
This is a different twist - I'm pushing dispatch information to first responders, such as fire, police, and EMS. But they all could, potentially, include medical information and PII together.

My goal is to make it easier for the first responder to obtain critical information, so I want to make it available in the vehicle, or on the smartphone if necessary. This is where I'm not certain what my responsibilities are. I'd like to provide the information via the browser. I'm curious if a) this scenario falls under HIPAA's domain, and b) there are guidelines I need to follow in the application design - the browser component. The back end I am confident is secure. But I don't know what I need to do on the front end side to protect from accidental or even malicious stealing/accessing of this data (by taking the phone, or glancing over a shoulder...).

Any advice? Thanks!

Polynomial
appDeveloper

3 Answers


...falls under HIPAA's domain?

If you're dealing with PHI then the answer is probably yes. Check out this page from the US Government Department of Health & Human Services Security Rule Guidance Material for some more information.

are there guidelines I need to follow in the application design - the browser component? The back end I am confident is secure.

You should be thinking about a risk assessment (see above mentioned page, especially the link to NIST Special Publication 800-66). It's good to be confident but you need to have the documentation to show that you have been thorough. Regarding application design, two good sources are the book Writing Secure Code and OWASP (check out the OWASP Top Ten as a starting point).

During your risk assessment you will be looking at threats (such as "looking over someone's shoulder") and you'll have to evaluate the likelihood of this happening and the risk that it represents.

jdigital
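As an added illustration (not part of the question or of any answer above) of the kind of browser-side controls a risk assessment like the one jdigital describes would surface for the "glancing over a shoulder" and "taking the phone" threats the asker names: sensitive fields are masked until the responder deliberately reveals them, the view re-locks after an idle period or when the page is backgrounded, and the responses that carry PHI are sent with no-store headers so nothing is left in the device cache. This is framework-free JavaScript written for this page; the field names, timeouts, sample record and header set are constructed assumptions, not anyone's production code.

```javascript
// Added example, not code from the question or any answer: a framework-free
// model of browser-side handling for a dispatch record that carries PHI/PII.
// Every name, field, timeout and value below is a constructed assumption.

// Constructed sample dispatch record (fictitious values).
const SAMPLE_DISPATCH = {
  incidentId: "INC-0001",                 // operational, shown in clear
  address: "100 Example St",              // needed immediately, shown in clear
  patientName: "Jane Example",            // PII/PHI, masked until tapped
  medicalNotes: "allergic to penicillin", // PHI, masked until tapped
};

// Fields treated as sensitive and masked by default.
const SENSITIVE_FIELDS = new Set(["patientName", "medicalNotes"]);

// Replace a value with bullets (capped at 8) so the responder can see that
// content exists without its being readable from across the cab.
function mask(value) {
  return "\u2022".repeat(Math.min(String(value).length, 8));
}

// Viewer state machine. `idleMs` is how long revealed fields stay visible
// without interaction before the view re-locks; `now` is injectable so the
// behaviour can be exercised without real time passing.
function createPhiViewer(record, { idleMs = 30000, now = () => Date.now() } = {}) {
  const revealed = new Set();
  let lastActivity = now();
  let locked = false;

  // Hide everything again; called on idle timeout, on visibilitychange /
  // pagehide, or when the responder taps "lock".
  function lock() {
    revealed.clear();
    locked = true;
  }

  return {
    // Responder deliberately asks to see one sensitive field.
    reveal(field) {
      if (locked || !SENSITIVE_FIELDS.has(field)) return false;
      revealed.add(field);
      lastActivity = now();
      return true;
    },
    lock,
    // Re-enable the view after a lock (in a real app, behind re-auth or a PIN).
    unlock() {
      locked = false;
      lastActivity = now();
    },
    // Periodic check (run from setInterval); returns true if it caused a lock.
    tick() {
      if (!locked && revealed.size > 0 && now() - lastActivity >= idleMs) {
        lock();
        return true;
      }
      return false;
    },
    isLocked() { return locked; },
    // What the UI renders: non-sensitive fields in clear, sensitive fields
    // masked unless explicitly revealed and the view is not locked.
    render() {
      const out = {};
      for (const [key, value] of Object.entries(record)) {
        const show = !SENSITIVE_FIELDS.has(key) || (revealed.has(key) && !locked);
        out[key] = show ? String(value) : mask(value);
      }
      return out;
    },
  };
}

// Headers the back end should send with any response carrying PHI so the
// browser and proxies keep nothing on disk and the referrer leaks nothing.
// Returned as a plain object so any server framework can apply them.
function phiResponseHeaders() {
  return {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
  };
}

// Page wiring (browser only; not run in this file):
//   const viewer = createPhiViewer(SAMPLE_DISPATCH, { idleMs: 30000 });
//   document.addEventListener("visibilitychange", () => { if (document.hidden) viewer.lock(); });
//   setInterval(() => viewer.tick(), 1000);
//   button.onclick = () => viewer.reveal("medicalNotes");
```

The point of the injectable clock and the plain-object renderer is that the masking and re-lock rules can be checked outside a browser; the same rules then drive whatever DOM or mobile view the dispatch page actually uses. Keeping PHI out of localStorage and the HTTP cache is what makes "taking the phone" a smaller problem than it would otherwise be.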

While I am not a lawyer, and you should certainly ask a lawyer this question, in my opinion, being passingly familiar with HIPAA from a previous job, I'd hazard this almost certainly falls under HIPAA's regulations for providers (i.e., the full package deal). If not, it almost definitely falls under the third party service providers. My previous job only had to worry about the third party service provider role, so I don't know much about what the details are for the full blown requirements.

AJ Henderson

We do a lot of product assessment with reference to the functionality of the product. We don't evaluate on a coding basis. We always ask the product architect and product manager to go through Certified HIPAA Privacy Security Expert (CHPSE) training so they have a clear understanding of the privacy and security rule, and then evaluate how the product meets the regulation requirements. Many times we have experienced that major design changes have to be done to ensure that the product meets the HIPAA requirements. As a business associate, you also have to ensure that the company is compliant with policy, procedures, disaster plan, etc.

Bob Mehta