What a great discussion thread!

Gary,

I currently use MySQL as part of a HIPAA compliant system for the
integration of web-based apps with Patient Care information.

HIPAA (Health Information Portability and Accountability Act) is a set of
standards set by the US Government to protect people's private health
information. Although created in 1996, only recently (April 2005) has it
started to really affect the way that health care organizations need to
worry about its IT implications.

So, let's get to the quick and dirty bottom of this: 
        Is MySQL compliant -- NO. Neither is any other RDBMS on the market
today. 

The way that data is stored is not the issue. It's the way that data is
collected that is at the heart of the RDBMS part of HIPAA.

You are correct that the Electronic Data Interchange (EDI) and application
layers are responsible for the encryption of the data. As long as the data
is in a locked, windowless, office (hopefully a server room) with adequate
security features (like physical security) and the system is locked with
passwords and has virus protection, then the data is HIPAA compliant.

What HIPAA was truly designed for was not the storage of data but the
PORTABILITY of data. How is the data accessed and who sees it? 

Data needs to be accessed over a secure connection, either via SSL or other
encryption standards (AES, WEP, TLS, etc.) and must have a strong password
(minimum 8 characters, alphanumeric, and special characters) in order to
decrypt it. That being said, only certain individuals are even allowed to
access that data, set up via Active Directory, directory shares, or by
access lists. With the web based applications that I use, you must either be
inside the network or access it via a 128-bit encrypted VPN. Not only does
the data transmission need to be encrypted, but it also needs to be
adequately logged as to who sees it, what they were looking at, how long
they were there, and what their purpose was. 

Now the systems that I designed/use were designed with HIPAA in mind, so,
save 1 or 2 tables, everything is in integers. Printing out an entire table
of data and leaving it in the cafeteria is not an issue as you would see
nothing but numbers. Without having the database schema in hand to reference
what all the numbers mean, you won't be able to determine anything.

Now, I am just a computer jockey with umpteen years experience under my
belt, so don't take what I have written here to be law. However, being in
the healthcare field and designing databases with HIPAA compliance in mind
has been a huge help.

There are lots of sites out there with much more information than I have in
my head, so I would seek those out as well.

One site, http://www.wpc-edi.com/hipaa/ has all the data that you need
straight from the ass's (oops, horse's) mouth of the US Gov't. 

I have helped in the authoring of a few papers on HIPAA compliance and
computers in the healthcare industry that, if this would be of interest to
anyone, are available. Please email me directly, as putting them on the list
would be unwanted propaganda.

I hope this sparks some more discussion from 'the group'.

Sincerely,
J.R.
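An added example, not taken from J.R.'s message or from any real system: one way to put the three points above (integer-coded tables whose meaning lives in separate code tables, an access log that records who looked at what and why, and database accounts that only reach the data over an encrypted connection) into MySQL. Every schema, table, column, account and host name here is made up for the illustration; the database is called `clinic`, the application connects as `webapp`, and the auditor account is `auditor`.

```sql
-- Hypothetical schema; all identifiers below are assumptions for this example.
CREATE DATABASE IF NOT EXISTS clinic;
USE clinic;

-- Code table: the only place an integer diagnosis code becomes readable text.
CREATE TABLE dx_code (
  dx_id   INT UNSIGNED NOT NULL PRIMARY KEY,
  dx_desc VARCHAR(120) NOT NULL
) ENGINE=InnoDB;

-- Patient table: nothing but integers, as in the design described above.
CREATE TABLE patient (
  patient_id INT UNSIGNED NOT NULL PRIMARY KEY,
  dob_days   INT NOT NULL,               -- days since 1970-01-01, not a readable date
  sex_code   TINYINT UNSIGNED NOT NULL,  -- meaning defined outside this table
  dx_id      INT UNSIGNED NOT NULL,
  FOREIGN KEY (dx_id) REFERENCES dx_code (dx_id)
) ENGINE=InnoDB;

-- Access log: who saw it, what they saw, when, and their stated purpose.
CREATE TABLE phi_access_log (
  log_id      BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  accessed_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
  db_user     VARCHAR(93)  NOT NULL,     -- CURRENT_USER() of the connection
  app_user    VARCHAR(64)  NOT NULL,     -- end user as asserted by the web app
  patient_id  INT UNSIGNED NOT NULL,
  purpose     VARCHAR(200) NOT NULL
) ENGINE=InnoDB;

-- Constructed sample data for the example.
INSERT INTO dx_code (dx_id, dx_desc) VALUES (4010, 'Essential hypertension');
INSERT INTO patient (patient_id, dob_days, sex_code, dx_id) VALUES (1001, 7305, 2, 4010);

-- The only read path the application gets: every lookup writes a log row first,
-- and a lookup without a purpose is refused.
DELIMITER //
CREATE PROCEDURE get_patient_record(
  IN p_patient_id INT UNSIGNED,
  IN p_app_user   VARCHAR(64),
  IN p_purpose    VARCHAR(200))
SQL SECURITY DEFINER   -- runs with the definer's table rights, not the caller's
BEGIN
  IF p_purpose IS NULL OR CHAR_LENGTH(TRIM(p_purpose)) = 0 THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'purpose of access is required';
  END IF;

  INSERT INTO phi_access_log (db_user, app_user, patient_id, purpose)
  VALUES (CURRENT_USER(), p_app_user, p_patient_id, p_purpose);

  SELECT p.patient_id, p.dob_days, p.sex_code, d.dx_desc
    FROM patient p
    JOIN dx_code d ON d.dx_id = p.dx_id
   WHERE p.patient_id = p_patient_id;
END //
DELIMITER ;

-- Application account: TLS required, may only call the procedure,
-- has no SELECT on the code table or the patient table.
CREATE USER 'webapp'@'10.0.0.%' IDENTIFIED BY 'CHANGE_ME' REQUIRE SSL;
GRANT EXECUTE ON PROCEDURE clinic.get_patient_record TO 'webapp'@'10.0.0.%';

-- Auditor account: may read the log, nothing else.
CREATE USER 'auditor'@'localhost' IDENTIFIED BY 'CHANGE_ME' REQUIRE SSL;
GRANT SELECT ON clinic.phi_access_log TO 'auditor'@'localhost';

-- Example call as the application would make it.
CALL get_patient_record(1001, 'jdoe', 'scheduled visit 2005-08-05');
```

Two caveats a practitioner should keep in mind with this pattern. The integer-only tables hide meaning only as long as the code tables and the schema are locked down as tightly as the patient data itself, so the `webapp` account above deliberately gets no SELECT on either table. And the procedure can log only the accesses that go through it: a DBA or anyone else holding direct table grants bypasses `phi_access_log` entirely, so those accounts need to be few, reached over SSL, and covered by the server's own query logging.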


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 05, 2005 12:56 PM
To: mysql@lists.mysql.com
Subject: MySQL and HIPAA Compliance?

Hi,

I'm taking a database class and we are given open ended discussion questions
each week.  The question this week is:

"Will MySQL take away market share from popular DBMSs? Will your comments
change if you are told that MySQL is not HIPAA compliant?"

I have been using MySQL for well over 3 years, and other databases for well
over 10 years (professionally, as a coder....bout time I took a class eh?)
and I do think I have an informed opinion for the first part.

I'm weak in the area of HIPAA compliance though.  I know it basically
centers around privacy.  I know it covers things like adequate logging,
encrypted connections, etc, but it also seems to include a lot of EDI
interoperability.  Now that seems to be something that should be handled at
an application level and MySQL shouldn't be penalized because of this.
From the searching I have done, it appears that MSSQL for example offers
this mandatory feature via their Biztalk server (to handle all the EDI).

There are all manner of sites that will discuss HIPAA compliance for a fee.
Is anyone here familiar with this that could provide a reference or a simple
summary?  It seems an interesting and important topic that I thought the
list might be interested in.

Regards,

Gary Huntress

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
