
Developers and HIPAA

Are we a HIPAA compliant distributed team? Implemented

We are a small startup team that is distributed nationwide. To date everyone has used their own personal computers to log in to work email, etc. Is it a requirement that we purchase and make all of our employees use only their work computers for development and access to our db? It's understood that we need robust password policies and defined lists of who has access to any sensitive data wherever they may be.

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

Scanning and Penetration Testing Implemented

Do entities need to run internal and external vulnerability scanning to be HIPAA compliant? Do entities have to run penetration tests to ensure compliance? Reading §164.312(e)(2)(i) it seems that 'security measures' could include these tests, but it does not specify a requirement for them.

Additionally, a risk analysis could identify that these services would help to reduce the risk, threats and vulnerabilities in-scope systems,... more »

Voting

2 votes
2 up votes
0 down votes

Developers and HIPAA

Offshore development and customer support Implemented

Does HIPAA have any restrictions on offshore development and/or customer support functions if the parent company is based in U.S. and/or if the foreign entity is owned and/or controlled by an entity based in U.S.?

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

What is BAA to do with stored patient health info Implemented

The scenario is this: A private health clinic (PHC) signs up online to use a web-based EHR application to create patient charts, schedule patients, provide a patient portal, etc. - classic practice management tasks. The EHR vendor has a BAA with a company which hosts its web application and the encrypted database. My question is, what happens to the PHC's electronically stored ePHI if the PHC's account is cancelled and/or... more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

Clarify the definition of PHI for online consumer interactions Implemented

I see a great deal of variation from organization to organization on what constitutes PHI in the digital realm. I have several scenarios that I'd like your thoughts on:
- Is public website browsing behavior considered PHI as is suggested in the current Winston Smith V. Facebook case (http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=2175&context=historical)? This could impact a number of common services used... more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

When are end-user disclosures to a subcontractor not incidental? Implemented

I'm a compliance consultant for early stage startups with tight budgets. I'm not sure how to advise them regarding BAAs for third-party services such as customer support ticketing that aren't meant to collect PHI, but may incidentally. (E.g. "[Covered entity] entered my profile information wrong and I don't know how to change it. It should say...") These subcontractors meet the NIST definition of a cloud service provider,... more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

Cloud computing Implemented

Developers need better guidance around cloud storage/computing and the Security Rule. Client-server architecture is no longer relevant in many cases. Health technology companies are typically now 100 percent cloud-based. Many clients are doing some type of data analytics work, or offer cloud-based EHRs and medical devices. HHS should provide good guidance for companies that are cloud based and virtual. Most companies... more »

Voting

3 votes
3 up votes
0 down votes

Developers and HIPAA

Audits Implemented

With random audits becoming a feature of HIPAA enforcement, small companies and Business Associates should ensure that information sought by OCR is readily available. This will allow OCR to make assessments quickly and efficiently. Making this process efficient also limits the disruptive impact audits can have on emerging companies. Similar to the practice of the FCC, can OCR provide guidance for Business Associates regarding... more »

Voting

5 votes
6 up votes
1 down votes

Developers and HIPAA

Web Based Portal HIPAA Requirements

If a DME supplier, vitamin supplier, text reminder application, auto payment system for patient accounts, or a website management company collects PHI data via a web portal are they considered a Business Associate? For example, the company has created a web portal or downloadable software application that requires internet access, with fields that collect data, and that data helps the provider manage patient custom... more »

Voting

3 votes
3 up votes
0 down votes

Developers and HIPAA

Can HIPAA address patient generated data? Implemented

Developers need better guidance around patient generated health data, since HIPAA focuses on one-way data sharing from a provider/other covered entity outward to the patient/other entity. In the future, more and more data will be flowing in the opposite direction, and there should be guidance to clarify that HIPAA should not prevent the flow of information from the patient back to the provider.

Voting

6 votes
6 up votes
0 down votes

Developers and HIPAA

Text messaging and HIPAA

There is currently a lack of clarity about whether patient consent to communicate via (unencrypted) SMS is adequate to protect covered entities from HIPAA concerns. HHS (and medical research) has released data supporting the use of non-encrypted SMS, given its high accessibility to patients and its efficacy in achieving behavior change (e.g. medication compliance, smoking cessation).

Many covered entities feel that this... more »

Voting

23 votes
23 up votes
0 down votes

Developers and HIPAA

Birthweights/Ages Implemented

Certain pediatric tasks require fairly precise ages, for example when evaluating jaundice one must know a baby's age in hours. What precautions are required to ensure that a birthdate cannot be inferred by usage data from an app that automates some of these tasks? For example, if a nurse enters in that a baby is 8 hours old, it seems a birthdate could be identified if the time of the nurse/app interaction was known.... more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

Desktop application for Videodermatoscopy

Good morning,

We are an Italian software house and we would like to commercialize our software for Videodermatoscopy in the USA.
Before that we would like to be sure that our software is HIPAA compliant because it stores patients' health information such as: name, surname, address, phone number, information about health status and specific information about the patient's diseases, photos of the patient and their moles, therapies, etc. etc.... more »

Voting

1 vote
1 up votes
0 down votes

Developers and HIPAA

'Medical Info' field in attendance mobile app

We are working on a mobile app that tracks attendance for fitness instructors/martial arts schools. Instructors can create classes and save their students in them. Part of the data entered for a student includes a field called Med Info, which would be something along the lines of "Has asthma" or "Allergic to peanuts", just to give general examples. This is done so instructors can be prepared and aware of any health conditions with... more »

Voting

1 vote
1 up votes
0 down votes