Ok, I got the concept of HIPAA. Thanks to all those who participated. But does anybody have real experience on how to set up the website and programming? I am trying to implement this with .NET. Is an SSL certificate enough to ensure the privacy of the information? This is the thing: I am going to have webforms that are going to submit this info to the DB, and also a document is going to be attached containing the medical history of the patient.
See "Is Your Web Site HIPAA Compliant?"
HIPAA requires that all protected health related information transmitted over public networks, such as the Internet, remain private and that steps be taken by health care providers to keep this information from being disclosed to the public. Protected health related information includes all clinical information such as medical history, lab results, pharmacy prescriptions, etc. Non-protected information includes items such as procedure costs or billing information. Since practice web sites provide for email correspondence from potential or current patients that may contain protected health information, practice web sites must be HIPAA compliant.
For the practice web site to meet the HIPAA requirements, it must include certain components. First, it should include the federal and state HIPAA guidelines and disclaimers. Second, it should provide the practice privacy notice, which, in turn, should define exactly what comprises protected private information and outline how and when this health information can be released, such as for purposes of billing a health insurance company or to communicate with a diagnostic testing facility (i.e. x-rays, MRIs, CAT scans, etc.). Thirdly, if the practice web site does not include a secure email network, it should provide an email privacy warning statement informing the patient that the email network is not secure and that private health related information should therefore not be sent over the network.
My advice is to find a developer that knows how to make the site compliant, since it will vary for each state and it is extremely complex.
You should also consult a lawyer, since they know (or are able to find out) what HIPAA is and is not. As you can tell from the comments, there is some debate.
Sure. Just don't leak any Protected Health Information to anyone who doesn't have a legitimate need to know it.
So if you don't have any patient data, you're already done.
If you do have patient data, my advice is hire an expert. The law is written such that you can be held personally liable for fines (not just your company, but you personally) after breaches if you haven't taken appropriate precautions.
I work in a hospital, so here's what I can offer: HIPAA protected info is any info that
- "[i]s created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"; and
- "[r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual."
The gist, and the big thing to keep in mind, is that the lawmakers were actually smart on this one. HIPAA info involves things like SSN, address, name, insurance number, insurance provider, etc. But what you might not realize is that a lot more than just those can be personally identifying.
Saying "that guy from Boise with the brain tumor" is potentially identifiable as well. It provides you with a sex, location, and diagnosis and is pretty easy to tie to a person. Even saying "that person from Phoenix is [going to have to go]/[just went] for chemo" is potentially HIPAA info because it gives you PII.
Where you're clear in HIPAA is where you give that info to people who need it to do their job, or where it's free of INDIVIDUAL information. "X hospital in Phoenix saw Y chemo patients" is fine, AFAIK.
Either way, when you're dealing with something like HIPAA, you really need to be consulting a lawyer, not a bunch of programmers.
Edit in response to your edit: storing HIPAA information is not in and of itself a violation of HIPAA. Hospitals do that all the time. Giving it out to those who do not need it is the violation.
If your plan is to store and distribute HIPAA info, then you need several things:
- Strong Authorization Protocols - you have to make sure only those who need it can get it
- Robust Security - self-explanatory
- Logs, logs, logs, and more logs. When regulators come knocking, you need to be able to verify every single time you handed out information, what information you handed out, who you handed information out to, and WHY they needed that information to do their job
To give an example, in our clinical information program, everyone down to our nurses and doctors is audited on who they pull data on, and what data they pull. If they pull data on any patient who is not one they are directly responsible for, there is a very good chance of the Spanish Inquisition.
Again, though, I urge you to consult a lawyer or at the very least have someone to very securely pin blame on so that you can be absolved if a violation does happen. HIPAA does have teeth.
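The answer above boils the technical side down to three things: need-to-know authorization, solid security, and an audit trail of who pulled what on whom and why. Since the question is about .NET, here is an added C# example (not code from anyone in this thread) showing how those three fit together in one small gate class. Everything in it is constructed for illustration: the class and method names (`PhiAccessGate`, `TryAccess`, `AuditEntry`), the care-team map, and the sample users and patient ids. It answers the "is SSL enough" part implicitly: TLS only protects the bytes in transit, and none of what this class does happens at that layer.

```csharp
// Added example, not from the original thread. Names and sample data are constructed.
// Demonstrates: (1) a need-to-know check tied to a care-team relationship,
// (2) refusing access without a stated purpose, and (3) an append-only audit trail
// that records every attempt, allowed or denied, so an auditor can answer
// "who accessed what, on which patient, and why".
using System;
using System.Collections.Generic;
using System.Linq;

public sealed record AuditEntry(
    DateTimeOffset When, string UserId, string PatientId,
    string Resource, string Purpose, bool Allowed, string Reason);

public sealed class PhiAccessGate
{
    // patientId -> user ids on that patient's care team (constructed sample data).
    private readonly Dictionary<string, HashSet<string>> _careTeam;

    // In-memory here; in a real deployment this would be a write-once store
    // the application cannot edit or delete from.
    private readonly List<AuditEntry> _audit = new();
    private readonly Func<DateTimeOffset> _clock;

    public PhiAccessGate(Dictionary<string, HashSet<string>> careTeam,
                         Func<DateTimeOffset>? clock = null)
    {
        _careTeam = careTeam;
        _clock = clock ?? (() => DateTimeOffset.UtcNow);
    }

    public IReadOnlyList<AuditEntry> AuditTrail => _audit;

    // Every request is logged, whether it is allowed or not. The caller must
    // state a purpose; the relationship check decides the outcome.
    public bool TryAccess(string userId, string patientId, string resource, string purpose)
    {
        bool allowed;
        string reason;

        if (string.IsNullOrWhiteSpace(purpose))
        {
            allowed = false; reason = "no purpose stated";
        }
        else if (_careTeam.TryGetValue(patientId, out var team) && team.Contains(userId))
        {
            allowed = true; reason = "user is on the patient's care team";
        }
        else
        {
            allowed = false; reason = "user is not on the patient's care team";
        }

        _audit.Add(new AuditEntry(_clock(), userId, patientId, resource, purpose, allowed, reason));
        return allowed;
    }

    // What the compliance reviewer looks at first: every attempt that was refused.
    public IEnumerable<AuditEntry> DeniedAttempts() => _audit.Where(e => !e.Allowed);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: two patients, three clinicians.
        var gate = new PhiAccessGate(new Dictionary<string, HashSet<string>>
        {
            ["patient-001"] = new() { "dr.lee", "nurse.kim" },
            ["patient-002"] = new() { "dr.patel" },
        });

        gate.TryAccess("nurse.kim", "patient-001", "MedicalHistory.pdf", "pre-op review");  // allowed
        gate.TryAccess("dr.patel",  "patient-001", "LabResults",         "follow-up");      // denied: wrong team
        gate.TryAccess("dr.lee",    "patient-002", "MedicalHistory.pdf", "");               // denied: no purpose

        foreach (var e in gate.AuditTrail)
            Console.WriteLine(
                $"{e.When:u} {e.UserId} -> {e.PatientId}/{e.Resource} " +
                $"purpose=\"{e.Purpose}\" {(e.Allowed ? "ALLOW" : "DENY")} ({e.Reason})");

        Console.WriteLine($"Attempts needing review: {gate.DeniedAttempts().Count()}");
    }
}
```

The point of logging the denied attempts alongside the allowed ones is the "Spanish Inquisition" part of the answer: the record of someone reaching for a chart they are not responsible for is exactly what an auditor wants to see, so it must be written before the decision is returned, not only on success. The care-team map is the simplest possible stand-in for whatever system of record defines who is treating whom; in a real site that lookup is the thing to get right, and the web form and the uploaded history document should both go through the same gate before touching the database.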