4

Assume I am creating an application that generates a report of health recommendations based on input patient diagnostics.

My application receives no identifying information about the patient. It receives only a unique patient identifier (e.g. "Patient #123456") and the patient's diagnostics (e.g. "Heart rate 80 BPM").

The report output by my application contains only that unique identifier, diagnostics, and health recommendations (e.g. "Patient #123456 had a sodium level of a billion mEq/L. We recommend the patient eat less salt.").

I want to avoid generating these reports as PDFs because PDFs are difficult to develop. I'd much rather generate print-friendly HTML/CSS webpages, which my users can then print/export to PDF if they would like. (Assume all my users are on modern desktop web browsers -- no IE8 outliers.)

What would be the regulatory concerns (if any) of delivering reports as static webpages, rather than PDFs? Can I mitigate these somehow?

2 Answers

5

Yes, an HTML based report can be HIPAA compliant.

The format in which the report is presented has no significant consequence to compliance. The behavior of the system that is generating the report is what you should be focusing on.

  • Thank you! With respect to the system, as long as data is encrypted, and as long as no identifying patient information is being stored (aside from the unique ID and diagnostic information), should that suffice? – RobertAKARobin Aug 08 '17 at 17:00
0

It can be. Be wary, though: unique identifiers are considered to be PHI in the eyes of HIPAA. There are a few exceptions, notably:

(c) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that: (1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and (2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

I imagine that you'd eventually need to re-identify the unique ID you create back to a patient at some point. As such, it would become PHI. You can manage many of the pieces of compliance required for HIPAA by deploying your application on a platform like https://datica.com/platform/.

*Disclosure: I work at Datica.*

  • 1
    Your disclosure is vague. Do you work at Datica? – Jesse K Aug 14 '17 at 18:05
  • I do. Sorry, I must have missed that while I was editing it earlier. We also open sourced our policies for DIY on any platform for HIPAA compliance: https://github.com/catalyzeio/policies – Mark Olschesky Aug 15 '17 at 20:35
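As an added illustration (not code from either answer or from Datica), here is the distinction the quoted 45 CFR 164.514(c) text draws between a re-identification code that is random and held only by the covered entity, and one that is derived from patient data. The MRN value, the patient directory and the `ReidentificationCodebook` class are constructed for this example.

```python
import hashlib
import secrets

# Constructed sample of what the covered entity holds. The report generator
# never receives this structure; it only ever sees the code and the readings.
PATIENT_DIRECTORY = {"MRN-000123": {"name": "Jane Doe", "dob": "1970-01-01"}}


class ReidentificationCodebook:
    """Assigns codes the way 164.514(c) describes: random, not derived from
    anything about the individual, with the mapping kept by the covered
    entity and never shipped with the report."""

    def __init__(self):
        self._code_to_mrn = {}
        self._mrn_to_code = {}

    def code_for(self, mrn):
        if mrn not in self._mrn_to_code:
            code = secrets.token_hex(8)  # 64 random bits, unrelated to the patient
            self._mrn_to_code[mrn] = code
            self._code_to_mrn[code] = mrn
        return self._mrn_to_code[mrn]

    def reidentify(self, code):
        """Only the holder of the codebook can go from code back to patient."""
        return self._code_to_mrn[code]


def derived_code(mrn):
    """Anti-pattern: a bare hash of the MRN is 'derived from' information
    about the individual. It is not a secret mapping, just a recomputable
    function of the input, so it fails the derivation requirement."""
    return hashlib.sha256(mrn.encode()).hexdigest()[:16]


def recoverable_by_recomputation(code, candidate_mrns):
    """Review check: can a code be tied back to a patient by recomputing the
    derivation over a list of known MRNs? True means the code is derived."""
    return any(derived_code(m) == code for m in candidate_mrns)


def build_report_payload(codebook, mrn, diagnostics):
    """Everything the HTML report generator is given: code plus readings."""
    return {"patient_code": codebook.code_for(mrn), "diagnostics": diagnostics}
```

The format of the rendered report (HTML or PDF) never enters into this; what matters is that only the random code leaves the codebook holder.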