Hi Glen, I am not a lawyer, so please bear that in mind. However, I do work for a major hospital, and have some experience with making IT systems compliant with HIPAA regulations. That said, it's been a few years since I was involved in that directly. So my experience may well be out of date.
On Thu, Mar 12, 2009 at 3:45 PM, Glen Jarvis <[email protected]> wrote:

> The customer wants to take this software in a more public arena. He has to
> get HIPAA approval.

The above is incorrect. HIPAA itself does not provide anything like a pre-approval process. Instead, the health care organization is subject to audit by FDA/HHS auditors. These auditors will require the organization to provide policy manuals that state how the application complies with HIPAA regulations regarding privacy of Protected Health Information, access control and security. The auditors will then require the organization to provide any and all logs from the application in order to check said compliance. If the organization fails to provide either the written policies or the logs, or if the logs contradict the policies, then monetary penalties can be assessed.

If I remember correctly, there are regulations about what must be logged, also. If the application provides insufficient logging, that too can be problematic.

If an audit occurs while a system is in the process of being developed, the auditor will make a note of it (and not expect any policies/logs/etc.) and on the next visit, you can expect them to ask about that system specifically.

> The data is stored in a MySQL database and the standard
> Django User Authentication model is used (out of the box with no changes).
> Since security is a concern for the customer, I wanted to find all
> information from HIPAA regarding the Django User Authentication/Sessions
> security model before I did more work.

I doubt you will find much information regarding Django's auth framework and its HIPAA compliance, or lack thereof. The auth framework in its own right makes no claims to HIPAA compliance, and Django out-of-the-box doesn't implement sufficient logging (in my I'm-not-an-auditor opinion). You would need to add the necessary logging. Not a hard task. But you will need to acquire a fairly substantial knowledge of HIPAA requirements in order to figure out what's necessary and what goes too far.

The point is that any organization using Django in a HIPAA-compliant situation is going to have done their own assessment of the resulting app (or have hired HIPAA consultants to assess). They will have had to build into the app certain policies, certain ways of approaching the information they manage. And they'll have done it themselves. Django itself isn't billed as being HIPAA-compliant. Technologies or products that do sell themselves as HIPAA-compliant put themselves in legal jeopardy if a health organization purchases that product, uses it per the documentation, and is found not to be in compliance. So don't expect any open source technology to advertise compliance. Instead, expect at most a pointer to "our technology was implemented in a compliant fashion by X".

> I expected to see documents that they
> have approved this model in the past.

As per above, HIPAA doesn't approve individual technologies. They audit and approve sets of policies and the implementation of those policies in a given organization.

> Does anyone know where to find such "stamp of approval" or "denial" from
> HIPAA's point of view?

I doubt you'll find such.

> I can find no specific links to Django from
> hippa.org.

For the benefit of non-healthcare folks, the site is http://www.hipaa.org/.

> Which governmental agency site should I be searching for with
> regard to Open Source and security?

None that I know. I am perhaps out of date, though.

> Thanks in advance for any direction you can lead me in (where to go or who
> to talk to),

Based on my previous experience, I don't believe there is an easy answer. If you have lots of time, and little money, one way to solve the issue is to read HIPAA and the various recommendations for implementation, and do-it-yourself. The other option, if you have money but less time, is to hire a consulting group that specializes in HIPAA, and have them distill things for you. You'll still have to do the implementation, but they'll give you a plan and check your results. If you can afford the time to learn it yourself, expertise in HIPAA implementations can be a very lucrative specialty. $75k on a short consulting engagement, versus $20,000,000 in fines. Hospitals will always pick the former, assuming they choose to do the project at all.

For what it's worth, I believe a system built with Django could be implemented in a way that complies with HIPAA privacy and security regulations. I don't even think it would be that hard to do. HIPAA is more about the organization having in place policies that comply, and that the system expresses those policies. A lot of compliance is subject to interpretation; there's some leeway as to what is and what isn't compliance.

Also for what it's worth, I have a suspicion that if your customer is already using that Django application to store production patient information, that system is already subject to HIPAA regulations, regardless of whether it is public or not. As a hint, test data should absolutely NOT be real patient info. Use obviously fake patients, e.g. "Daffy Duck, MRN 123456789". Disclosure of real patient data from a test system is still disclosure, and subject to penalties. And since security policy enforcement is usually less on a test system ("Oh, sure, I'll show you how it works on test, no problem!"), the chances of disclosure are higher.

---Peter Herndon
http://spookypony.com
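Peter's reply says Django's stock auth framework does not log enough for an auditor and that adding the logging is not hard. The block below is an added example (mine, not Peter's and not Django's own code) of the minimum such a trail needs: who did what to which record, when, with what outcome, written to an append-only hash chain so after-the-fact edits are detectable. The two receivers have the signatures of Django's `user_logged_in` and `user_login_failed` signals; `AuditLog`, `log_phi_access` and the `patient:<id>` target format are my own assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

class AuditLog:
    """Append-only, hash-chained trail: actor, action, target, timestamp, outcome."""

    def __init__(self):
        self.entries = []
        self._prev_hash = "0" * 64  # chain anchor for the first entry

    def record(self, actor, action, target, outcome):
        # Identifiers only (username, record id); PHI itself never goes into the log.
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "target": target, "outcome": outcome,
                 "prev": self._prev_hash}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev_hash = entry["hash"]
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """False if any entry was edited, removed or reordered after being written."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

audit = AuditLog()  # one process-wide trail; a real deployment would persist it

# Receivers shaped for Django's user_logged_in / user_login_failed signals; in a real
# app connect them in AppConfig.ready(), e.g. user_logged_in.connect(on_user_logged_in).
def on_user_logged_in(sender, request, user, **kwargs):
    return audit.record(str(getattr(user, "username", user)), "login", "session", "success")

def on_user_login_failed(sender, credentials, **kwargs):
    # Only the attempted username is kept; the submitted password is deliberately dropped.
    return audit.record(credentials.get("username", "<unknown>"), "login_failed", "session", "failure")

def log_phi_access(user, record_id, action, allowed):
    """Hypothetical helper: call from every view that reads or changes a patient record."""
    return audit.record(str(getattr(user, "username", user)), action,
                        f"patient:{record_id}", "success" if allowed else "denied")
```

Denied attempts are recorded alongside successes on purpose, since an auditor reading the trail wants to see access-control decisions, not just completed reads.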

