Answered Questions


Birthweights/Ages

Community Member

Certain pediatric tasks require fairly precise ages, for example when evaluating jaundice one must know a baby's age in hours. What precautions ar...

Net Votes: 1 Number of Comments: 1

When are end-user disclosures to...

Community Member

I'm a compliance consultant for early stage startups with tight budgets. I'm not sure how to advise them regarding BAAs for third-party services su...

Net Votes: 1 Number of Comments: 3

Clarify the definition of PHI fo...

Community Member

I see a great deal of variation from organization to organization on what constitutes PHI in the digital realm. I have several scenarios that I'd ...

Net Votes: 1 Number of Comments: 2

What is BAA to do with stored pa...

Community Member

The scenario is this: A private health clinic (PHC) signs up online to use a web-based EHR application to create patient charts, schedule patients,...

Net Votes: 1 Number of Comments: 3

Offshore development and custome...

Community Member

Does HIPAA have any restrictions on offshore development and/or customer support functions if the parent company is based in U.S. and/or if the for...

Net Votes: 1 Number of Comments: 1

Are we HIPAA compliant distribut...

Community Member

We are a small startup team that is distributed nationwide. To date everyone has used their own personal computers to log in to work email, etc. I...

Net Votes: 1 Number of Comments: 1

Scanning and Penetration Testing

Community Member

Do entities need to run internal and external vulnerability scanning to be HIPAA compliant? Do entities have to run penetration tests to ensure compli...

Net Votes: 2 Number of Comments: 1

Data Masking in EMR

Community Member

Data masking or controlled access provides a means for patients to control disclosure of select information within the EHR. http://www.nature.com/g...

Net Votes: 0 Number of Comments: 1

HIPAA E-Signature Requirements

Community Member

We are a small organization starting up a tele-health initiative. We would like to deliver a copy of our Notice of Privacy Practices electronically...

Net Votes: 3 Number of Comments: 1

Logging Activity within an Appli...

Community Member

In order to be HIPAA compliant, should all activity that occurs within an app be logged, or should activity that exceeds the normal threshold be l...

Net Votes: 3 Number of Comments: 1

Provider suggested use of an App...

Community Member

A provider or a wellness management company, which are both subject to HIPAA because they collect and house PHI. If that provider or wellness prov...

Net Votes: 1 Number of Comments: 1

Unencrypted PHI in the Cloud

Community Member

From Kevin Wiggins, Saul Ewing: If a CE puts PHI on the Cloud and later terminates that Cloud as a service provider, there is inevitably some data...

Net Votes: 1 Number of Comments: 2

Sale of Data Collected by a Cons...

Community Member

We are not a covered entity or business associate. We are developing a direct-to-consumer app that tracks medication adherence. We want to de-ide...

Net Votes: 3 Number of Comments: 2

Are We a Covered Entity?

Community Member

A business associate provides no medical advice, medical services, medical devices, etc. But it talks to patients of the covered entity. Those pa...

Net Votes: 1 Number of Comments: 2

PHI Data on Offline Devices

Community Member

Remote devices may not have access to the internet at all times and therefore may be operating offline. Data must be stored on the devices until c...

Net Votes: 4 Number of Comments: 2

Cloud Security

Community Member

What are the suggested encryption protocols that one should implement in order to fulfill the 164.312(a)(2)(iv) Have you implemented a mechanism t...

Net Votes: 5 Number of Comments: 2

Are Cloud Storage providers BAs?

Community Member

Is a company that provides encrypted cloud storage for a covered entity a BA if it does not have the encryption key and has no ability to access th...

Net Votes: 2 Number of Comments: 2

Risk Assessment Tool

Community Member

Small companies and Business Associates are eager to meet their security requirements under HIPAA. Many smaller B.A.s have stated that they are una...

Net Votes: 3 Number of Comments: 1

HIPAA Training

Community Member

Employees of a Business Associate must be trained on the basics of HIPAA. Startups and emerging companies want to ensure that the training their em...

Net Votes: 3 Number of Comments: 1

Audits

Community Member

With random audits becoming a feature of HIPAA enforcement, small companies and Business Associates should ensure that information sought by OCR is...

Net Votes: 5 Number of Comments: 3

Which video chat apps are HIPAA-...

Community Member

Is Skype or any other video chat app HIPAA-compliant? Which video chat apps can currently be used for telehealth treatment activities involving gen...

Net Votes: 1 Number of Comments: 2

Does an online appointment sched...

Community Member

I would like to know if I offer an online appointment scheduler to health care providers, would the system and I, as the programmer/manager need to...

Net Votes: 4 Number of Comments: 7

Developer and HIPAA

Community Member

Assume you have a software company that will be using a smartphone application and related device to record and store arguably protected health inf...

Net Votes: 2 Number of Comments: 5

De-identification of individuals...

Community Member

Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de-id...

Net Votes: 3 Number of Comments: 2

Teaching Hospitals and HIPAA Pri...

Community Member

I work for a University medical school that employs physicians as faculty and who teach at the hospital. I would like to know more about how far t...

Net Votes: 2 Number of Comments: 1

Are we a covered entity?

Community Member

How can we determine if we’re a covered entity? The resources to make that determination are expensive – i.e. law firms.

Net Votes: 5 Number of Comments: 5

Cloud computing

Community Member

Developers need better guidance around cloud storage/computing and the Security Rule. Client-server architecture is no longer relevant in many cas...

Net Votes: 3 Number of Comments: 2

What part of the environment has...

Community Member

Does the entire environment need to be HIPAA compliant, or is it possible that the solution could fall into an exception to HIPAA, or can they use ...

Net Votes: 5 Number of Comments: 2

Help with business associate agr...

Community Member

There is a lack of transparency around the content of Business Associate Agreements (BAAs), a lack of sample BAA language around the topics develop...

Net Votes: 5 Number of Comments: 3

Can HIPAA address patient genera...

Community Member

Developers need better guidance around patient generated health data, since HIPAA focusses on one-way data sharing from a provider/other covered en...

Net Votes: 6 Number of Comments: 10

How should developers execute au...

Community Member

Right now, developers expend a lot of time and resources (including the cost of data storage) on audit logging but don’t have assurance that they a...

Net Votes: 4 Number of Comments: 2