Questions tagged [hipaa]

The US "Health Insurance Portability and Accountability Act" of 1996 (HIPAA) is Public Law 104-191, enacted on August 21, 1996.

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. To date, the implementation of HIPAA standards has increased the use of electronic data interchange. Provisions under the Affordable Care Act of 2010 will further these increases and include requirements to adopt: operating rules for each of the HIPAA covered transactions, a unique, standard Health Plan Identifier (HPID), a standard and operating rules for electronic funds transfer (EFT) and electronic remittance advice (RA) and claims attachments.

In addition, health plans will be required to certify their compliance. The Act provides for substantial penalties for failures to certify or comply with the new standards and operating rules.

106 questions
26
votes
9 answers

Can PHI be HIPAA compliant on a cloud?

I have read conflicting information on whether PHI can be stored and delivered on a cloud in a HIPAA compliant manner. I hear many people saying you cannot share infrastructure and be HIPAA compliant. What needs to be taken into consideration when…
William
25
votes
6 answers

Is it okay for our IT support contractor to remote in without authorization?

We are a healthcare IT company. My machine has PHI on it. Our IT contractor verbally asked if he could remote in to fix my printer so I said sure. I expected some sort of prompt to allow it but he was just in. Some form of VNC I guess. Is this…
THE JOATMON
24
votes
3 answers

What are best practices to adhering to HIPAA encryption requirements?

As HIPAA's language is somewhat vague when it comes to actual technical requirements, what are best practices for PHI encryption for HIPAA compliance? I've seen varying levels at different organizations. Some just encrypt it in transfer, some when…
John Straka
19
votes
3 answers

Do HIPAA Security Officers face personal liability for breaches?

The role of HIPAA Security Officer is very important in maintaining compliance. In smaller organizations, there's overlap in employees' roles, so the person that ends up as the HIPAA Security Officer may not have a whole lot of background in…
John Straka
17
votes
5 answers

Is Google Analytics HIPAA compliant? How can I find out?

I'd really like to implement Google Analytics at my work on web software that is required to be HIPAA compliant. But I'm wondering if it's against the rules. Does anyone know how I can find out? I've searched Google, but there isn't much there on…
Ben
14
votes
2 answers

Is encrypted email doctor/patient communication required by HIPAA, HITECH or Meaningful Use?

I want to point out, from the start, that I know all about the Direct Project and I am huge fan of work to provide easy-to-use standards based secure email for doctor-patient communication. I am not asking a "should" question here. I know…
ftrotter
14
votes
3 answers

What is a reasonable approach for deidentifying data?

I have been asked by a client to deidentify the PHI data in their database and I'm either over-simplifying the process or my client is overly paranoid. Perhaps you can tell me which is the case. This client's need for de-identification is two-fold.…
Darvis
11
votes
3 answers

Does marketing data trigger HIPAA Privacy?

If I was a marketing firm who provides an analysis on visitor statistics from anonymous members who then ties that in to a CRM to track conversions, what do I have to do to the data to ensure that those customers' information is handled properly…
Steve Buzonas
10
votes
2 answers

HIPAA compliance without PII

I have a web site where people fill in medical syndrome questionnaires. They can see how their condition changes during the time period. I am not storing ANY PII information, just user name. I can store it encrypted (if I have to). My question is – Do I…
AaronS
10
votes
4 answers

Proper implementation of HIPAA within iOS app with several factors

We are developing an iOS app that allows users to store/modify Protected Health Information (PHI) and the app needs to allow users to do so without an internet connection for large parts of the process. We will need to encrypt the data but are…
user72066
10
votes
2 answers

Is accession number+service (CPT code)+date of service considered PHI (protected health information) under HIPAA?

Imagine you are designing a system that's comprised of overdue worklists for doctors (e.g., Doctor X you have 3 overdue studies to look at). In the notification, you identify the studies they have to review by their accession number / CPT code /…
dr jimbob
10
votes
3 answers

What is the term to use when logging an event where a user downloads or prints PHI?

My application logs accesses to PHI. I need to add a log item for things like downloading and printing. Is there a general term that I can use to describe these events? I'm thinking something like "export" or "externalize". I want to represent that…
Freiheit
9
votes
1 answer

What solution is compliant with HIPAA for web-based electronic digital signatures?

I'm interested in having physicians digitally sign pdf documents we create, in a HIPAA-compliant manner. Ideally, there would be an open-source solution, but I'm also willing to consider a digital signing service such as EchoSign. Update: We've…
Jeff Bauer
9
votes
1 answer

Is downloading a PDF from a browser-based app locally a HIPAA issue?

Here's a scenario: An intranet CPOE application User runs a report, which downloads as a PDF and opens in Acrobat on the local PC User leaves the PC without logging out or closing Acrobat CPOE times out and auto-logs the user out The PDF with…
Martin Haluza
9
votes
4 answers

Is having theoretical access to PHI a HIPAA breach, even if no one accesses it?

This is an entirely hypothetical question. Let's say a clinic has a computer in their waiting room for checking email, surfing the web etc. while patients wait. Let's also assume whoever signed this up wasn't thinking, and this machine is just sitting…
Fomite