Topic awaiting preservation: HIPAA Issue Storing Data $Pages that link to <a href="https://ozoneasylum.com/backlink?for=26804" title="Pages that link to Topic awaiting preservation: HIPAA Issue Storing Data" rel="nofollow" >Topic awaiting preservation: HIPAA Issue Storing Data\$

Author	Thread
WarMage Maniac (V) Mad Scientist From: Rochester, New York, USA Insane since: May 2000	posted 10-06-2005 23:34 Does anyone have knowledge about storing medical data in the US? I am thinking of providing a service of storing medical data, in an encrypted format. The client would send me information, I would store that information, create backups, and they could request their data and decrypt it. Are there any special issues I would need to watch out for? Is this even allowed? Dan @ Code Town
CPrompt Maniac (V) Inmate From: there...no..there..... Insane since: May 2001	posted 10-07-2005 02:47 is what allowed? To store the data? Sure. There is a company that is close to where I live that does this kind of thing. Pretty nifty system really. We sell some software that can be tailored to the needs of HIPAA pretty well. There really isn't much in the way on what they want as far as the stored data. Just that it has to be behind a firewall, if it is going to be accessed via the web then it has to be done via a VPN. I might be able to pull some documentation on what the HIPAA requirements are for stored data off site if it would help. A client of ours might have some or a google search should pull some good stuff too. One thing that has to be done with the software for view is this : quote: Software must be sufficiently ?intelligent? that its display of information may be based on the user or the terminal location. I know this is one of the MAJOR things they require for the software. and then there is this: quote: If the database is hosted outside the clinical practice or institution, the host site must be HIPAA compliant and a business associate agreement must be completed to extend responsibility for availability, security and safety of database to the hosting site. Later, C:\ (Edited by CPrompt on 10-07-2005 02:54)
WarMage Maniac (V) Mad Scientist From: Rochester, New York, USA Insane since: May 2000	posted 10-07-2005 16:31 For a web base application would you need to use ssl? or is this not enough? For a little more information. I have an RMS that is a swing application that would be installed at the client site. Just a simple records tracking system. I did not have to worry about the data because the clients would control all of that on a DB local to their PC. I want to make this a hosted application, HTTP application, and I am not sure what kinds of issues I can run into. All of my googling has got me is a bunch of solutions that offer hipaa compliance, but not all that much information on the specifics. I have spoken with some people in the industry, and they tell me that even the people totally versed on hipaa don't understand a lot of it. Dan @ Code Town
CPrompt Maniac (V) Inmate From: there...no..there..... Insane since: May 2001	posted 10-07-2005 21:38 quote: I have spoken with some people in the industry, and they tell me that even the people totally versed on hipaa don't understand a lot of it. Yeah...that is what you are going to run into I am afraid. The main thing that is going to have to happen with the app is that certain people can do certain things with the info. Some can only view, some can view and enter information, some can do nothing. User groups kind of thing and then assign users to the groups. As far as the security I would figure that SSL would be enough. They are never real clear on how secure it has to be. Only that if the data is stored off site....you are responisble for any data loss and security breaches. I will contact my client about the info right now while I'm thinking about it. Later, C:\
CPrompt Maniac (V) Inmate From: there...no..there..... Insane since: May 2001	posted 10-07-2005 22:58 well it seems that they are not REAL clear on the issue for HIPAA. Besides the stuff that I mentioned, the only other thing is, is that the images have to be password protected and if anyone views them, they have to be logged. So it has to say that user1 viewed x.pdf y.pdf z.pdf on 10.06.05 kind of thing. Other than that, they don't really have much more. Later, C:\
Pugzly Paranoid (IV) Inmate From: 127.0.0.1 Insane since: Apr 2000	posted 10-08-2005 05:40 One thing that's concerning a lot of IT people (including myself) about HIPPA is who can have access to the data. Only those who need to view the information as part of the medical needs can view it. But others (including those who might be in a superior position) cannot. For instance: a doctor or care giver can view/access the info, but their boss, who might be just a figure head, cannot. There is a lot of speculation that IT people can be prosecuted for providing access to those people who should not have access. I read an article in a lawyers magazine lately that said it's only a matter of time before an IT person, who provides access to data because a superior demands it, is jailed for doing so.
WarMage Maniac (V) Mad Scientist From: Rochester, New York, USA Insane since: May 2000	posted 10-11-2005 13:18 Thank you for all of the information. This is pretty helpful, and a bit scary. Dan @ Code Town

Topic awaiting preservation: HIPAA Issue Storing Data\$

Author

Thread

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 10-06-2005 23:34

Does anyone have knowledge about storing medical data in the US?

