by noir_lord 2734 days ago
I've had an idea for a product I've put on hold for two years because it involves medical data and I just don't know if I can secure it to a level I'd be happy with from a moral point of view.

That's before the law gets involved as well.


Yeah... HIPAA is definitely tough. I'd check out https://www.aptible.com if you haven't already. It will at least help out with the infrastructure side of things. Although it does seem like Heroku is offering some services that help too (https://blog.heroku.com/announcing-heroku-shield).

It's definitely not enough alone, but at least gets you going on the security & compliance aspects.

I'm in the UK and our rules are different; we don't have anything directly equivalent to HIPAA (I suspect because we don't currently have the huge number of private hospitals/doctors the US has). In fact, even finding out the exact standards you'd have to comply with for the UK is a challenge.

GDPR is good in that regard as the standards are high and apply to more than just electronic storage/interchange.

People have to follow the Data Protection Act.

Are these useful?

Here's the Code of Practice for NHS organisations and staff: https://www.gov.uk/government/publications/confidentiality-n...

Here's the other code of practice for everyone working with NHS data: https://digital.nhs.uk/data-and-information/looking-after-in...

And here's the guidance about when to share if it's needed: https://digital.nhs.uk/data-and-information/looking-after-in...