[webproducers] Re: HIPPA Compliant Website
- From: "Lee Semel" <lsemel@xxxxxxxxxxxxxx>
- To: <webproducers@xxxxxxxxxxxxx>
- Date: Mon, 30 Aug 2004 11:00:52 -0400
Hi Evan,
While I'm not an expert on HIPAA and can't provide legal answers for you, HIPAA specifies a set of security and privacy goals, rather than mandating particular technologies. On the software side, these are not all that different from general web security best practices, outlined in the Open Web Application Security Project standards. Not only must your software be coded with security in mind from the outset, but you must give special attention to protecting the data. Who (besides your client) has access to it? How can it be secured from personnel at the web hosting company? What are the procedures to thwart hackers, and what is the recovery procedure once a hacking attack happens? These are just a few of the issues to consider.

Because of the increased security focus in both your software development and hosting setup, an increase in cost for the software development is both reasonable and to be expected.

You may be better off with custom developed software, rather than off the shelf Open Source software for two reasons. First, your client has complex business logic and requirements specific to therapists. Second, while it's easy to customize open source tools' appearance using skins or templates, it's often difficult to customize the business logic, which is hard coded. Once you do, you're locked into that version and are unable to upgrade in the future without manually reapplying all of your changes. This is critical when new security holes are found. Many freely available open source applications are coded without security in mind, and actually require you to configure your setup in an insecure manner (such as using register_globals in PHP).

Please let me know if this helps, and if there's any other information I can provide that can help with your decision.
All the best,
Lee Semel
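An added illustration of the register_globals hazard Lee mentions, not code from either post: the weak pattern that depends on an uninitialized variable, beside the corrected form, with the php.ini setting noted. The function and variable names, and the simulation via extract(), are assumptions made for the example.

```php
<?php
// Added illustration, not code from the original post. It shows the
// register_globals hazard mentioned above and the explicit alternative.
//
// Weak php.ini setting (PHP 4.x/5.x):    register_globals = On
// Corrected php.ini setting:             register_globals = Off
// (Off has been the default since PHP 4.2.0; the directive was removed in 5.4.)
//
// With register_globals = On, PHP turned every request parameter into a
// global variable, so any variable a script forgot to initialize could be
// supplied by the client. extract() below simulates that behaviour so the
// difference can be run on a current PHP version.

function userIsTherapist(array $session): bool
{
    return isset($session['user']['role']) && $session['user']['role'] === 'therapist';
}

// Before: relies on $authorized staying unset unless the session check passes.
function checkAccessWeak(array $session, array $requestVars): bool
{
    extract($requestVars);            // stands in for register_globals = On
    if (userIsTherapist($session)) {
        $authorized = true;
    }
    return !empty($authorized);       // value may have come from the request
}

// After: initialize every control variable and read input only through an
// explicit request array (in real code, the $_GET/$_POST superglobals).
function checkAccessHardened(array $session, array $requestVars): bool
{
    $authorized = false;              // explicit default, cannot be injected
    if (userIsTherapist($session)) {
        $authorized = true;
    }
    $recordId = isset($requestVars['record']) ? (int) $requestVars['record'] : 0;
    return $authorized && $recordId > 0;
}

// Constructed demo: an anonymous visitor (no session) sends
// "?authorized=1&record=7". Only the weak check lets the request through.
$noSession = [];
$request   = ['authorized' => '1', 'record' => '7'];
var_dump(checkAccessWeak($noSession, $request));      // weak check: injected parameter accepted
var_dump(checkAccessHardened($noSession, $request));  // hardened check: denied without a session
```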
-----Original Message-----
From: webproducers-bounce@xxxxxxxxxxxxx
[mailto:webproducers-bounce@xxxxxxxxxxxxx] On Behalf Of Evan Silberman
Sent: Friday, August 27, 2004 10:46 PM
To: webproducers@xxxxxxxxxxxxx
Subject: [webproducers] HIPPA Compliant Website
Hi Folks --
I have a client (an office of therapists) who is looking for a customized Intranet solution, with very complex calendar and contact management tools. The client would be using this Intranet to share confidential client information.

Due to the nature of my client's business, I believe this site would need to comply with the Health Insurance Portability and Accountability Act (HIPAA), which mandates a legal and regulatory environment governing the security and confidentiality of individually identifiable protected health information. Therefore, any healthcare organization using the Internet to send Protected Health Information (PHI) must take steps to protect themselves from known Internet threats.

I don't have the expertise to create a website that meets these needs, so my client met with an independent design firm to discuss the project. The firm then provided a starting estimate of $20,000. When the firm factored in HIPAA, the estimate jumped almost $40,000 dollars.

There are many aspects of a project like this that I am confused about:

1. How does an act like HIPAA affect the structure and development of a website in comparison to a public, database driven website? Would this result in a more costly website?
2. How do HIPAA and Internet Law intersect? What impact does this have on a project like this?
3. What resources are available to learn more about HIPAA and the Internet? (I did Google already)
4. Do open source calendar and contact management tools exist for customization?
5. This solution needs to be remote. Would Outlook be a useful tool by any stretch of the imagination?

I know the details of this scenario are vague; any general thoughts?

As always, THANKS.
__________________________________________________________________________
Be sure to trim your posts and delete personal information such as telephone
numbers if you do not want them in the archive.
To unsubscribe send a blank message with unsubscribe in the subject to
webproducers-request@xxxxxxxxxxxxx
The WPO list is a public discussion forum with a public web archive linked
at www.WebProducers.org.
- References:
- [webproducers] HIPPA Compliant Website
- From: Evan Silberman