Can organizations adopt the less stringent password measures recently updated in NIST 800-63-B and still be compliant under the HIPAA security rule?
Many covered entitites feel that this... more »
We are an Italian software house and we would like to commercialize our software for Videodermatoscopy in USA.
Before that we would be sure that our software is HIPPA compliant because it stores patient's health information such as: name, surname, address, phone number, information about health status and specific information about patient's diseasies, photos of the patient and its mole, therapies, etc.etc.... more »
Is a nonprofit EMS company (501c3) required to have a notice of privacy practices if it is an emergency response group? What aspects of HIPAA are applicable to a nonprofit EMS group?
Does OCR recommend any guides to developers to help them evaluate different kinds of cyberinsurance policies and to determine what types and levels of insurance are needed depending on the application they have developed and for general company compliance?
Can someone tell me if a simple contact form on a health providers website needs to be HIPAA compliant if it is only requesting information like name, email, number, and a comment of interest in services?
medication name, dosage, date given, etc.
patient age, gender, height, weight, etc.
The tool would NOT use identifying information such as name,... more »
We are scheduling patients through an online scheduling app. We've been told patients are de-identified if we only use the first three letters of their first and last name for the scheduling portal. Could you confirm whether or not this is HIPAA compliant?
I am wondering regarding the need to have a BAA with suppliers that do not store medical data but have data that can lead to medical information like IAM cloud services or services for password management (LastPass or 1 password)
there is no medical information that I transfer but I store user and password to my Medical DB for instance
We provide support to healthcare provider while accessing server and clients.
The healthcare server DB stores ePHI (Only medical record number).
As part of our support we are potentially exposed to the mentioned ePHI.
We do not extract ePHI nor download locally.
The question is:
Do we need to be HIPPA compliant?
We have a question regarding a vendor that claims that they don't need a BAA as they are a "conduit" and are exception. Is there someone at the OCR that could help us adjudicate this problem?