HIPAAコンプライアンスチェッカー

入力

Practices

We are a telehealth startup. Patient video visits run through a third-party API, session notes are stored in a cloud Postgres database, and clinicians access records via a web app with email/password login. PHI is sometimes emailed to patients as PDFs. Backups are stored in cloud object storage. We have not yet signed BAAs with all vendors.

Entity Type

covered

Focus

full

出力（抜粋）

HIPAA Compliance Snapshot

Gaps flagged:
1. BAAs missing - Any vendor touching PHI (video API, cloud DB, object storage) requires a signed Business Associate Agreement. HIGH priority.
2. Authentication - Email/password alone is weak; enforce MFA for clinician access.
3. Emailing PHI - Unencrypted PDF emails risk an impermissible disclosure; use a secure patient portal or encrypted delivery.
4. Encryption - Confirm PHI is encrypted at rest and in transit.

Next step: Prioritize BAAs and MFA. This is informational, not legal advice.

入力

Practices

We are a medical billing company that processes claims on behalf of several clinics. We receive patient demographics, diagnosis codes, and insurance details via SFTP. Staff work remotely on company laptops. We have BAAs with our clinic clients but our staff sometimes use personal phones to check work email.

Entity Type

business_associate

Focus

security

出力（抜粋）

Security Rule Review (Business Associate)

Strengths: SFTP for transfers and client BAAs in place.

Risks:
1. Personal device use - Accessing PHI on unmanaged personal phones violates device controls; require MDM or restrict to company devices.
2. Remote endpoints - Ensure full-disk encryption and auto-lock on all laptops.
3. Access controls - Implement role-based access and audit logging for who views which records.
4. Recommend documented risk analysis and workforce security training.

入力

Practices

We run a small wellness coaching business that collects client health intake forms, including conditions and medications, stored in a shared cloud drive. We are not sure whether we count under HIPAA. Forms are sometimes printed and kept in an unlocked filing cabinet at the front desk.

Entity Type

unsure

Focus

privacy

出力（抜粋）

Privacy Review (Status Unclear)

First: HIPAA generally applies if you bill insurance electronically or act for a covered entity. If you only take cash and never transmit claims, you may fall outside HIPAA - but state privacy laws still apply.

Regardless of status, fix these:
1. Unlocked filing cabinet - Lock all paper records containing health info.
2. Shared cloud drive - Restrict access to named staff; avoid broad sharing links.
3. Add a clear privacy notice describing how client data is used.