Ok, I got the concept of HIPAA. Thanks to all those who participated. But does anybody have real experience on how to set up the website and programming? I am trying to implement this with .NET. Is an SSL certificate enough to ensure the privacy of the information? The thing is, I am going to have webforms that are going to submit this info to the DB, and also a document is going to be attached containing the medical history of the patient.

+1  A: 

See "Is Your Web Site HIPAA Compliant?"

HIPAA requires that all protected health related information transmitted over public networks, such as the Internet, remain private and that steps be taken by health care providers to keep this information from being disclosed to the public. Protected health related information includes all clinical information such as medical history, lab results, pharmacy prescriptions, etc. Non-protected information includes items such as procedure costs or billing information. Since practice web sites provide for email correspondence from potential or current patients that may contain protected health information, practice web sites must be HIPAA compliant.

For the practice web site to meet the HIPAA requirements, it must include certain components. First, it should include the federal and state HIPAA guidelines and disclaimers. Second, it should provide the practice privacy notice, which, in turn, should define exactly what comprises protected private information and outline how and when this health information can be released, such as for purposes of billing a health insurance company or to communicate with a diagnostic testing facility (i.e. x-rays, MRIs, CAT scans, etc.). Thirdly, if the practice web site does not include a secure email network, it should provide an email privacy warning statement informing the patient that the email network is not secure and that private health related information should therefore not be sent over the network.

My advice is find a developer that knows how to make the site compliant since it will vary for each state and it is extremely complex.

You should also consult a lawyer, since they know (or are able to find out) what HIPAA is and is not. As you can tell from the comments there is some debate.

David Basarab
It was my understanding that HIPAA was a US Federal law, and thus does not vary from state to state.
John Saunders
US Federal laws don't vary from state to state, you're right. They vary from circuit to circuit, and I think there's nine circuits. (A "circuit" here is an area covered by a given Court of Appeals.) A decision by a Circuit Court is a binding precedent in that Circuit, but not in any other. Since laws are subject to interpretation, this means that Federal law is not in fact the same nationwide. It surprised me the first time I learned of it.
David Thornley
IANAL, but I'd believe you more readily if you had an example of some aspect of HIPAA that differs from one circuit to another.
John Saunders
@John: HIPAA defines some requirements that are left to states to implement.
Joel Coehoorn
@Joel: can you give an example or two, and would these requirements determine "compliance" for a web site?
John Saunders
I don't know of any aspect of HIPAA that varies, but an accountant I know once told me of her problems with varying Federal law on accounting practices. I'm just explaining why Federal law can vary from place to place.
David Thornley
For the practice web site to meet the HIPAA requirements, it must include certain components. First, it should include the federal and state HIPAA guidelines and disclaimers.
David Basarab
@David Basarab: to be honest, I ignored the disclaimer stuff as the most trivial part of HIPAA compliance. Congratulations if everything else in the site is compliant, and only disclaimers are not.
John Saunders
+1  A: 

Sure. Just don't leak any Protected Health Information to anyone who doesn't have a legitimate need to know it.

So if you don't have any patient data, you're already done.

If you do have patient data, my advice is hire an expert. The law is written such that you can be held personally liable for fines (not just your company, but you personally) after breaches if you haven't taken appropriate precautions.

Joel Coehoorn
+4  A: 

I work in a hospital, so here's what I can offer: HIPAA protected info is any info that

  1. "[i]s created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"; and
  2. "[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."

The gist, and the big thing to keep in mind is that the lawmakers were actually smart on this one. HIPAA info involves things like SSN, address, name, insurance number, insurance provider, etc. But what you might not realize is that a lot more than just those can be personally identifying.

Saying "that guy from Boise with the brain tumor" is potentially identifiable as well. It provides you with a sex, location, and diagnosis and is pretty easy to tie to a person. Even saying "that person from Phoenix is [going to have to go]/[just went] for chemo" is potentially HIPAA info because it gives you PII.

Where you're clear in HIPAA is where you give that info to people who need it to do their job, or where it's free of INDIVIDUAL information. X hospital in Phoenix saw Y chemo patients is fine, AFAIK.

Either way, when you're dealing with something like HIPAA, you really need to be consulting a lawyer, not a bunch of programmers.

Edit in response to your edit: storing HIPAA information is not in and of itself a violation of HIPAA. Hospitals do that all the time. Giving it out to those who do not need it is the violation.

If your plan is to store and distribute HIPAA info, then you need several things:

  • Strong Authorization Protocols - you have to make sure only those who need it can get it
  • Robust Security - self explanatory
  • logs, logs, logs, and more logs. When regulators come knocking, you need to be able to verify every single time you handed out information, what information you handed out, who you handed information out to, and WHY they needed that information to do their job

To give an example, in our clinical information program, everyone down to our nurses and doctors is audited on who they pull data on, and what data they pull. If they pull data on any patient who is not one they are directly responsible for, there is a very good chance of the Spanish Inquisition.

Again, though, I urge you to consult a lawyer or at the very least have someone to very securely pin blame on so that you can be absolved if a violation does happen. HIPAA does have teeth.

Chris Sobolewski
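The need-to-know gate and the "who, what, when and why" audit trail that this answer asks for, written out as an added illustration for the asker's .NET setting. This is not code from the original post or from any of the answerers: it assumes a .NET 6 or later project (C# 9 syntax), and the `PhiAccessService` and `AuditEntry` types, the care-team mapping, and the user and patient IDs are all constructed for the example.

```csharp
// Added example (not from the original post): a minimal PHI access gate for a
// .NET application. It releases a record only to users on the patient's care
// team, records every attempt (granted or denied) with who / what / when / why,
// and offers the review step the answer describes: listing accesses to patients
// the user is not responsible for. All names and sample data are constructed.
using System;
using System.Collections.Generic;
using System.Linq;

public enum AccessOutcome { Granted, Denied }

public sealed class AuditEntry
{
    public DateTime TimestampUtc { get; init; }
    public string UserId { get; init; } = "";
    public string PatientId { get; init; } = "";
    public string DataRequested { get; init; } = "";
    public string Justification { get; init; } = "";
    public AccessOutcome Outcome { get; init; }
}

public sealed class PhiAccessService
{
    // Constructed sample mapping: patient ID -> set of user IDs on that patient's care team.
    private readonly Dictionary<string, HashSet<string>> _careTeam;
    private readonly List<AuditEntry> _auditLog = new();

    public PhiAccessService(Dictionary<string, HashSet<string>> careTeam) => _careTeam = careTeam;

    public IReadOnlyList<AuditEntry> AuditLog => _auditLog;

    // Returns the requested record only if the user is on the patient's care team.
    // The audit entry is written before anything is returned, so denied attempts
    // are recorded too; a stated reason for the access is mandatory.
    public string? GetRecord(string userId, string patientId, string dataRequested,
                             string justification, Func<string, string> loadRecord)
    {
        if (string.IsNullOrWhiteSpace(justification))
            throw new ArgumentException("A reason for access is required.", nameof(justification));

        bool allowed = IsOnCareTeam(userId, patientId);

        _auditLog.Add(new AuditEntry
        {
            TimestampUtc = DateTime.UtcNow,
            UserId = userId,
            PatientId = patientId,
            DataRequested = dataRequested,
            Justification = justification,
            Outcome = allowed ? AccessOutcome.Granted : AccessOutcome.Denied
        });

        return allowed ? loadRecord(patientId) : null;
    }

    // Review step: every logged attempt where the user was not (or is no longer)
    // responsible for the patient, the kind of entry a compliance reviewer asks about.
    public IEnumerable<AuditEntry> FindOutOfScopeAccess() =>
        _auditLog.Where(e => !IsOnCareTeam(e.UserId, e.PatientId));

    private bool IsOnCareTeam(string userId, string patientId) =>
        _careTeam.TryGetValue(patientId, out var team) && team.Contains(userId);
}

public static class Demo
{
    public static void Main()
    {
        var careTeam = new Dictionary<string, HashSet<string>>
        {
            ["patient-001"] = new() { "dr.smith", "nurse.lee" },
            ["patient-002"] = new() { "dr.jones" }
        };
        var service = new PhiAccessService(careTeam);

        // Constructed record loader standing in for the database lookup.
        static string Load(string id) => $"<medical history for {id}>";

        var granted = service.GetRecord("nurse.lee", "patient-001", "medical history",
                                        "pre-op assessment", Load);   // returns the record
        var denied = service.GetRecord("nurse.lee", "patient-002", "medical history",
                                       "follow-up", Load);            // returns null, still logged

        foreach (var e in service.AuditLog)
            Console.WriteLine($"{e.TimestampUtc:o} {e.UserId} -> {e.PatientId} [{e.DataRequested}] " +
                              $"reason='{e.Justification}' outcome={e.Outcome}");

        Console.WriteLine($"Granted: {granted is not null}, denied: {denied is null}");
        Console.WriteLine($"Out-of-scope attempts on review: {service.FindOutOfScopeAccess().Count()}");
    }
}
```

The in-memory list stands in for whatever durable, append-only store the real application writes to; the point is that the entry is committed before the record leaves the service, and that the review query runs over the same log the gate wrote, so the answers to "who, what, when and why" come from one place.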