tags:

views:

353

answers:

3
+8  Q: 

Membership Providers and HIPAA Compliance

Does anyone know if the provided SQL and Active Directory Membership Providers in ASP.NET 2.0+ are HIPAA compliant?

Clarification:

I understand that HIPAA mandates patient information be secured and that certain policies be put in place to secure access to that information. Can Microsoft's SQL and AD Membership Providers be used for handling the authentication of users accessing this information? I expect there to be some policies that need to be established like password length and complexity but is there anything inherit about the way they store information that would invalidate them for the purposes of authorization? Any gotchas or things to look out for?

+1  A: 

It depends on what you want to do with them, but in short, yes. HIPAA is all about standards for securing your data; the standards aren't particularly harsh, so long as you have a way in place to provide for security. In that way, it's a lot like ISO 9001; so long as you define a security policy and stick with it, you're okay. The mentioned providers are effectively tools.

That said, you may need to do some additional things with your data to assure that it's only clearly accessible from your application; some level of pre-encryption would probably be appropriate. Just understand that it probably doesn't need to be HEAVY encryption; very light would do, so long as you're consistent with the application of it.

McWafflestix  2009-07-30 17:26:39
HIPAA *is* more about how you secure/protect your data then what you use to do it. As long as the data is protected, and only accessible by those who are allowed to access it you are okay.
Brettski  2009-08-03 02:38:56
A: 

I'd say that out of the box, it is not HIPAA compliant.

The way to find out would be to create a new Web Application, with just a default.aspx and maybe a login page. Then click the "ASP.NET Configuration" tool in the Solution Explorer toolbar to launch the configuration application (you can also do this from IIS if your site is hosted there). Set up the defaults, choosing to use the AspNetSqlProvider for all features.

This will create an ASPNETDB.MDF in your App_Data folder. Right-click it and choose "Open". This will open it in Server Explorer, where you can look at all the tables that were created.

You'll find that the password is stored hashed in the aspnet_Membership table, instead of as plain text. That's a good thing. However, the email address is also stored in the clear. If I remember my HIPAA training from four years ago, that's PII, and should at least pretend to be special. As it is, anyone with access to the database could find the email address of any member.

Edit based on update:

If you're only talking about using them for authentication and authorization, I'd say you're ok. You will need to ignore the email address.

John Saunders  2009-07-30 17:40:46
You can use a custom provider to get around the email address issue.
rboarman  2010-07-11 21:03:10
A: 

I sure hope it is;) We currently use the 2.0 Membership Provider with an ADAM LDAP at the health insurance company that I work for. HIPAA and PHI are the name of the game here and this set up went through our legal department.

vonfeldj  2009-07-30 20:11:22

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?