Posted by Jerry Stuckle on 11/14/06 12:35
Mike wrote:
> Jerry,
>
> Thanks for the reply.
>
> I am, indeed in the US, and will check into HIPAA regs covering this.
> Neither I nor anyone connected with the site is a medical professional. These
> are visitors to my site, and not my clients. The forms are,
> essentially, self-help questionnaires. They define a challenge in
> their life, and use a structured process to make decisions about it.
> So no actual medical information is contained in the form. It could be
> something as simple as, "buy a blue car or a black one?", though other
> times it can be much more personal and private. I do have warnings
> prominently displayed reminding them that the data is stored on the
> internet and is not guaranteed. Regarding e-mailing the form to their
> therapist, they (and only they) can do that. My application simply
> does what they request, with an "are you sure" message to confirm.
> Still, you raise a good point, which I'll have to dig into a bit
> further.
>
Mike,
It doesn't matter if you are a medical professional or not. If you are
collecting personal medical information (which can include many
self-help questions), you are subject to HIPAA regulations. And when
you get to the point it gets "personal and private", you're almost
assuredly getting into this area. And the fact these may be emailed to
a therapist makes this even more critical.
It doesn't make any difference what warnings you have posted. HIPAA
regulations REQUIRE it be guaranteed. No exceptions.
For instance - your doctor cannot hand you a statement saying they don't
guarantee the confidentiality of your medical records. That level of
confidentiality is required by law. And only a signed statement from
you can allow that information to be released legally. And I highly
doubt an "I approve" button will pass HIPAA scrutiny.
You really need to get with an attorney familiar with HIPAA regulations
before going any further. Unless you wish to spend a few years as a
guest of the government.
> Jerry Stuckle wrote:
>
>>If you're in the United States, it could be even worse than that. HIPAA
>>regulations are quite strict on medical information, and a violation
>>(even an inadvertent one) can land both you and your client in jail for
>>a few years. At the least there would be a very large fine.
>>
>>About the only way you will be able to pass HIPAA regs would be to have
>>a physically secure server - meaning one locked in your client's office
>>or similar. Otherwise someone can get in there and access your programs
>>- which obviously have to have the key for encrypting/decrypting the
>>data someplace. Also, you would need to use SSL for all communications
>>with sensitive information, etc.
>>
>>Additionally, before medical information can be shared, even with a
>>therapist, you must have a signed authorization. This has to be on real
>>paper - a web form doesn't work.
>>
>>Right now this is a VERY touchy subject in the U.S.
>>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================