Ask HN: HIPAA compliance? - justinph

I'm sketching out some plans for a project that would deal with medical data. From what I understand reading HIPAA, I would be subject to all the guidelines as an outside entity or 'healthcare clearinghouse'. Does anyone have any experience making a webapp HIPAA compliant?

The regulations and potential liabilities, while understandable from a patient perspective, seem daunting for a startup to tackle.
======
JangoSteve
I have helped build a HIPAA-compliant startup before. This particular startup
was one which helped doctors' offices do automated scheduled appointment
reminders. There is a lot to consider, but I wouldn't have called it
"daunting". In fact, a lot of it is stuff you should really consider doing anyway,
if you're going to have any sort of sensitive data stored.

For one, you won't want to host the app on a standard VPS or cloud service.
You'll either want a well-locked-down dedicated server, or to go with a
hosting company that specializes in secure servers. We used
<http://www.secure-24.com/> for the web app I built. It was a huge pain in the
ass, as we had to get special permission from the host every time we wanted to
install a ruby gem, and it usually took them at least an hour to get back to
us.

Of course, you'll also want to make the entire site encrypted (a good practice
anyway for any site with a login), and keep the database well locked-down.

The most difficult part for this app, though, was re-thinking some of the most
common practices in web apps, such as the password reset. HIPAA compliance
says that, for example, a 16-year-old girl going to the gynecologist has a
right to privacy from her parents, such that they should be able to know
nothing about it. But some families monitor their children's email. So, if the
girl belongs to a doctor's office, and they tell her to go to the site to
manage her appointments, but then she forgets her password, we can't just
automatically send the password reset to her email.

Likewise, be careful of things like what the failed login message says. If it
indicates that the email does indeed exist, but that the password is wrong,
that's not good, as it gives the user (who may or may not own that email
address) _some_ info about the person who owns that email: that they do have
an account on your site.

One other thing is, you have to have a unique identifier for each person, a
really unique identifier. At first, we were going to go with social security
number, but you'd be surprised how _un-unique_ that actually is. Aside from
the fact that a lot of people in the US don't have an SSN, there are also
duplicates from illegal immigrants and other people who obtained their number
by some illegal means. I don't recall where, but there was some study done
that showed that cell-phone number is much closer to being able to identify
people 1:1 than SSN in the US.

Anyway, those are the things I can remember off the top of my head; it was a
few years ago. I hope it helps. Just whatever you do, don't make it harder
than it is, or skimp on any of the rules; this stuff is important and exists
for a reason.

------
privacyguru
Justin, dealing with HIPAA can be daunting, especially when it's not your
primary function in terms of dealing with security and compliance issues that
are constantly changing. There are a few companies that can help ensure your
app is HIPAA compliant. There are also hosting providers like Firehost that
offer HIPAA compliance ready hosting that may help as well.
<http://www.firehost.com/secure-hosting/hipaa>