I was wondering if Time2Track is possibly not HIPAA compliant? While I would think it has to be, and training programs have either paid for it outright or encouraged its use, from a look at government documentation online (http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html), it seems that it may not meet deidentification policy for date of service data (criteria pasted below from website):
It seems like Time2Track would be considered a "business associate" under HIPAA parlance, and I have no recollection of seeing anything on their site meeting the governmental standard (pasted from the aforementioned site):(C) All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
While I recognize this is a fair bit paranoid, I did have some concern before using the service, and thought I would put this out there.Business Associate Contracts. A covered entitys contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must: Describe the permitted and required uses of protected health information by the business associate; Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).