What are the database requirements for HIPAA compliance?

Nitesh · Apr 19, 2016 · Viewed 8.1k times

I'm using Ruby on Rails 4.2 with mySql for my HIPAA Compliance application and I need to know the technical database requirements for this application.

do we really need to encrypt all the database values such as patient name etc?

Answer

Anil Kumar · Apr 19, 2016

Yes, you have to encrypt all the details (name, email, phone, address) related to patients and doctors if you want your Rails application to be HIPAA compliant.

The two Ruby gems below are very helpful for you.

attr_encrypted: https://github.com/shuber/attr_encrypted

paper_trail: https://github.com/airblade/paper_trail

HIPAA is an unusual law in that it makes a lot of recommendations (addressable items) and a few assertions (required items), but in the end it is up to each organization to determine for itself what it needs to do to be compliant. This creates a great deal of flexibility and also a great deal of uncertainty. In general, to be HIPAA compliant, a web site must at a minimum ensure that all protected health information (ePHI):

Transport Encryption: Is always encrypted as it is transmitted over the Internet

Backup: Is never lost, i.e. should be backed up and can be recovered

Authorization: Is only accessible by authorized personnel using unique, audited access controls

Integrity: Is not tampered with or altered

Storage Encryption: Is encrypted when it is being stored or archived

Disposal: Can be permanently disposed of when no longer needed

Omnibus/HITECH: Is located on the web servers of a company with whom you have a HIPAA Business Associate Agreement (or it is hosted in house and those servers are properly secured per the HIPAA security rule requirements).
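The answer above recommends attr_encrypted for encrypting patient fields before they reach MySQL. The following is an added example (not code from the original post, and not the attr_encrypted or paper_trail gems themselves) that shows the underlying technique with only Ruby's standard library: each sensitive attribute is encrypted with AES-256-GCM under a fresh nonce, the column name is bound in as authenticated data so a ciphertext moved to another column fails to decrypt, every read is written to an audit trail, and a tampered ciphertext is detected on decrypt rather than silently returning garbage (the "Storage Encryption", "Authorization" and "Integrity" items in the list). `AttributeCipher`, `PatientRecord`, `tamper_detected?` and `demo` are hypothetical names chosen for this example; the Hash standing in for a database row and the random key are constructed for the demo, and a real application would load the key from a secrets store such as Rails credentials, never from source or the database itself.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Hypothetical helper: field-level encryption with AES-256-GCM (Ruby stdlib OpenSSL).
# The stored blob is base64(nonce || auth_tag || ciphertext) so it fits one text column.
module AttributeCipher
  ALGO = 'aes-256-gcm'.freeze
  NONCE_LEN = 12
  TAG_LEN = 16

  # `aad` (additional authenticated data) is not encrypted but is covered by the
  # auth tag; binding the column name here means a ciphertext copied from
  # encrypted_email into encrypted_name will not decrypt.
  def self.encrypt(plaintext, key, aad:)
    raise ArgumentError, 'key must be 32 bytes' unless key.bytesize == 32
    cipher = OpenSSL::Cipher.new(ALGO).encrypt
    cipher.key = key
    nonce = cipher.random_iv            # fresh 12-byte nonce per stored value
    cipher.auth_data = aad
    ciphertext = cipher.update(plaintext.to_s) + cipher.final
    Base64.strict_encode64(nonce + cipher.auth_tag + ciphertext)
  end

  # Raises OpenSSL::Cipher::CipherError if the tag does not verify, i.e. the
  # nonce, tag, ciphertext or aad were altered.
  def self.decrypt(blob, key, aad:)
    raw = Base64.strict_decode64(blob)
    nonce = raw[0, NONCE_LEN]
    tag = raw[NONCE_LEN, TAG_LEN]
    ciphertext = raw[(NONCE_LEN + TAG_LEN)..-1]
    decipher = OpenSSL::Cipher.new(ALGO).decrypt
    decipher.key = key
    decipher.iv = nonce
    decipher.auth_tag = tag
    decipher.auth_data = aad
    decipher.update(ciphertext) + decipher.final
  end
end

# Hypothetical stand-in for an ActiveRecord model. `row` is a Hash playing the
# part of a MySQL row: only ciphertext ever lands in it. Every read of a
# protected field is appended to `audit_log` with the acting principal, which
# is the "unique, audited access controls" requirement in the list above.
class PatientRecord
  ENCRYPTED_FIELDS = %i[name email phone address].freeze
  attr_reader :row, :audit_log

  def initialize(key)
    @key = key
    @row = {}
    @audit_log = []
  end

  ENCRYPTED_FIELDS.each do |field|
    column = "encrypted_#{field}"

    define_method("#{field}=") do |value|
      @row[column] = AttributeCipher.encrypt(value, @key, aad: column)
    end

    define_method(field) do |actor:|
      @audit_log << { actor: actor, field: field, at: Time.now.utc }
      AttributeCipher.decrypt(@row[column], @key, aad: column)
    end
  end
end

# Flip one bit of the stored ciphertext and confirm the read fails closed.
def tamper_detected?(record, field)
  column = "encrypted_#{field}"
  raw = Base64.strict_decode64(record.row[column])
  last = raw.bytesize - 1
  raw.setbyte(last, raw.getbyte(last) ^ 0x01)
  record.row[column] = Base64.strict_encode64(raw)
  record.public_send(field, actor: 'integrity-check')
  false
rescue OpenSSL::Cipher::CipherError
  true
end

def demo
  key = SecureRandom.random_bytes(32)   # constructed demo key, see lead-in
  rec = PatientRecord.new(key)
  rec.name = 'Jane Doe'                 # constructed sample PHI
  rec.email = 'jane@example.org'
  {
    stored_name_is_ciphertext: !rec.row['encrypted_name'].include?('Jane'),
    name_round_trip: rec.name(actor: 'dr_smith'),
    audit_entries: rec.audit_log.size,
    tamper_detected: tamper_detected?(rec, :email)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two points this example makes that a column-level check would miss: encrypting at rest protects against a leaked dump of the MySQL data files or backups, but not against an attacker who reaches the application with a valid key, so the audit log and the `actor:` requirement on every read matter as much as the cipher; and an authenticated mode (GCM) is what turns "Storage Encryption" into "Integrity", since unauthenticated AES-CBC would return silently corrupted plaintext under the same bit flip.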