by contagionhealth 5959 days ago
HIPAA compliance is no joke.

Take a look at documentation provided by the Joint Commission (JCAHO) which certifies hospitals and CCHIT for generalized standards (no one ring to bind them all in terms of compliance for software), also HIPAA.org.

You may want to review the CMS HIPAA checklist (http://www.cms.gov/hipaa/).

As a best practice, I've seen basic "PHI" or personal health information (identifying info like name, Bday, sex, SSN) encrypted, but this is not 'required.' Some programmers/sites go further and encrypt everything, as stated by others below.

Careful with the email transmission; various legal concerns (and some regulatory standard interpretations) mean most 'sites' keep this info on LANs or HISs or perhaps on web hosted sites.

Take a look at Kaiser's KPConnect PHR portal, which is powered by Epic, as an example. You can dig up plenty of stuff about that system on Google.

Generic presentation of concerns, but worth a quick skimming: http://npag.org/NPAG_images/NPAG%20Health%20IT%20Prez-Kenned...

For nifty open source stuff, check out popHealth (by Mitre), OMHE (for mobile) and hData (XML).

http://code.google.com/p/omhe/

http://www.projecthdata.org/

http://projectpophealth.org/
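The field-level encryption of identifying PHI that the comment describes as common practice, as an added example that is not part of the original post or of any of the projects it links: a constructed patient record whose name, birth date, sex and SSN are sealed with AES-GCM while the non-identifying notes stay in clear. The record layout, field names and sample values are assumptions made for the illustration; the key in `main` is generated at random for the demo only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// PatientRecord is a constructed sample layout. Name, DOB, Sex and SSN stand
// for the identifying fields the comment calls PHI; Notes stands for the rest.
type PatientRecord struct {
	Name, DOB, Sex, SSN string
	Notes               string
}

// EncryptedRecord holds each PHI field as base64(nonce || ciphertext || tag)
// and leaves Notes as plaintext, mirroring the "encrypt the identifiers" practice.
type EncryptedRecord struct {
	Name, DOB, Sex, SSN string
	Notes               string
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one value with a fresh random nonce and binds the field
// name as additional authenticated data, so a ciphertext copied from the SSN
// column into the Name column fails authentication instead of decrypting.
func sealField(aead cipher.AEAD, field, value string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(value), []byte(field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openField reverses sealField; any tampering, wrong key or wrong field
// name surfaces as an error from aead.Open.
func openField(aead cipher.AEAD, field, enc string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptPHI seals only the identifying fields of r under key.
func EncryptPHI(key []byte, r PatientRecord) (EncryptedRecord, error) {
	aead, err := newGCM(key)
	if err != nil {
		return EncryptedRecord{}, err
	}
	out := EncryptedRecord{Notes: r.Notes}
	for _, f := range []struct {
		name, src string
		dst       *string
	}{{"name", r.Name, &out.Name}, {"dob", r.DOB, &out.DOB}, {"sex", r.Sex, &out.Sex}, {"ssn", r.SSN, &out.SSN}} {
		if *f.dst, err = sealField(aead, f.name, f.src); err != nil {
			return EncryptedRecord{}, err
		}
	}
	return out, nil
}

// DecryptPHI is the inverse of EncryptPHI.
func DecryptPHI(key []byte, e EncryptedRecord) (PatientRecord, error) {
	aead, err := newGCM(key)
	if err != nil {
		return PatientRecord{}, err
	}
	out := PatientRecord{Notes: e.Notes}
	for _, f := range []struct {
		name, src string
		dst       *string
	}{{"name", e.Name, &out.Name}, {"dob", e.DOB, &out.DOB}, {"sex", e.Sex, &out.Sex}, {"ssn", e.SSN, &out.SSN}} {
		if *f.dst, err = openField(aead, f.name, f.src); err != nil {
			return PatientRecord{}, err
		}
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // demo-only key; a real deployment keeps it in a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record; the SSN is a placeholder, not a real number.
	rec := PatientRecord{Name: "Jane Doe", DOB: "1970-01-01", Sex: "F", SSN: "000-00-0000", Notes: "routine visit"}
	enc, _ := EncryptPHI(key, rec)
	dec, _ := DecryptPHI(key, enc)
	fmt.Printf("stored: %+v\nrestored: %+v\n", enc, dec)
}
```

Binding the field name as associated data is the detail worth copying: it stops column-swap and replay-between-fields mistakes that a plain per-field encryption would silently accept.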