by sithu
4097 days ago
HIPAA is surprisingly vague about the minimum standards for compliance, calling encryption "addressable" instead of "required" [1]. I believe this goes for both data in transit (HTTPS) and data at rest. I've seen some say that HTTPS is required, but I can't find this on the gov site. My understanding is that if you choose not to encrypt, the burden of proof is on you, should anything bad happen, to prove that implementing it was not "reasonable and appropriate". Since I can't think of any circumstances where sending plain-text patient info over the internet is reasonable, I'll choose to encrypt. The other things for HIPAA compliance are complete audit logging, so you can see who has accessed anything, and training of staff who have access to protected health info. Most HIPAA recommendations seem to be a good idea to do anyway.

[1] http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2001.h...