Answering Listener Questions

A wide variety of questions have come in from listeners over the last few weeks. The list is so good we have a whole episode devoted just to answering listener questions. At least one of these, if not several, will likely apply to you.

HIPAA For MSPs by David Sims Answering Listener Questions

In this episode:

Answering Listener Questions

Speaking Engagements

HIPAA when traveling overseas

Keeping a list of usernames and passwords


Patient consent for sharing photos

Can we use Chromebooks under HIPAA?

Are you going to do an online version of The HIPAA Boot Camp?

Listener survey question

International “HIPAA” compliance… With family and caregivers being more remote and in other countries, how does HIPAA apply when the patient is in the US and in other countries?


Karen asks

A question about keeping a list of computer user names and passwords for the staff (not to the EHR or any application).

The old Office Manager did this and her excuse was it was the practice’s computers and she needed a list of all user names and passwords for all equipment the practice owned so she could get into systems if she needed to. The replacement manager feels this is incorrect. What does HIPAA say about this? What is reasonable and appropriate?

What would happen if an employee left suddenly? Could their IT company get “into” the computer and access their files with system admin access? What is recommended about this?


John Dubinsky Maven Group, Speakpipe message

Hi Double D’s – VOIP cloud hosted and internet faxing – HIPAA use of these services with compliance via a Speakpipe message


Amy’s email question

After a consent is obtained, are we allowed to take pictures of patients and their beautiful babies with our phones? If so, can we email it to each other without their names or any other PHI listed?


Thank you for the question and for listening to the Help Me With HIPAA podcast.

You certainly have step #1 correct. You must have a signed consent from patients describing what you plan to do with their patient data, in your case, photos. The waiver should spell out what your practice wants to do with these images and how they will be handled. This is not a specific element of compliance but more of a good idea, legally.

Even if a patient signs a privacy waiver and gives you permission to take and use their photo, or that of their baby, your practice should still be very diligent in protecting that data as much as you can.

I would suggest that there are much more secure ways to do this. If you were my client I would suggest having specific devices (phones, iPads, etc.) that are used for this and not allow employees to use their own devices. Second, I would encrypt these devices. Most have encryption capabilities built in; they just need to be set up. Third, I would connect these devices to an online storage service, like Google Drive, Dropbox, Sharefile, etc. Then you can use these designated devices to snap the photos and then upload them directly to the online storage service. This will keep everything out of email.

You didn’t mention what you plan to do with these images once you have them. If you plan to use them on social media, you’ll need to include this in your consent / waiver form. If you’ve stored the images in, let’s say, Google Drive, you will be able to easily use the images in your social media posts.

In short, get a signed consent… protect the data EVEN though you have consent… use a method that maintains good security practices… and always be mindful that you’ve been entrusted with something very important.


Is it ok to use them?


The good news is that we get a lot of great listener questions.