I am thinking of providing a service of storing medical data, in an encrypted format.

The client would send me information, I would store that information, create backups, and they could request their data and decrypt it.

Are there any special issues I would need to watch out for? Is this even allowed?

Dan @ Code Town

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 10-07-2005 02:47

is what allowed? To store the data? Sure. There is a company that is close to where I live that does this kind of thing. Pretty nifty system really. We sell some software that can be tailored to the needs of HIPAA pretty well.

There really isn't much in the way on what they want as far as the stored data. Just that it has to be behind a firewall, if it is going to be accessed via the web then it has to be done via a VPN. I might be able to pull some documentation on what the HIPAA requirements are for stored data off site if it would help. A client of ours might have some or a google search should pull some good stuff too.

One thing that *has* to be done with the software for view is this :

quote:

Software must be sufficiently ?intelligent? that its display of information may be based on the user or the terminal location.

I know this is one of the MAJOR things they require for the software.

and then there is this:

quote:

If the database is hosted outside the clinical practice or institution, the host site must be HIPAA compliant and a business associate agreement must be completed to extend responsibility for availability, security and safety of database to the hosting site.

Later,

C:\

(Edited by CPrompt on 10-07-2005 02:54)

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 10-07-2005 16:31

For a web base application would you need to use ssl? or is this not enough?

For a little more information. I have an RMS that is a swing application that would be installed at the client site. Just a simple records tracking system. I did not have to worry about the data because the clients would control all of that on a DB local to their PC.

I want to make this a hosted application, HTTP application, and I am not sure what kinds of issues I can run into. All of my googling has got me is a bunch of solutions that offer hipaa compliance, but not all that much information on the specifics.

I have spoken with some people in the industry, and they tell me that even the people totally versed on hipaa don't understand a lot of it.

Dan @ Code Town

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 10-07-2005 21:38

quote:

I have spoken with some people in the industry, and they tell me that even the people totally versed on hipaa don't understand a lot of it.

Yeah...that is what you are going to run into I am afraid.

The main thing that is going to have to happen with the app is that certain people can do certain things with the info. Some can only view, some can view and enter information, some can do nothing. User groups kind of thing and then assign users to the groups.

As far as the security I would figure that SSL would be enough. They are never real clear on how secure it has to be. Only that if the data is stored off site....you are responisble for any data loss and security breaches.

I will contact my client about the info right now while I'm thinking about it.

Later,

C:\

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 10-07-2005 22:58

well it seems that they are not REAL clear on the issue for HIPAA. Besides the stuff that I mentioned, the only other thing is, is that the images have to be password protected and if anyone views them, they have to be logged.

So it has to say that user1 viewed x.pdf y.pdf z.pdf on 10.06.05 kind of thing.

Other than that, they don't really have much more.

Later,

C:\

Pugzly
Paranoid (IV) Inmate

From: 127.0.0.1
Insane since: Apr 2000

posted 10-08-2005 05:40

One thing that's concerning a lot of IT people (including myself) about HIPPA is who can have access to the data. Only those who need to view the information as part of the medical needs can view it. But others (including those who might be in a superior position) cannot. For instance: a doctor or care giver can view/access the info, but their boss, who might be just a figure head, cannot.

There is a lot of speculation that IT people can be prosecuted for providing access to those people who should not have access. I read an article in a lawyers magazine lately that said it's only a matter of time before an IT person, who provides access to data because a superior demands it, is jailed for doing so.

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 10-11-2005 13:18

Thank you for all of the information.

This is pretty helpful, and a bit scary.

Dan @ Code Town