科技回声 (Tech Echo): a tech news platform built on Next.js, providing global tech news and discussion content.
© 2025 科技回声. All rights reserved.

Ask HN: How do you store patient information? (HIPAA Compliance)

8 points, by vital101, about 15 years ago
I've recently been charged with the task of figuring out how to store the medical information of patients. A client of ours is having us create online patient referral forms, and the data needs to be stored online for viewing by authorized office personnel and doctors.

I know that information privacy is important, and I also know that if something messes up, I can be held personally responsible for it. That being said, how do you transmit and store data in a HIPAA compliant manner? What are some good resources on the subject?

Our development environment is PHP + MySQL if that helps at all.

9 comments

olefoo, about 15 years ago
See the comments about Schneier's new book: http://news.ycombinator.com/item?id=1113641

Given that you are using a tool stack that, well, has historically had a large number of security issues and that is difficult to get clarity on, be cautious.

It is possible to build capable and relatively secure systems using PHP, but it takes a correspondingly greater effort to do so. You will want to pay special attention to the global PHP settings (if you turn on register_globals even in development you deserve to get sued for malpractice) and you will want to understand the different layers of encryption that support your application. You also need to engineer your application's workflow with an eye towards separating out different kinds of access. A patient filling out a form should not be able to access any other patient records. A doctor or clinical assistant should be able to view only those records their role requires; any patient record access should be recorded in an audit log that is not accessible to any user directly.

Also, drop MySQL for Postgres; PHP support for Postgres is very good and Postgres supports in-database public key encryption, which you will want.
Comment #1164203 not loaded
tom_b, about 15 years ago
HTTPS. Firewall that prevents outside network access to servers with HIPAA data. Encryption of data in the db (e.g., don't store plaintext social security numbers in a table). All backups are encrypted. Files with PII (patient identifying information) are encrypted. Data access strictly limited to a small set of people.

Now that I've blown a bunch of stuff at you, I'll say that my experience is that most of HIPAA (and IRB study stuff, even stricter) is about defining and implementing a coherent policy to minimize risk. It is a colossal pain. Where I work, we do medical research and integrate with actual clinical data collected from the hospital. It's not uncommon to find clinical staff keeping Excel or Word docs full of patient data on non-secured systems. Minimize the places where you get data from people so that you don't have to be accountable for those things; in other words, try not to have people emailing you Excel sheets in the clear. We're putting HTTPS web apps in front of people to load data that way (parsing files on the fly) and not storing the files at all; during the parsing, we'll put the data into our backend and encrypt that data in our Oracle db. We're wrangling with key management right now: we want to load data automatically, but to not store keys in the db or on the OS in a way that would be easily accessed if the db server was literally loaded onto a truck and taken away.

I'm not a MySQL experienced person, but I'm sure it probably has something similar. You're right to be cautious. I've seen estimates that notifying people when data is leaked and handling the cleanup (providing credit monitoring, etc.) is huge, $3K to $5K per client.
Comment #1164271 not loaded
somecanuck, about 15 years ago
I am a programmer/analyst in a hospital. I administer several systems and have my hands in most of the databases. Outside of work, I consult and write healthcare software.

You store it the same as you would any sensitive information: behind a locked door with a ridiculous amount of audit data. It's more about identifying improper access (nurse A looking at patient B when she's not in his "circle of care") than it is about preventing it, for legitimate users of course.

You do not need to encrypt the contents of the database or any such extreme measures.

Something else to remember is that there is no bulletproof "HIPAA-Compliant" stamp. It's more a set of guidelines and best practices that you're trying to follow. Most vendors do not provide a row-by-row audit table for every single action, for example, but they should.
Comment #1165308 not loaded
contagionhealth, about 15 years ago
HIPAA compliance is no joke.

Take a look at documentation provided by the Joint Commission (JCAHO), which certifies hospitals, and CCHIT for generalized standards (no one ring to bind them all in terms of compliance for software), also HIPAA.org.

You may want to review the CMS HIPAA checklist (http://www.cms.gov/hipaa/).

As a best practice, I've seen basic "PHI" or personal health information (identifying info like name, birthday, sex, SSN) encrypted, but this is not 'required.' Some programmers/sites go further and encrypt everything, as stated by others below.

Careful with the email transmission; various legal concerns (and some regulatory standard interpretations) mean most 'sites' keep this info on LANs or HISs or perhaps on web hosted sites.

Take a look at Kaiser's KPConnect PHR portal, which is powered by Epic, as an example. You can dig up plenty of stuff about that system on Google.

Generic presentation of concerns, but worth a quick skimming: http://npag.org/NPAG_images/NPAG%20Health%20IT%20Prez-Kennedy%20%5BCxompatibility%20Mode%5D(1).pdf

For nifty open source stuff, check out popHealth (by Mitre), OMHE (for mobile) and hData (XML).

http://code.google.com/p/omhe/

http://www.projecthdata.org/

http://projectpophealth.org/
patrickgzill, about 15 years ago
You might want to look into data blinding, stronger/stricter permissions, and even audit tables (if data changes, insert a duplicate of the row into a separate audit table).

However, as long as you have it internally set up (not on the Internet) and make encrypted backups (so stolen backups are worthless), your risk will be much less.
Comment #1164274 not loaded
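The access separation olefoo describes (a patient sees only their own form, a doctor only the records their role requires, an audit log no user can touch directly), somecanuck's row-by-row record of who looked at what, and patrickgzill's copy-the-old-row audit table can be shown together in one small program. The example below is added here for illustration and is not code from anyone in the thread. It uses Python's bundled sqlite3 module instead of the poster's PHP + MySQL so that it runs with no setup; the three roles (patient, doctor, staff), the actor naming scheme ("patient:<id>", "dr:<name>", "staff:<name>") and the sample patients are all assumptions made up for the demonstration.

```python
# Added example, not from the thread: least-privilege record access plus an
# append-only audit trail, on the stdlib sqlite3 module so it runs anywhere.
# Roles, actor names ("patient:<id>", "dr:<name>", "staff:<name>") and sample
# patients are assumptions made up for the demonstration.
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT NOT NULL, referring_doctor TEXT NOT NULL);
-- Every attempted read or change lands here, allowed or denied.
CREATE TABLE access_log (id INTEGER PRIMARY KEY, ts TEXT NOT NULL, actor TEXT NOT NULL,
    role TEXT NOT NULL, action TEXT NOT NULL, patient_id INTEGER, outcome TEXT NOT NULL);
-- Old versions of a row, copied by the database itself before any UPDATE.
CREATE TABLE patients_history (patient_id INTEGER, name TEXT, referring_doctor TEXT, replaced_at TEXT NOT NULL);
CREATE TRIGGER patients_keep_old BEFORE UPDATE ON patients BEGIN
    INSERT INTO patients_history VALUES (OLD.id, OLD.name, OLD.referring_doctor, strftime('%Y-%m-%dT%H:%M:%SZ', 'now'));
END;
-- The trail is append-only even if the application code is buggy or compromised.
CREATE TRIGGER access_log_no_update BEFORE UPDATE ON access_log BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
CREATE TRIGGER access_log_no_delete BEFORE DELETE ON access_log BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
"""


class PatientStore:
    def __init__(self, conn):
        self.conn = conn
        self.conn.executescript(SCHEMA)

    def _log(self, actor, role, action, patient_id, outcome):
        self.conn.execute(
            "INSERT INTO access_log (ts, actor, role, action, patient_id, outcome) VALUES (?, ?, ?, ?, ?, ?)",
            (datetime.now(timezone.utc).isoformat(), actor, role, action, patient_id, outcome))

    @staticmethod
    def _may_view(actor, role, row):
        patient_id, _name, referring_doctor = row
        if role == "patient":  # a patient sees only their own record
            return actor == f"patient:{patient_id}"
        if role == "doctor":   # a doctor sees only referrals addressed to them
            return actor == referring_doctor
        return role == "staff"  # intake desk sees all (assumed policy); unknown roles see nothing

    def add_patient(self, actor, role, name, referring_doctor):
        if role != "staff":
            self._log(actor, role, "create", None, "denied")
            return None
        cur = self.conn.execute("INSERT INTO patients (name, referring_doctor) VALUES (?, ?)",
                                (name, referring_doctor))
        self._log(actor, role, "create", cur.lastrowid, "ok")
        return cur.lastrowid

    def view(self, actor, role, patient_id):
        row = self.conn.execute("SELECT id, name, referring_doctor FROM patients WHERE id = ?",
                                (patient_id,)).fetchone()
        if row is None or not self._may_view(actor, role, row):
            # Same answer for "no such record" and "not yours": no enumeration oracle.
            self._log(actor, role, "view", patient_id, "denied")
            return None
        self._log(actor, role, "view", patient_id, "ok")
        return {"id": row[0], "name": row[1], "referring_doctor": row[2]}

    def reassign(self, actor, role, patient_id, new_doctor):
        if role != "staff":
            self._log(actor, role, "update", patient_id, "denied")
            return False
        self.conn.execute("UPDATE patients SET referring_doctor = ? WHERE id = ?", (new_doctor, patient_id))
        self._log(actor, role, "update", patient_id, "ok")
        return True

    # Reviewer-only readers: in production these run under a separate database role;
    # the application's own role can INSERT into access_log but never read or change it.
    def history(self, patient_id):
        return self.conn.execute("SELECT name, referring_doctor, replaced_at FROM patients_history "
                                 "WHERE patient_id = ?", (patient_id,)).fetchall()

    def audit_entries(self):
        return self.conn.execute("SELECT actor, role, action, patient_id, outcome FROM access_log "
                                 "ORDER BY id").fetchall()

    def tamper_attempt(self):
        # Try to erase the trail; True means the database refused.
        try:
            self.conn.execute("DELETE FROM access_log")
        except sqlite3.DatabaseError:
            return True
        return False


def demo():
    """Constructed sample run with made-up patients; returns outcomes for checking."""
    store = PatientStore(sqlite3.connect(":memory:"))
    jane = store.add_patient("staff:intake", "staff", "Jane Doe", "dr:smith")
    john = store.add_patient("staff:intake", "staff", "John Roe", "dr:jones")
    return {
        "patient_sees_self": store.view(f"patient:{jane}", "patient", jane) is not None,
        "patient_sees_other": store.view(f"patient:{jane}", "patient", john) is not None,
        "doctor_sees_own_referral": store.view("dr:smith", "doctor", jane) is not None,
        "doctor_sees_other_referral": store.view("dr:smith", "doctor", john) is not None,
        "patient_cannot_reassign": store.reassign(f"patient:{john}", "patient", john, "dr:smith"),
        "staff_reassigned": store.reassign("staff:intake", "staff", john, "dr:smith"),
        "history_rows": len(store.history(john)),
        "denied_events": sum(1 for e in store.audit_entries() if e[4] == "denied"),
        "log_is_append_only": store.tamper_attempt(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points carry over to MySQL or Postgres unchanged: the denied attempts are logged with the same care as the successful ones, because that is the evidence somecanuck says you actually need when a legitimate user looks at the wrong chart, and the "not accessible to any user directly" property is enforced by the database (triggers here; in a real deployment also by connecting the application as a database role granted INSERT on the log table and nothing else) rather than by trusting application code to behave.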
scifarelli, about 15 years ago
I have a degree in Medical Record Administration and one of my past positions was Manager of Medical Records and Privacy Officer for a hospital. The Office of Civil Rights enforces the HIPAA Privacy and Security Rules. You can check out their HIPAA website at http://www.hhs.gov/ocr/privacy/ You can also review the Security Rule, which sets forth guidelines for protecting electronic data. This can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html (click on "Security Rule Standards - Final Rule" under Security Rule History). It's a pain to read because it's written by the government, but it may have the info you need.
vital101, about 15 years ago
As a sub-topic, if I were to catch some form data, write it to a file, compress and encrypt the file (password/key protected) and then email it to a health provider, is that a viable alternative to actually storing information?

Of course, the temporary files would be deleted immediately.
scifarelli, about 15 years ago
You can also find sample security rule compliance policies that different organizations have created. For example, University of California has theirs at http://www.universityofcalifornia.edu/hipaa/docs/security_guidelines.pdf
subud, about 15 years ago
You might want to look at some open source software like OpenClinica: http://www.openclinica.org/page.php?pid=97