Answered Questions


Birthweights/Ages

Community Member

Certain pediatric tasks require fairly precise ages, for example when evaluating jaundice one must know a baby's age in hours. What precautions...

Net Votes: 1 Number of Comments: 1

When are end-user disclosures to...

Community Member

I'm a compliance consultant for early stage startups with tight budgets. I'm not sure how to advise them regarding BAAs for third-party services...

Net Votes: 1 Number of Comments: 3

Clarify the definition of PHI fo...

Community Member

I see a great deal of variation from organization to organization on what constitutes PHI in the digital realm. I have several scenarios that I...

Net Votes: 1 Number of Comments: 2

What is BAA to do with stored pa...

Community Member

The scenario is this: A private health clinic (PHC) signs up online to use a web-based EHR application to create patient charts, schedule patien...

Net Votes: 1 Number of Comments: 3

Offshore development and custome...

Community Member

Does HIPAA have any restrictions on offshore development and/or customer support functions if the parent company is based in U.S. and/or if the ...

Net Votes: 1 Number of Comments: 1

Are we HIPAA compliant distribut...

Community Member

We are a small startup team that is distributed nationwide. To date everyone has used their own personal computers to log in to work email, etc...

Net Votes: 1 Number of Comments: 1

Scanning and Penetration Testing

Community Member

Do entities need to run internal and external vulnerability scanning to be HIPAA compliant? Do entities have to run penetration tests to ensure com...

Net Votes: 2 Number of Comments: 1

Data Masking in EMR

Community Member

Data masking or controlled access provides a means for patients to control disclosure of select information within the EHR.

Net Votes: 0 Number of Comments: 1

HIPAA E-Signature Requirements

Community Member

We are a small organization starting up a tele-health initiative. We would like to deliver a copy of our Notice of Privacy Practices electronica...

Net Votes: 3 Number of Comments: 1

Logging Activity within an Appli...

Community Member

In order to be HIPAA compliant, should all activity that occurs within an app be logged, or should activity that exceeds the normal threshold b...

Net Votes: 3 Number of Comments: 1

Provider suggested use of an App...

Community Member

A provider or a wellness management company, which are both subject to HIPAA because they collect and house PHI. If that provider or wellness p...

Net Votes: 1 Number of Comments: 1

Unencrypted PHI in the Cloud

Community Member

From Kevin Wiggins, Saul Ewing: If a CE puts PHI on the Cloud and later terminates that Cloud as a service provider, there is inevitably some d...

Net Votes: 1 Number of Comments: 2

Sale of Data Collected by a Cons...

Community Member

We are not a covered entity or business associate. We are developing a direct-to-consumer app that tracks medication adherence. We want to de-...

Net Votes: 3 Number of Comments: 2

Are We a Covered Entity?

Community Member

A business associate provides no medical advice, medical services, medical devices, etc. But it talks to patients of the covered entity. Those...

Net Votes: 1 Number of Comments: 2

PHI Data on Offline Devices

Community Member

Remote devices may not have access to the internet at all times and therefore may be operating offline. Data must be stored on the devices unti...

Net Votes: 4 Number of Comments: 2

Cloud Security

Community Member

What are the suggested encryption protocols that one should implement in order to fulfill the 164.312(a)(2)(iv)

Have you impl...

Net Votes: 5 Number of Comments: 2

Are Cloud Storage providers BAs?

Community Member

Is a company that provides encrypted cloud storage for a covered entity a BA if it does not have the encryption key and has no ability to access...

Net Votes: 2 Number of Comments: 2

Risk Assessment Tool

Community Member

Small companies and Business Associates are eager to meet their security requirements under HIPAA. Many smaller B.A.s have stated that they are ...

Net Votes: 3 Number of Comments: 1

HIPAA Training

Community Member

Employees of a Business Associate must be trained on the basics of HIPAA. Startups and emerging companies want to ensure that the training their...

Net Votes: 3 Number of Comments: 1

Audits

Community Member

With random audits becoming a feature of HIPAA enforcement, small companies and Business Associates should ensure that information sought by OCR...

Net Votes: 5 Number of Comments: 3

Which video chat apps are HIPAA-...

Community Member

Is Skype or any other video chat app HIPAA-compliant? Which video chat apps can currently be used for telehealth treatment activities involving ...

Net Votes: 1 Number of Comments: 2

does an online appointment sched...

Community Member

I would like to know if I offer an online appointment scheduler to health care providers, would the system and I, as the programmer/manager need...

Net Votes: 4 Number of Comments: 7

Developer and HIPAA

Community Member

Assume you have a software company that will be using a smartphone application and related device to record and store arguably protected health ...

Net Votes: 2 Number of Comments: 5

De-identification of individuals...

Community Member

Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de...

Net Votes: 3 Number of Comments: 2

Teaching Hospitals and HIPAA Pri...

Community Member

I work for a University medical school that employs physicians as faculty and who teach at the hospital. I would like to know more about how fa...

Net Votes: 2 Number of Comments: 1

Are we a covered entity?

Community Member

How can we determine if we’re a covered entity? The resources to make that determination are expensive – i.e. law firms

Net Votes: 5 Number of Comments: 5

Cloud computing

Community Member

Developers need better guidance around cloud storage/computing and the Security Rule. Client-server architecture is no longer relevant in many ...

Net Votes: 3 Number of Comments: 2

What part of the environment has...

Community Member

Does the entire environment need to be HIPAA compliant, or is it possible that the solution could fall into an exception to HIPAA, or can they u...

Net Votes: 5 Number of Comments: 2

Help with business associate agr...

Community Member

There is a lack of transparency around the content of Business Associate Agreements (BAAs), a lack of sample BAA language around the topics deve...

Net Votes: 5 Number of Comments: 3

Can HIPAA address patient genera...

Community Member

Developers need better guidance around patient generated health data, since HIPAA focusses on one-way data sharing from a provider/other covered...

Net Votes: 6 Number of Comments: 10

How should developers execute au...

Community Member

Right now, developers expend a lot of time and resources (including the cost of data storage) on audit logging but don’t have assurance that the...

Net Votes: 4 Number of Comments: 2