Questions tagged [hipaa]

The U.S. "Health Insurance Portability and Accountability Act" of 1996 (HIPAA) is Public Law 104-191, which was enacted on August 21, 1996.

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. To date, the implementation of HIPAA standards has increased the use of electronic data interchange. Provisions under the Affordable Care Act of 2010 will further these increases and include requirements to adopt: operating rules for each of the HIPAA covered transactions, a unique, standard Health Plan Identifier (HPID), a standard and operating rules for electronic funds transfer (EFT) and electronic remittance advice (RA) and claims attachments.

In addition, health plans will be required to certify their compliance. The Act provides for substantial penalties for failures to certify or comply with the new standards and operating rules.

106 questions
8 votes, 1 answer

Creating a "key server" (HIPAA compliance with AWS)

I'm a part of a small company that is going to be implementing HIPAA compliance. We will be seeking legal counsel, etc so anything heard here will not be taken as legal advice, etc. I just want to bounce some ideas off of you guys. The basic spirit…
Matt
8 votes, 4 answers

Is conveying patient MRN in a web service URL a HIPAA PHI violation?

I'm building a web service to access patient data within our EMR and would like to subscribe to RESTful design principles. However, the idea of including the patient MRN in a GET request makes me uneasy. I was thinking about just being…
Daniel Wilson
8 votes, 2 answers

Can a Patient's Name, Birth Date, and Study date be sent in a plain text email to a referring doc?

I participate in a mailing list where the following question was asked, without satisfactory feedback, and am interested in the correct answer. Several referring physicians have requested that an imaging center send them a list of patients that…
Steve Wranovsky
7 votes, 1 answer

What is legally required to store HIPAA data in the "cloud"?

I was looking into storing SQL DB backups of a healthcare system in the cloud in the event of a disaster to be HIPAA compliant. The solution I came up with was to use Cloudberry backups. What I would want to do is export the SQL DB on my local…
cutrightjm
7 votes, 1 answer

Is Google identity sign in product HIPAA compliant?

I want to use this product to save me a month of coding. Looking for a product that has: password expiration, a forgot-password system, lock after x wrong password attempts, valid password rules (min 8 characters etc.), edit users and permissions…
Ohad Perry
6 votes, 3 answers

HIPAA compliance in web forums?

If a website has a private forum (membership is not free) where people may ask health questions and paid Doctors are around to answer them, do normal HIPAA compliance rules apply? In any forum, people are aware (or at least, they ought to be aware)…
DarkTygur
6 votes, 2 answers

Can a physician website be on a non-HIPAA server?

I'm starting my first website for a doctor's office and I'm wondering if the website needs to be on a HIPAA compliant server, even if no patient health information is collected or stored on the server? There would be no storing or even collecting of…
Tom
6 votes, 3 answers

Telemedicine on Google+ Hangouts or Skype. Is it encrypted?

Would one be able to have a telemedicine conversation with a patient with google+ hangouts the way one can over a telephone? In other words does the security satisfy the HIPAA regulations that say private health information can only be transmitted…
Farrel
6 votes, 2 answers

Becoming HIPAA Compliant

What is required to become HIPAA Compliant? Do I need to take a test or do I just need to follow a certain set of guidelines? EDIT: Just to provide my background. I am a small IT Firm and we would like to expand into the medical field and work with…
Travis Thompson
6 votes, 3 answers

Are there guidelines for application design of HIPAA compliant browser applications?

This is a different twist - I'm pushing dispatch information to first responders, such as fire, police, and EMS. But they all could, potentially, include medical information and PII together. My goal is to make it easier for the first responder to…
appDeveloper
6 votes, 4 answers

Is there a standard method (or methods) for me to give someone else read-only access to my data?

Is there a standard method (or methods) for me to give someone else read-only access to my data? There are several situations where I may want to give a few people read-only access to some data, but I would rather not give those people my secret passwords…
David Cary
5 votes, 1 answer

Are internal patient identifiers considered PHI under HIPAA?

We use GUIDs internally to identify patients in our system. I'm having a debate with our regulatory people on whether these identifiers can be used in query strings to REST calls. They are claiming any patient identifier becomes PHI once exposed…
MvdD
5 votes, 1 answer

Multi Tenant Database - HIPAA

We are planning to develop an EHR/Billing Software and we are aware of HIPAA rules and regulations. Our current application architecture uses a shared database with all clients' (Provider/Practice) data. I would like to know if HIPAA recommends…
Arun Kumar
5 votes, 2 answers

Retention periods for web logs

I work for an ASP that provides banking solutions (Card Services, Payments, ACH, Online Banking, and others). Back Story: Our company provides an "all in one" solution or parts thereof; we are constrained by regulatory agencies. One of the issues that…
Leptonator
5 votes, 1 answer

HIPAA: How am I required to secure PHI database access creds on my web server?

Assuming I have a database of PHI that my web application needs to access, how am I required to secure the credentials on the webserver that the web application uses to access this database? Is storing a standard user/pass combo a HIPAA compliant…
Ben Dauphinee