What are the database requirements for HIPAA compliance?
I'm using Ruby on Rails 4.2 with mySql for my HIPAA Compliance application and I need to know the technical database requirements for this application.
do we really need to encrypt all the database values such as patient name etc?
Answer
Yes You have to encrypt all the details(name, email, phone, address) related to patient and doctors if you want your Rails application to be HIPAA Compliance.
Here below 2 Ruby gems are very helpful for you.
attr_encrypted: https://github.com/shuber/attr_encrypted
paper_trail: https://github.com/airblade/paper_trail
HIPAA is an unusual law in that it makes a lot of recommendations (addressable items) and a few assertions (required items), but in the end it is up to each organization to determine for themselves what they need to do to be compliant.This creates a great deal of flexibility and also a great deal of uncertainty. In general, to be HIPAA-compliant, a web site must at a minimum ensure that all protected health information (ePHI) below:
Transport Encryption: Is always encrypted as it is transmitted over the Internet
Backup: Is never lost, i.e. should be backed up and can be recovered
Authorization: Is only accessible by authorized personnel using unique, audited access controls
Integrity: Is not tampered with or altered
Storage Encryption: Should be encrypted when it is being stored or archived
Disposal: Can be permanently disposed of when no longer needed
Omnibus/HITECH: Is located on the web servers of a company with whom you have a HIPAA Business Associate Agreement (or it is hosted in house and those servers are properly secured per the HIPAA security rule requirements).