Do we need a strategy for these guidelines?


#1

I’m looking over the HIPAA technical safeguards, and I feel pretty good about our app’s strategy for most of them. There are 2 points that I don’t think apply to us, but I’m curious if anyone sees it differently. For context, the PHI our app will store is e-prescriptions.

  1. Emergency access procedure
    I don’t think an EAP is necessary because I can’t imagine an emergency that would require a prescription record. If it were necessary, though, the prescribing doctor, eRX vendor or pharmacy with it on file should be able to provide that. As a last resort, a developer could also retrieve the prescription info from the database.

  2. Mechanism to authenticate electronic protected health information
    Again, I don’t think this applies to our situation. There’s no interface for users to manipulate PHI. It’s a read-only API. Am I missing something that would require us to account for this guideline?


#2

Hi Sam, good questions!

  1. Regarding emergency access, just document in your procedures exactly what you said: What would we need to do to retrieve data if the database is down? Note any security precautions or requirements you’d want to follow in that case (an example might be how to securely transfer that data to a customer that needs it, via SFTP or GPG or something).

  2. HHS’s guidance on the technical safeguards is old (2007) but still applicable. They focus on whether integrity checks would help mitigate an applicable risk. I’d have to know more about your app and where your PHI comes from to make an informed recommendation.

- Chas
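To make the "integrity checks" Chas mentions concrete for a read-only e-prescription API, here is an added example (not code from either poster or from any product discussed): each stored record carries an HMAC-SHA256 tag computed under a key that lives outside the database, and the read path refuses to serve a record whose tag no longer matches. The key value, record fields and function names are all constructed for illustration; a real deployment would fetch the key from a secrets manager or KMS rather than from source.

```python
import hmac
import hashlib
import json

# Constructed placeholder key for the demo. Keep the real key out of the
# database so that someone who can edit rows cannot also re-sign them.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically (sorted keys, no whitespace) so the same
    content always produces the same bytes, and therefore the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 integrity tag to a record at write time."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "integrity_tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag over the stored record and compare in constant time.
    False means the record was altered after sealing, or the key is wrong."""
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("integrity_tag", ""))


def read_prescription(sealed: dict) -> dict:
    """Read path for the API: a record that fails its integrity check is not
    served. In production this failure would also be logged and alerted on."""
    if not verify(sealed):
        raise ValueError("integrity check failed: record altered or tag invalid")
    return sealed["record"]


# Constructed, fictional e-prescription used as sample input.
SAMPLE_RX = {
    "rx_id": "RX-0001",
    "patient_id": "P-12345",
    "drug": "Example Drug 10mg",
    "quantity": 30,
    "prescriber": "Dr. Example",
}

if __name__ == "__main__":
    stored = seal(SAMPLE_RX)
    print("valid record verifies:", verify(stored))
    altered = {"record": dict(stored["record"], quantity=90),
               "integrity_tag": stored["integrity_tag"]}
    print("altered record verifies:", verify(altered))
```

The point of the key living outside the database is that a direct database edit (by a compromised account or a stray migration) changes the record but cannot produce a matching tag, so the change is detected at read time rather than silently served to a pharmacy. Whether this mitigates an applicable risk in a given deployment is exactly the question Chas raises; the mechanism above is one way to answer it if the risk assessment says yes.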