  1. #1

    HIPAA hosting question: patient files?

    We have a dedicated server for a website that contains patient information (the website therefore needs to be HIPAA compliant).

    One compliance issue I'm having however is what to do with the server directory that stores patient files. Basically, the website admin needs to upload a patient PDF to the website, however, these files are currently simply stored in a basic folder on the server. Which means I can simply log onto the server (I'm the "network admin"), open the folder and view any patient file I wish. I'm assuming this violates HIPAA compliance. To prevent this, I've asked the web admin to instead upload password protected zipped files for now.

    So, my question is, is there any alternative to zipping these files? I mean, is there something I can do on the server to lock it down so nobody, not even myself, can check out the contents of that directory?

    Thanks.

    -Goalie35

  2. #2
    Join Date
    Jul 2006
    Location
    Detroit, MI
    Posts
    1,955
    Quote Originally Posted by Goalie35 View Post
    We have a dedicated server for a website that contains patient information (the website therefore needs to be HIPAA compliant).

    One compliance issue I'm having however is what to do with the server directory that stores patient files. Basically, the website admin needs to upload a patient PDF to the website, however, these files are currently simply stored in a basic folder on the server. Which means I can simply log onto the server (I'm the "network admin"), open the folder and view any patient file I wish. I'm assuming this violates HIPAA compliance. To prevent this, I've asked the web admin to instead upload password protected zipped files for now.

    So, my question is, is there any alternative to zipping these files? I mean, is there something I can do on the server to lock it down so nobody, not even myself, can check out the contents of that directory?

    Thanks.

    -Goalie35
    It's been a while, and our HIPAA auditors would know better, but I don't think you can have patient files on a publicly accessible server. You should address that issue first.

    Kind Regards,

  3. #3
    Join Date
    Jan 2005
    Posts
    326
    I would like to know who this website is for that is storing patient files on a web server that is on the internet.
    And people wonder how information about them gets released. pfff
    http://www.privacyrights.org/ar/ChronDataBreaches.htm
    Charles

  4. #4
    Neosmith, it's a small medical company. In total, they probably upload about 5 patient files per week. These files can then be downloaded by the patients' physicians. The site is currently still in development however.

    This is my first HIPAA application. I've researched a great deal about HIPAA compliant websites and I've setup the site as secure as I can however there's still a couple of items I need to correct (such as this one).

    So I would greatly appreciate any links or recommendations on how to go about setting up this directory.

    Thanks again.

    -Goalie35

  5. #5
    Join Date
    Jul 2006
    Location
    Detroit, MI
    Posts
    1,955
    You need to work with a company that has experience with HIPAA regulations. We contract a HIPAA auditor just for such clients. It's not as simple as using passwords on some files...

    Regards,

  6. #6
    Join Date
    Mar 2005
    Location
    In a petri dish
    Posts
    23
    So much for the Privacy part of HIPAA...

  7. #7
    Join Date
    Dec 2007
    Posts
    271
    Yeah.. I work for a very large insurance company and I happen to be in Risk and Compliance.

    You can transmit PHI over the internet provided it is encrypted (SSL). However, storing it on a public web server is a big no-no.

    Think of it like this.. You can have a front facing webserver but uploads need to be done using sftp or https. But you need to store these files somewhere else. You can have a front facing website but your application and data layers can not be accessed from the internet.

    In short it can be done. But it is not cheap or easy. Password protected PDF files will only pass if they are being e-mailed using additional encryption.

  8. #8
    Join Date
    Jan 2003
    Location
    Texas, where else?
    Posts
    1,571

    All I can say is my wife works in the medical field. The company she works for provided all employees with computers in late 2006 (laptops) with a special highly encrypted program on it. The only thing it could "login" to was the company server which was set up by a private firm that specialized in all this (and the compliance). She could see only files that directly related to her work with her patients (not other peoples patients and not their complete medical files, only what would be needed for her job description).

    3 months ago the company returned all the computers and went back to paper (a HUGE time waster, tons of paperwork and having to ask another caregiver for the information she could simply access by computer when they had them).
    The problem was this was one of only a handful of companies that provided this service with all the necessary encryption and HIPAA compliance. Once they were all "up and running" they started raising the cost almost monthly and soon her company was priced out of the service.
    I don't know any more than that about it but they were highly specialized. All data was stored on their servers with uploads very highly encrypted from my wife's computer to the company's server then to the provider's system to maintain HIPAA compliance. (And nothing "left" on the "office" servers so if somebody broke into the server closet and stole one it would be empty of those files.)

    There was no way her company could ever set up such a system on their own so it was pay the ever-rising price or use old-fashioned paper files. Of course with paper there has to be a degree of trust that one employee will never look in someone else's file in an unlocked cabinet but...

    I can't imagine how you would have to secure everything with a system like they had (sounds like what you need, only the right people can see the right files) and it was all highly encrypted...then that company had to meet inspections by some agency to make sure it was all as secure as it was supposed to be. (And the computers like my wife's laptop could only connect to their system. The browsers that must have come installed on the PCs simply didn't work. No Internet access at all except the transfer from her company's offices to the home office, then to the provider.)

    I know this doesn't help, but I'd hate to be in your shoes. However I do know there are companies that will set all of it up for you...for a VERY handsome price!

  9. #9
    Join Date
    Jul 2006
    Location
    Detroit, MI
    Posts
    1,955
    Quote Originally Posted by DDT View Post

    I know this doesn't help, but I'd hate to be in your shoes. However I do know there are companies that will set all of it up for you...for a VERY handsome price!
    The last HIPAA application we wrote cost 6 figures - a large part of that was to 1099 the compliance officers.

    Best of luck to the OP.

    Regards,

  10. #10
    I can't speak to the specific HIPAA requirements, but look at public key encryption for those files. This will have a steep learning curve for the sender/receiver, but so long as they only encrypt with the receiving physician's public key, no one else but the sender/receiver will be able to decrypt the files. AES encryption should satisfy HIPAA as it's good enough for the DoD.

    Sounds like you could use some solid legal advice from a lawyer educated in these matters as well.

    Good luck.

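    The scheme 2synapses describes, encrypting each uploaded file to the receiving physician's public key so that the server (and its administrator) only ever holds ciphertext, as an added worked example that is not part of the original thread or the OP's site. It uses only Go's standard library: a random AES-256-GCM key protects the PDF and RSA-OAEP wraps that key to the physician's public key. The physician names, the record label, and the PDF bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedFile is what the web server writes to the upload directory. Every field
// can sit where an administrator can read it: the key is wrapped, the PDF is ciphertext.
type SealedFile struct {
	WrappedKey []byte // random AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // fresh AES-GCM nonce for this file
	Ciphertext []byte // PDF bytes encrypted and authenticated with AES-256-GCM
}

func newGCM(key []byte) (cipher.AEAD, error) { // AES-256-GCM from a raw 32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext so only the holder of the private key matching pub can
// read it. label (a constructed record identifier) is bound into both the key wrap
// and the GCM tag, so a sealed file cannot be renamed or swapped between records.
func Seal(pub *rsa.PublicKey, plaintext, label []byte) (*SealedFile, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce; never stored
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, label)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, label)
	return &SealedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the physician's own machine, where the private key lives. It fails
// when the key is wrong, the label differs, or any byte of the file was modified.
func Open(priv *rsa.PrivateKey, sf *SealedFile, label []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sf.WrappedKey, label)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, sf.Nonce, sf.Ciphertext, label)
	if err != nil {
		return nil, fmt.Errorf("decrypt file: %w", err)
	}
	return pt, nil
}

// Demo keys two physicians, seals a constructed PDF for the first, and reports whether
// the recipient can read it, a different physician is rejected, and tampering is rejected.
func Demo() (recipientOK, otherRejected, tamperRejected bool, err error) {
	drA, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	drB, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	pdf := []byte("%PDF-1.4\n% constructed sample, not a real patient document\n")
	label := []byte("record-0001.pdf") // constructed identifier
	sealed, err := Seal(&drA.PublicKey, pdf, label) // what the upload handler stores
	if err != nil {
		return
	}
	got, openErr := Open(drA, sealed, label)
	recipientOK = openErr == nil && bytes.Equal(got, pdf)
	_, openErr = Open(drB, sealed, label)
	otherRejected = openErr != nil
	tampered := *sealed
	tampered.Ciphertext = append([]byte(nil), sealed.Ciphertext...) // copy, then flip a bit
	tampered.Ciphertext[0] ^= 0x01
	_, openErr = Open(drA, &tampered, label)
	tamperRejected = openErr != nil
	return
}

func main() {
	fmt.Println(Demo()) // true true true <nil>
}
```

    Two points a practitioner should keep in mind with this layout. The physician's private key must never be on the web server; only the public key is uploaded there, so a copy of the upload directory is useless to whoever takes it. And the upload handler still sees the plaintext for the instant before Seal runs, which is why the thread's other advice, keeping the data layer off the internet-facing host, still applies; as Slowhand says in the reply below, the encryption is a small part of the overall picture.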
  11. #11
    Join Date
    Jul 2006
    Location
    Detroit, MI
    Posts
    1,955
    Quote Originally Posted by 2synapses View Post
    I can't speak to the specific HIPAA requirements, but look at public key encryption for those files. This will have a steep learning curve for the sender/receiver, but so long as they only encrypt with the receiving physician's public key, no one else but the sender/receiver will be able to decrypt the files. AES encryption should satisfy HIPAA as it's good enough for the DoD.

    Sounds like you could use some solid legal advice from a lawyer educated in these matters as well.

    Good luck.
    Encryption is such a minuscule part of HIPAA that it's not even worth mentioning IMO. HIPAA is more about the setup and processes surrounding the files than it is the technology. I can speak authoritatively on this matter: the OP needs an independent auditor.

    Regards,
