Who is responsible for HiPAA compliance when a non-profit that is not a medical entity provides a site and equipment for licensed therapists to work with participants under a grant?
Can participants first names be publicly posted on a schedule stating "Clinic"?
We are a covered entity and we lease space from a non-profit, non-medical organization (we provide physical therapy services). We, as the covered entity, are responsible for HIPAA compliance, not the non-medical organization. I always err on the side of caution.
My first question would be, "Why would you want to publicly post a schedule (what function would it serve)?" My second question would then be, "Is there another way to accomplish this function?"
This includes providers such as:
...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.