Thanks so much for your reply.
I have spent a few hours reading over the details of the entire HIPAA Law. And I agree with you, it boils down to "reasonable effort to protect privacy of patients' medical records and billing/account history". That's it in a nutshell.
But I, we, need more specifics. For example, email communication that contains PHI must be encrypted. But what encryption is acceptable? BinHex (pretty doubtful)? MD5? SHA-1? PGP/GPG? There is no definitive answer.
My compliance issues will be very simple. We are doing medical surveys that will ask health related questions. My client will then use this data to contact the person with more detailed questions.
Problem #1: How to send the client PHI.
I was planning on using GPG (GnuPG) to encrypt the body of an email message that contains the patient information. They basically want the information from the website as it is created. Should be fairly straightforward from a Rails perspective, but I'm just not sure that GPG is a secure enough form of encryption for compliance. But you know how large corporations (my client) are suspicious of anything open source or free.
Problem #2: Security of the Rails App.
I'll admit that tight security of Rails apps is out of my scope of experience, but there is quite a bit of info out there on how to secure RoR apps. Plus, I can eliminate one issue right up front... the app will have NO login capability, no accounts. It's simply collecting information and forwarding it on.
Problem #3: DB Files and Their Security.
I'm planning on using MySQL for the app's backend. I have not seen anything that allows the binary file that resides on the server to be encrypted. Or have I missed something? But let's go with a standard InnoDB table format... if someone were to get hold of those binary data files, they could easily extract the data. But even more troubling, my site host will be backing up those binary files, and what sort of measures are they taking to ensure that the backup disks/tapes are secure? This has me a bit nervous.
For example, my doctor's small office uses a PMS (patient management system). You know as well as I that with a key disk and a couple of minutes someone could walk over to the server and copy all the data files. And those files are not encrypted. What about the CDs they use for backups? Do they just toss them in the trash after a week or two, or leave them out on the receptionist's desk? I'm sure the database files are not encrypted, nor are the backups.
Of course I could easily MD5 all the PHI in the database and not worry about it. But that makes me nervous about performance as the site scales. Is this overkill, or are most/all HIPAA-compliant data storage mediums encrypted?
It seems that most HIPAA compliance 'experts' focus on the authentication, authorization, and transmission aspects, but do very little to address backend issues.
And the part that amuses me the most is all the HIPAA Compliance Consultants. Now, they have answers for you... but every one of them has a different answer based on the products they are selling.
I hope this starts a good discussion, because I don't have the answers and frankly, haven't been able to find much either.
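Since Problem #3 is really about what an attacker holding the raw InnoDB files or a backup tape can read, here is an added example (not code from the original post or from any product mentioned in this thread) of application-level field encryption in plain Ruby, the kind of thing a Rails app can do before a row ever reaches MySQL. It uses AES-256-GCM from the standard `openssl` library: each PHI field is encrypted under a key that lives outside the database (a KMS or an environment variable readable only by the app user), with a fresh random nonce per value and an authentication tag so that a modified blob is detected instead of silently decrypted. Because the client must later read the survey answers, the storage scheme has to be reversible; alongside it the example shows where a one-way value does fit: a keyed HMAC as a lookup token lets the app find "the row for this email address" without storing the address in the clear. The `PhiCrypto` module name, the field names and the sample survey response are all constructed for illustration.

```ruby
require 'openssl'
require 'json'

# Hypothetical helper (not from the thread): reversible encryption for PHI
# fields stored in MySQL, plus keyed lookup tokens for equality searches.
module PhiCrypto
  CIPHER = 'aes-256-gcm'
  AAD = 'survey-phi-v1'   # bound into the tag; a blob moved to another column fails

  # The key must never be stored next to the data it protects. In production
  # it would come from a KMS or an environment variable, not the DB or the repo.
  def self.generate_key
    OpenSSL::Cipher.new(CIPHER).random_key
  end

  # Encrypt one field. Returns a JSON string with base64 nonce, ciphertext and
  # tag, which is what actually gets written to the database column.
  def self.encrypt(plaintext, key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv              # fresh 12-byte nonce for every value
    cipher.auth_data = AAD
    ct = cipher.update(plaintext) + cipher.final
    JSON.generate(iv: [iv].pack('m0'), ct: [ct].pack('m0'),
                  tag: [cipher.auth_tag].pack('m0'))
  end

  # Decrypt one field. Returns nil on a wrong key or a tampered blob instead of
  # returning garbage, so callers cannot mistake corrupted data for PHI.
  def self.decrypt(blob, key)
    parts = JSON.parse(blob)
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = parts['iv'].unpack1('m0')
    cipher.auth_tag = parts['tag'].unpack1('m0')
    cipher.auth_data = AAD
    cipher.update(parts['ct'].unpack1('m0')) + cipher.final
  rescue OpenSSL::Cipher::CipherError, JSON::ParserError
    nil
  end

  # Deterministic, keyed, one-way token for equality lookups (e.g. "has this
  # email already answered?"). Not reversible, so it cannot replace encrypt.
  def self.lookup_token(value, key)
    OpenSSL::HMAC.hexdigest('SHA256', key, value.strip.downcase)
  end

  # Encrypt every field of a survey response; the result is what a Rails
  # model's before_save would hand to MySQL.
  def self.encrypt_record(fields, key)
    row = fields.transform_values { |v| encrypt(v.to_s, key) }
    row[:email_token] = lookup_token(fields[:email], key)
    row
  end

  def self.decrypt_record(row, key)
    row.reject { |k, _| k == :email_token }
       .transform_values { |blob| decrypt(blob, key) }
  end
end

if __FILE__ == $PROGRAM_NAME
  key = PhiCrypto.generate_key
  # Constructed sample survey response, not real patient data.
  response = { email: 'Jane.Doe@example.com', condition: 'asthma',
               medication: 'albuterol' }
  stored = PhiCrypto.encrypt_record(response, key)
  puts "Stored row (what a stolen ibd file or backup tape would reveal):"
  stored.each { |k, v| puts "  #{k}: #{v[0, 60]}..." }
  puts "Decrypted with the app key: #{PhiCrypto.decrypt_record(stored, key)}"
end
```

The cost of this design is that the database can no longer sort or search the encrypted columns, which is why the lookup token exists for the one equality check the app needs; anything the client must filter on has to be decided up front. It does not remove the need for the host's backups to be handled properly, but it changes what a leaked backup contains from patient answers to opaque blobs that are useless without the key kept elsewhere.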