Confluence Wiki users, we will be upgrading the wiki February 25th at 7PM. You can test the new version at https://qa.wiki.service.emory.edu. Please report any issues with the new version via ServiceNow.
Child pages
  • Emory Review Process for Vendor- or Partner-provided ESB, Web, or FHIR Services

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. If the mobile application collects, stores, or transmits personal health information for the personal use of the consumer and not for Emory people in their role as researcher, clinician, or support role, then HIPAA does not apply to the application.
  2. If such an application provides Emory researchers or clinicians access to the personal health information for the purposes of research or patient care, then HIPAA does apply to the application.
  3. All such applications that collect, store, or transmit personal health information must implement appropriate information security measures to protect personal health information, regardless of whether or not Emory's HIPAA compliance policies apply. 
  4. [Note: Brad Sanford and Steve Wheat should draft a list of the common security measures that apply to all such mobile applications and another list of the additional measures that would typically apply for applications subject to HIPAA compliance policies, so mobile app designers can plan for these measures in
    advance]

Step

...

4: Technical & Information Security Reviews

Emory Library and Information Technology (LITS) performs a high-level technical review of the application to determine if there is a need for any detailed security and compliance reviews of the application. For example, if the application collects and stores ePHI, credit card information, or other compliance related data, Emory IT will inform the sponsors of the application of relevant policies and any practices required by those policies. See the template for this cursory review. Once this cursory template is completed a technical review will be scheduled by Emory University or Emory Healthcare technical review team, depending on whether the application is considered and Emory University or Emory Healthcare application. Additional materials may be required, depending on the type of review specified. The organizer of the technical review team will contact application developers and help them prepare any additional materials.

If a security review is required, a meeting is scheduled with representatives of Emory Information Security to walk through a mobile app security checklist based on the security, compliance, and regulatory requirements that are relevant to the particular application.

Note that all consumption of publicly exposed ESB, Web, and FHIR services are potentially subject to additional security and auditing measures beyond internally distributed services. Projects should allow additional time for the implementation of any additional measures specified in the review of a publicly-exposed ESB, web, or FHIR service.

Subsequent App Update Submissions

...