Regulatory Open Forum

  • 1.  HIPAA Compliant database

    Posted 07-Oct-2016 07:15

    Good morning everyone.  I'm working with a client who is developing a drug dosing software system.  I am looking for guidance on design of their database to ensure compliance with HIPAA.  How are others implementing this?  Do you store the PHI in a separate database?  Do you use a third party storage system? Can they display the PHI on the software screen for the clinician's use in patient care?  Would love a reference to an expert who might advise.

    Regards,

    ------------------------------
    Karen Bannick MA, RAC, FRAPS
    Principal & Founder
    Bannick Consulting LLC
    karen@bannickconsulting.com
    ------------------------------


  • 2.  RE: HIPAA Compliant database

    Posted 19-Oct-2016 21:21

    At a very high level, there are two parts to HIPAA, the Privacy Rule and Security Rule.

    The Privacy Rule will address considerations related to displaying PHI for clinician's use or any disclosure of PII/PHI. In general, if the patient agrees to disclosure and/or sharing information is required to provide the service, then it appears to be OK.

    Storage location and other technical aspects will be addressed through the Security Rule's Administrative, Physical and Technical standards. These standards do not specify where data can and cannot be stored, but provide various requirements that must be met or addressed to ensure data confidentiality, integrity and availability.

    Some companies are very conservative and will not consider storing any data outside of their control, while others, an increasing number of companies, use third-party data center and cloud services, for example Windows Azure, Amazon AMS, etc.

    ------------------------------
    Michael Zagorski RAC
    Pittsburgh PA



  • 3.  RE: HIPAA Compliant database

    Posted 20-Oct-2016 08:03

    Karen,

    Will this only be used in the US? If not, you will have to consider other countries' privacy issues for storage.

    EU data privacy requirements have increased significantly with the new Privacy Directive. For example, like Las Vegas, what is generated in France stays in France (the data server must be located in France).

    So just be sure you are considering that part of the picture too. In the US, your client could be looking at AAMI HF57 and IEC TIR 80002-1 for starters, and do some research around use of, or certification to, ISO 27001 potentially.

    Good luck,

    Ginger Cantor, MBA, RAC
    Centaur Consulting LLC
    centaurconsultingllc@gmail.com


  • 4.  RE: HIPAA Compliant database

    Posted 20-Oct-2016 09:16

    The new General Data Protection Regulation (GDPR) that entered into force on May 26, 2016, replaces the Data Protection Directive 95/46/EC.

    The new regulation, however, does not prevent data transfer outside of the EU, though the requirements to ensure adequate data protection are more stringent.

    France is a special case in that they have some of the most stringent requirements in the EU, and it's generally easier to set up a local data center in France rather than obtaining their approval to transfer. Data Controllers are required to obtain approval from the DPA prior to transferring data outside.

    ------------------------------
    Michael Zagorski RAC
    Pittsburgh PA