mahealth wrote on Saturday, September 14, 2013:
We have servers set up in a HIPAA compliant datacentre, meaning that we do not have to worry about the finer detail, as all the auditing, reviewing, testing, etc. are done by the datacentre staff themselves, leaving us free to concentrate on other matters.
The basic requirements are:
HIPAA is an unusual law in that it makes a lot of recommendations (addressable items) and a few assertions (required items), but in the end it is up to each organization to determine for themselves what they need to do to be compliant. This creates a great deal of flexibility and also a great deal of uncertainty. In general, to be HIPAA-compliant, a web site must at a minimum ensure that all protected health information (ePHI):
*Transport Encryption: Is always encrypted as it is transmitted over the Internet
*Backup: Is never lost, i.e. should be backed up and can be recovered
*Authorization: Is only accessible by authorized personnel using unique, audited access controls
*Integrity: Is not tampered with or altered
*Storage Encryption: Should be encrypted when it is being stored or archived
*Disposal: Can be permanently disposed of when no longer needed
*Omnibus/HITECH: Is located on the web servers of a company with whom you have a HIPAA Business Associate Agreement (or it is hosted in house and those servers are properly secured per the HIPAA security rule requirements).