At a very high level, there are two parts to HIPAA, the Privacy Rule and Security Rule.
The Privacy Rule will address considerations related to displaying PHI for a clinician's use or any disclosure of PII/PHI. In general, if the patient agrees to disclosure and/or sharing information is required to provide the service, then it appears to be OK.
Storage location and other technical aspects will be addressed through the Security Rule's Administrative, Physical and Technical standards. These standards do not specify where data can and cannot be stored, but provide various requirements that must be met or addressed to ensure data confidentiality, integrity and availability.
Some companies are very conservative and will not consider storing any data outside of their control, while others, and an increasing number of companies, use third-party data center and cloud services, for example, Windows Azure, Amazon AMS, etc.
------------------------------
Michael Zagorski RAC
Pittsburgh PA
Original Message:
Sent: 07-Oct-2016 07:15
From: Karen Bannick
Subject: HIPAA Compliant database
Good morning, everyone. I'm working with a client who is developing a drug dosing software system. I am looking for guidance on the design of their database to ensure compliance with HIPAA. How are others implementing this? Do you store the PHI in a separate database? Do you use a third-party storage system? Can they display the PHI on the software screen for the clinician's use in patient care? Would love a reference to an expert who might advise.
Regards,
------------------------------
Karen Bannick MA, RAC, FRAPS
Principal & Founder
Bannick Consulting LLC
karen@bannickconsulting.com
------------------------------