I started doing a little research about HIPAA compliance and what it takes to make office forms/database secure and compliant with HIPAA.
- Need various consent statement wordings and access to your privacy practices handout, etc. — rather trivial
- HTTPS/SSL urls when user is entering any of their information, redirect to secure URL if trying to access insecurely — I haven’t done this before, but it does not look like it would be terribly complicated or difficult to implement
- database encryption – the user’s personal data needs to be encrypted while stored so that it can’t be accessed by unauthorized persons or hackers. — Smaller businesses have more leeway than a big corporation since there is less data/risk. MySQL does have some built in column level encryption methods, but those seem to be mostly aimed at preventing passwords from being stored in clear text rather than preventing a query from mistakenly bringing up the wrong user’s private records when they go to log in and preventing someone who works for the hosting company or whatever from tampering with user’s data. This is not my area of specialty, may want to consult with an expert. The solution itself is likely to be trivial or relatively easy to implement, knowing what to implement is the hard part.
- Backups – there’s kind of debate it seems about whether hosting company backups are sufficient. The scale of the business may matter as far as the answer here, but should look into what the backup policies are for the web host.
- Permanently expunging data that is no longer needed – Mostly, this is handled by not storing data you don’t need to store in the first place. You may want to think about whether this would entail a mechanism to be able to delete an entire person’s record, or whether deleting the database when it’s no longer needed is sufficient.
- Hosting company should have an information security policy – basically, the hosting company should have a policy about how information is backed up and who is allowed access to the data on your server. nothing exciting here (unless you were using some fly by night hosting company that isn’t professional).
- “authentication and non-repudiation of users” – username and “secure” password (eg: 8+ characters) should be used to verify the user is who they say they are, and that they are authorized to access their own data.