by nates 2734 days ago
Makes sense. I am sure I misworded, and got turned around a bit. Much of the documentation with FHIR talks about OIDC, which seems to be in place if you are doing much more sharing of your data. These things, as you mention, are probably beyond what is necessary initially and could be added at a further date. However, using a service or an open source project that can allow you to scale to that size is an interesting proposition.
2 comments

HIPAA applies to all health data regardless of what you do with it. It’s one of the few things similar to ITAR that you cannot put off for later. The fines for not complying can be staggering ($50k-$1.5m).

I highly recommend talking to someone who knows HIPAA well.

If you are handling any kind of medical data about people, then you cannot think about security at a future date and your life will be difficult from the start.
Did I say security? I said sharing at a future date.