces our customers various clinical systems to their EHR's and other applications. We do not store, maintain, transmit or manage PHI for our customers. We do configure their HIT interfaces that manage, transmit and modify PHI. Our technicians also routinely see PHI as they are helping customers troubleshoot issues and perform configuration changes.... more »
Can someone tell me if a simple contact form on a health providers website needs to be HIPAA compliant if it is only requesting information like name, email, number, and a comment of interest in services?
I'm working on a free web application for use by healthcare providers that tracks the usage of antibiotics. I intend to make the application available to anyone as a tool without entering into any formal agreements. The tool would track such information as: facility census, medication name, dosage, date given, etc. patient age, gender, height, weight, etc. The tool would NOT use identifying information such as name,... more »
Can organizations adopt the less stringent password measures recently updated in NIST 800-63-B and still be compliant under the HIPAA security rule?