Securing App to HIPAA Security Rules

Thanks so much for your reply.

I have spent a few hours reading over the details of the entire HIPAA Law. And I agree with you, it boils down to "reasonable effort to protect privacy of patients medical records and billing/account history". That's it in a nutshell.

But I, we, need more specifics. For example, email communication that contains PHI must be encrypted. But what encryption is acceptable? BinHex (pretty doubtful)? MD5? SHA-1? PGP/GPG? There is no definitive answer.

My compliance issues will be very simple. We are doing medical surveys that will ask health related questions. My client will then use this data to contact the person with more detailed questions.

Problem #1: How to send the client PHI.
I was planning on using GPG (GnuPG) to encrypt the body of an email message that contains the patient information. They basically want the information from the website as it is created. Should be fairly straightforward from a Rails perspective, but I'm just not sure that GPG is a secure enough form of encryption for compliance. But you know how large corporations (my client) are suspicious of anything open source or free.

Problem #2: Security of the Rails App.
I'll admit that tight security of Rails apps is out of my scope of experience, but there is quite a bit of info out there on how to secure RoR apps. Plus, I can eliminate one issue right up front... the app will have NO login capability, no accounts. It's simply collecting information and forwarding it on.

Problem #3: Db files and Their Security.
I'm planning on using MySQL for the app's backend. I have not seen anything that allows the binary file that resides on the server to be encrypted. Or have I missed something? But lets go with a standard InnoDB table format... if someone were to get a hold of those binary data files, they could easily extract the data. But even more troubling, my site host will be backing up those binary files and what sort of measures are they taking to ensure that the backup disks/tapes are secure. This has me a bit nervous.

For example, my doctor's small office uses a PMS (patient management system). You know as well as I that with a key disk and a couple of minutes someone could walk over to the sever and copy all the data files. And those files are not encrypted. What about the CDs they use for backups? Do they just toss them in the trash after a week or two, or leave them out on the receptionists desk? I'm sure the database files are not encrypted, nor are the backups.

Of course I could easily MD5 all the PHI in the database and not worry about it. But that makes me nervous about performance as the site scales. Is this overkill, or most/all HIPAA compliant data storage mediums encrypted?

It seems that most HIPAA compliance 'experts' focus on the authentication, authorization, and transmission aspects, but do very little to address backend issues.

And the part that amuses me the most, are all the HIPAA Compliance Consultants. Now, they have answers for you... but every one of them has a different answer based on the products they are selling

I hope this starts a good discussion, because I don't have the answers and frankly, haven't been able to find much either.

Karl

We are also working with a rails app that does medical surveys and while there are no spelled out rules technical rules as you have both pointed out, I can say that security is paramount.

If you are collecting personal information from participants then you up the anti even more. Speaking from within a health system, HIPAA is taken as paramount and 'reasonable' I would claim to be a misnomer - you really need to do everything as securely as you possibly can conceive to do so - because the reality is even if you make a 'reasonable' effort and the information somehow gets out the fall out won't be pretty.

If you are doing surveys then most often those will have to pass an Internal Revue Board (IRB) which can be the bane of a researchers existence. It may be worth contacting that board (though you may not need to give them exact details) and finding out what their internal requirements are - they can vary on the technical side. Often we are required to run our surveys/databases of an internal server when we are storing patient information for example. Sometimes this is avoidable by documenting what encryption/security you have in place.

Regarding email, many health systems have encrypted internal email. Speaking with their IT department may allow you to access that system securely to send the information.

Bump.

Any new info on this?

My team is trucking along with our project, the current work is all in the back end so we have a chance to focus on things like HIPAA instead of what shade of mauve the marketing team wants the logo to be.

Free trial HIPAA email accounts are available at http://securemedical.net

Child labor laws have no standing in buy wow accounts Azeroth, so Louis of ugg boots on Wyrmrest Accord saw no problem with having UGG ブーツ 通販 his squire do all of his fetching, lifting, and trudging through swamps looking for rare herbs for him. Until the squires wow accounts formed a union, that is. "One part Baby Spice, three wow account kaufen parts Papa Hummel's Old-Fashioned Pet Biscuits, three angry Argent Squires, one frightened warr... <squashed under the biggest boot you've ever seen aion gold kaufen," wrote Louis.Do you have any unusual, beautiful or interesting aion power leveling images that are just collecting dust in your screenshots wow accounts for sale folder? We'd love to see them on Around Azeroth! Sharing your screenshot is as simple as e-mailing bijoux tiffany with a copy of your shot and a brief explanation of the scene. You could be featured here next!