HIPAA Compliant Website/DB

  • Hello,

    I am designing a website with a SQL backend, and the client wants to keep their patients' data online. Since the database will be hosted on a 3rd-party site, I have to encrypt sensitive data in the webserver application before storing it in the db. If anyone has any experience with this, I have a few questions:

    -A group (let's call them therapists) should be the only ones to access the health-related data (i.e. SOAP notes, medical history, etc). Each therapist can access other therapists' files. For this, I'm guessing that there would be 2 entities, and I'm trying to figure out which ones need to be encrypted:

    Client (Name, address, login, password, phone, gender, etc)

    ClientVisit (ClientID, date, chief complaint, SOAP notes, etc)

    Should I encrypt ClientVisit and leave Client unencrypted? Vice versa? Or both?

    Also, I am new to effective security protocols; this is a small business, but I am guessing after a certain point encryption keys need to be changed, and updated every x number of months. Anyone know how to go about doing this, while still having access to historical data? If anyone has a book or an article that they can point me to, it would be much appreciated...

    -GP
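    One way to handle the key-rotation question above at the application tier, as an added example that is not from this thread: every stored value carries the version of the key that sealed it, old keys are kept in a ring until no row references them, and a new key is issued on each rotation. The KeyRing type, the "v<version>:" prefix and the AES-256-GCM choice are assumptions of this example, not a design the OP described.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// KeyRing holds every data-encryption key ever issued; the slice index is the key
// version. Old keys stay so rows sealed under them remain readable; only the newest
// key is used for writes. Call Rotate once before the first Encrypt.
type KeyRing struct{ Keys [][]byte }

// Rotate appends a fresh random 256-bit key, which becomes the key for new writes.
func (k *KeyRing) Rotate() {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand blocks or aborts rather than returning weak bytes
	k.Keys = append(k.Keys, key)
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes here, so no error
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Encrypt seals a field with AES-256-GCM under the newest key as "v<version>:<base64(nonce||ct)>".
func (k *KeyRing) Encrypt(field string) string {
	gcm := gcmFor(k.Keys[len(k.Keys)-1])
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh random nonce per value; never reuse one under the same key
	sealed := gcm.Seal(nonce, nonce, []byte(field), nil)
	return fmt.Sprintf("v%d:%s", len(k.Keys)-1, base64.StdEncoding.EncodeToString(sealed))
}

// Decrypt selects the key named by the version prefix and opens the field; tampering fails auth.
func (k *KeyRing) Decrypt(stored string) (string, error) {
	v, blob := 0, ""
	if _, err := fmt.Sscanf(stored, "v%d:%s", &v, &blob); err != nil || v < 0 || v >= len(k.Keys) {
		return "", fmt.Errorf("malformed value or unknown key version: %q", stored)
	}
	gcm := gcmFor(k.Keys[v])
	raw, err := base64.StdEncoding.DecodeString(blob)
	if n := gcm.NonceSize(); err != nil || len(raw) < n {
		return "", fmt.Errorf("corrupt ciphertext")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err
}
```

    A background job can then select rows whose prefix names an old version, re-encrypt them with Encrypt, and retire that key only once no row references it.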

  • Client name, address, phone and gender are also protected items.

    Under your design you would need to encrypt the client table as well.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • HIPAA actually has very little to do with encryption on the DB side. It's more about tracking who is accessing what, and whether they have permissions. It's more important to design your screens and timeouts correctly in the UI (so that no identifiable info is easily accessible); also - no using PHI in FKs. When someone does make a request to access PHI, then you make sure that you log that (and that's data that should be encrypted and locked down, more so than even the PHI itself): who, what, and under what HIPAA rule are they allowed/disallowed from seeing the data.

    Just be careful that you won't be able to index correctly on encrypted data, unless you use TDE (which isn't really encryption on the app layer at all).

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
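    On the indexing point above, as an added example not taken from this thread: one common pattern is to store, beside the encrypted column, a keyed HMAC of the normalised plaintext (a "blind index") so equality lookups can still hit an index without decrypting. The BlindIndex function, the ClientRow type and the in-memory FindByLastName stand-in for the SQL query are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// BlindIndex derives a deterministic keyed token for a column whose plaintext is
// stored encrypted, so the application can still run an indexed equality lookup
// (WHERE last_name_idx = ?). indexKey is separate from the data-encryption key.
// Normalising first makes "Smith " and "smith" collide on purpose; the token
// reveals only which rows share a value, never the value itself, and it cannot
// support range scans or LIKE searches.
func BlindIndex(indexKey []byte, value string) string {
	norm := strings.ToLower(strings.Join(strings.Fields(value), " "))
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(norm))
	return hex.EncodeToString(mac.Sum(nil)[:16]) // a 128-bit token is ample for an index
}

// ClientRow stands in for one row of the Client table: the name column holds
// only ciphertext (opaque here), the _idx column holds the blind index.
type ClientRow struct {
	ID          int
	NameCipher  string
	LastNameIdx string
}

// FindByLastName mimics the SQL lookup: compute the token once, match on it.
// Nothing is decrypted, which is what lets the column be indexed.
func FindByLastName(rows []ClientRow, indexKey []byte, lastName string) []int {
	want := BlindIndex(indexKey, lastName)
	var ids []int
	for _, r := range rows {
		if r.LastNameIdx == want {
			ids = append(ids, r.ID)
		}
	}
	return ids
}
```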

  • It sounds to me like you need to find a lawyer or consultant who specializes in healthcare security. I work in the healthcare field and we even get misinformation from our clients, so I wouldn't take any post on a forum as good legal backing should you need to defend how you designed something. Additionally, HIPAA (which as Matt pointed out is mainly about tracking who accessed information) isn't the only thing in play. Do you need to be CCHIT certified? What about any of the new regulations coming out? I have heard that one of them does require that the client be offered the option that patient information is encrypted where it's stored.

  • cfradenburg (3/30/2010)

    It sounds to me like you need to find a lawyer or consultant who specializes in healthcare security. I work in the healthcare field and we even get misinformation from our clients, so I wouldn't take any post on a forum as good legal backing should you need to defend how you designed something. Additionally, HIPAA (which as Matt pointed out is mainly about tracking who accessed information) isn't the only thing in play. Do you need to be CCHIT certified? What about any of the new regulations coming out? I have heard that one of them does require that the client be offered the option that patient information is encrypted where it's stored.

    Solid advice.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • Which isn't to say this is a bad place to come once you figure out what needs to be done. I wish I could answer your question about encryption keys changing but I haven't had to deal with that at all. This being a SQL forum you'll be more likely to get an answer if you're doing the encryption SQL side but there are probably people that can at least give you a pointer either way.

  • Matt Miller (#4) (3/29/2010)

    HIPAA actually has very little to do with encryption on the DB side. It's more about tracking who is accessing what, and whether they have permissions. It's more important to design your screens and timeouts correctly in the UI (so that no identifiable info is easily accessible); also - no using PHI in FKs. When someone does make a request to access PHI, then you make sure that you log that (and that's data that should be encrypted and locked down, more so than even the PHI itself): who, what, and under what HIPAA rule are they allowed/disallowed from seeing the data.

    Just be careful that you won't be able to index correctly on encrypted data, unless you use TDE (which isn't really encryption on the app layer at all).

    But remember that TDE is an Enterprise Edition feature.

  • Welcome to health care.

    Do hire a reputable and fully up to date legal and regulatory compliance expert (or two). The penalties for noncompliance can be very serious.

    Do consult the HITECH Act and other regulatory guidance as well as HIPAA.

    Some purely technical teasers, not even getting into breach notification and other entertaining areas:

    74 F.R. 19006 to 19010 (Pages 19009 and 19010 in particular)

    and the related:

    NIST SP800-52 (Section 4.2, first paragraph, and Section 5.2 Table 3)

    Mention particularly to your consultant expert that you may be storing PHI on a third party system (offsite database), and allowing health providers to see data collected by a different health provider.

    Health care, like finance, has very deep waters; it's easy to drown if you just jump in.

  • HIPAA has very strict privacy laws, so it's better to go for encryption. However, if you have any doubts regarding compliance with 5010 HIPAA standards then you can consult with Edifecs. They offer online services and consulting for HIPAA testing and certification.

  • Hello

    I'd like to add that even though HIPAA may not require you to encrypt your database at rest, it does require you to notify EVERY person in that database, make a press release, and notify the FDA etc. if that data is misplaced or stolen and it is not encrypted.

    If it is encrypted at rest then you don't need to notify in some instances. These are things you need to consider.

    In terms of the data, PHI (primary health information) MUST not be identifiable to the patient. This goes for name, date of birth, city, serial numbers, so it's basically every bit of data you collect about them.

    It is a VERY VERY complex set of laws and you need to consult a lawyer, as the potential liabilities are severe, not only monetarily but financially.

    Also, at-rest encryption means that if someone copies the database, backups, rips out the drive etc., the data is unusable. Disk-based encryption isn't enough.
