Ely, Counselor at Law
Category: Legal
Satisfied Customers: 99983
Experience:  Private practice with focus on family, criminal, PI, consumer protection, and business consultation.

We have a medical app that allows users to request in-home

Customer Question

Hello,
We have a medical app that allows users to request in-home and virtual professionals on demand.
I came across a HIPAA issue related to our app and I wanted to see if I could get an opinion on it. It’s regarding the requirement to have automatic logout (https://www.hipaa.com/access-control-automatic-logoff-what-to-do-and-how-to-do-it/).
Since our app will have some medical information under the profile of the user, I’m wondering if automatic logout after a set time is required in our case. We would like to avoid that obviously and I noticed several similar apps don’t have it. If it is a requirement, can this “password *****” only apply to the profile where personal information is stored, or would it have to apply to the entire app (i.e. ideally, we’d like the user to still be able to put in a request for an appointment through our main menu without there being an auto-sign out, since personal information can’t be accessed there). The other consideration is whether this requirement would change if the device that’s using the app stays at home (the link above mentions that the location/traffic around the device matters).
It would be amazing if I could get an answer for this here!
Thank you!!
Submitted: 11 months ago.
Category: Legal
Expert:  Ely replied 11 months ago.

Hello and welcome to JustAnswer. Please note: This is general information for educational purposes only and is not legal advice. No specific course of action is proposed herein, and no attorney-client relationship or privilege is formed by speaking to an expert on this site. By continuing, you confirm that you understand and agree to these terms.

I’m wondering if automatic logout after a set time is required in our case.

HIPAA's security rule is subjective and it provides guidelines, but not specifications for most situations. There is no hard rule on what one is to do in such a situation. One is expected to follow the guidelines but what is to be done is up to the company. See HERE. Suffice to say, the less information the app holds on the user, the better. Also, a password ***** ***** mandatory, but is highly recommended. Not having a password ***** invites theft of information and misuse by people, which can culminate in a lawsuit under "negligence per se" and other actions.

The other consideration is whether this requirement would change if the device that’s using the app stays at home (the link above mentions that the location/traffic around the device matters).

No, it does not. The answer applies "as is" regardless.

Good luck.

I hope this helps and clarifies. Please use the SEND or REPLY button to keep chatting, or please RATE when finished. You may always ask follow ups at no charge after rating. Kindly rate my answer as one of TOP THREE FACES/STARS and then SUBMIT, as this is how experts get credit for our time. Rating my answer the bottom two faces/stars (or failing to submit the rating) does not give me credit and reflects poorly on me, even if my answer is correct. I work very hard to formulate an informative and honest answer for you; please reciprocate my good faith with a positive rating.
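As an added illustration (not part of the question or of Ely's reply), here is one way to scope an idle-time lock to the screens that expose medical information while the main menu and appointment request stay usable, which is the split the asker describes. The idle limit, screen names, session fields and record layout are assumptions made for this example.

```python
from dataclasses import dataclass

# Assumed policy value (not from the page): seconds of inactivity after which
# screens that expose medical information lock until the password is re-entered.
PHI_IDLE_LIMIT = 300

# Assumed screen map: only the profile exposes protected health information (PHI).
SCREEN_TIERS = {
    "main_menu": "general",
    "request_appointment": "general",
    "profile_medical": "phi",
}


class PhiLocked(Exception):
    """Raised when medical data is requested while the PHI tier is locked."""


@dataclass
class Session:
    user_id: str
    last_activity: float       # timestamp (seconds) of the last user interaction
    phi_unlocked: bool = True  # becomes False once the idle limit has elapsed


def open_screen(session: Session, screen: str, now: float) -> bool:
    """Return True if the screen may be shown. General screens never sign the
    user out; PHI screens lock once idle time reaches PHI_IDLE_LIMIT, and the
    lock persists until unlock_phi() succeeds, even if the user is active again."""
    if now - session.last_activity >= PHI_IDLE_LIMIT:
        session.phi_unlocked = False
    session.last_activity = now
    if SCREEN_TIERS[screen] == "phi" and not session.phi_unlocked:
        return False
    return True


def unlock_phi(session: Session, password_ok: bool, now: float) -> bool:
    """Re-authenticate the PHI tier; password_ok is the password verifier's verdict."""
    if password_ok:
        session.phi_unlocked = True
        session.last_activity = now
    return session.phi_unlocked


def read_medical_profile(session: Session, records: dict, now: float) -> dict:
    """Every read of medical data goes through the same gate as the UI, so a
    background refresh cannot bypass the lock."""
    if not open_screen(session, "profile_medical", now):
        raise PhiLocked("re-enter password to view medical information")
    return records[session.user_id]
```

The lock is keyed to inactivity only; the asker's point about where the device sits is not modelled, consistent with the reply that the answer does not change with location.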