
HIPAA Compliance in technical terms

Let's face it, the time is here: the first thing doctors and practitioners want to do with their brand new web systems is:

  • Register patients via a website or a web portal
  • Schedule in office appointments
  • Diagnose situations and make medical recommendations quickly
  • Access digital prescriptions

Securing the transmission of the information from the patient to the web site is fairly simple (it's step #1: use a web site secured with SSL). However, what do you do with that information once it arrives? Some basic options are:

  1. Store files on a web server and download them later. This is old and not recommended, although when talking about PACS systems it is necessary.
  2. Store the data in a database, and access the information using tools like BIRT or consume the data via web services.
  3. Email the information

The third option, emailing it to someone, is the most utilized choice because it is the easiest and requires the least additional software or infrastructure: everyone is already checking their email. It also opens a whole can of worms in terms of "how do you make the email component meet HIPAA?"

1. Storing the data in files requires that

  • The web site encrypt the files using vetted encryption methods
  • Downloads are made over a secure channel (i.e. Secure FTP – HIPAA Locker)
  • Both parties are included in a chain of tracking emails which verify the state of the file transfer.
  • Backup and trashing of any information is automated and verified by using system logs.

2. Storing the data in a Database allows you to write software for remote access and management of that information, however

  • Transmission to and from the database needs to be secured using SSL
  • The software that provides management must be secure and meet HIPAA requirements in terms of access controls and auditing.
  • Encryption key management and secure storage of the database itself are also issues which must be addressed. Even though transmissions are encrypted, the data at rest might not be, and that is a high-risk area for information leaks.

The first option is quite simple, but requires more technical knowledge on the part of the users and leaves a gaping hole as the end user has no way of tracking the disposal of the information.

The second option is how web applications are making their way into medical practices.  Centralized data repositories allow for Agile development methods to be utilized in order to design, develop and deploy complex database driven applications.

However, option 2 is technically complex and requires more cost and effort to implement properly. Web services and APIs are basic building blocks of mobile applications, but require advanced knowledge in order to be properly utilized in commercial applications.

Option 3 is easy, but how do you make the email HIPAA compliant? Well, this is a complex and costly topic, which is why we recommend using a web-based Large File Transfer system that is HIPAA compliant.

Securing data from your website

Below are the basic considerations to take when securing data from your website:

  • The data sent is encrypted using modern encryption techniques.
  • The data is never stored in a database that is not itself encrypted.
  • Once the recipients have received the information, the data is removed from the server.
  • The recipients can access these messages securely (over SSL) and decrypt the data either in their email program or on a web-based interface that supports decryption.
  • The provider handles backups and disaster recovery.
  • Deleted messages expire from backup systems after a defined period.
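The file-storage requirements above (encrypt with a vetted method, automate and log disposal) and the "removed from the server" and "expire after a while" considerations can be combined in one small piece of code. The following is an added example written for this post, not Skysoft's product code: it seals each form submission with AES-256-GCM under a fresh nonce, refuses to decrypt a record whose stored bytes have been altered, and purges expired records while emitting an audit-log line per deletion. The `Record`, `Vault` and `Purge` names and the 32-byte key supplied by the caller are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"time"
)

// Record is one form submission held encrypted at rest until its purge deadline.
type Record struct {
	Nonce, Ciphertext []byte
	Expires           time.Time
}
// Vault holds the AES-256-GCM AEAD built from a caller-supplied 32-byte key.
type Vault struct{ aead cipher.AEAD }
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // fails only for a wrong key length
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Vault{aead: aead}, nil
}

// Seal encrypts a submission under a fresh random nonce and stamps it with a purge deadline of now+retain.
func (v *Vault) Seal(plaintext []byte, retain time.Duration, now time.Time) (Record, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := v.aead.Seal(nil, nonce, plaintext, nil)
	return Record{Nonce: nonce, Ciphertext: ct, Expires: now.Add(retain)}, nil
}

// Open decrypts a record; any change to the stored bytes fails the GCM
// authentication check and returns an error instead of corrupted data.
func (v *Vault) Open(r Record) ([]byte, error) { return v.aead.Open(nil, r.Nonce, r.Ciphertext, nil) }
// Purge deletes every record past its deadline and returns one audit-log
// line per deletion, so disposal can later be verified from the logs.
func Purge(store map[string]Record, now time.Time) []string {
	var lines []string
	for id, r := range store {
		if !now.Before(r.Expires) {
			delete(store, id)
			lines = append(lines, now.UTC().Format(time.RFC3339)+" PURGED record="+id)
		}
	}
	return lines
}
```

The key itself still has to live somewhere other than next to the records (a secrets manager or HSM), which is exactly the key-management issue raised for option 2 above.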

Make your Web Forms HIPAA compliant Quickly

Skysoft's Secure Forms service allows you to collect data from your web forms and deliver it to you via email, secure FTP, or database in a way that is automatically HIPAA compliant and does not require any programming on your part:

  • We will acquire, certify and install the SSL certificate for your web site so that transmissions are secured.
  • We will integrate your web forms with any system which provides an API into their environment.
  • We provide all of the web mechanisms in order to control and manage your dashboard.

The post HIPAA Compliance in technical terms appeared first on Skysoft Incorporated.



This post first appeared on Small Business IT Services Orlando | Network Suppo.
