Ask HN: HIPAA help. Anyone know a good HIPAA consultant?
Working for a startup on a web app that stores patient information online for later retrieval by healthcare professionals via the web. Anyone know a good HIPAA consultant we can talk to that has a good understanding and familiarity with network security/encryption/web frameworks?
I've done several google searches but many of the results look like they pander to enterprise software suites and large companies.
4 comments
[ 4.9 ms ] story [ 17.2 ms ] threadHIPPAA is mainly about having and following a reasonable process for protecting patient data, both at rest and in-flight on the network. I work with clinical research data, specifically providing clinical data integrated with research data. Mainly, I make sure PHI doesn't get shared with inappropriate readers. This can be a grey area when researchers are in clinic with a patient one day and the next are in the lab with their research hat on. Technically, all my work is covered by IRB approvals, which kick up HIPPAA requirements several notches.
Amazon put out a whitepaper on HIPPAA - skim it over, it's short and gives the high-level picture:
http://d36cz9buwru1tt.cloudfront.net/AWS_HIPAA_Whitepaper_Fi...
I think you can tell a compelling story if you make all your web app access available over SSL, follow the normal warnings from tptacek and crew on how to encrypt passwords and then harden access to the raw back-end servers. I'd recommend hiring a devops/sysadmin who has done this before.
If the security of the back-end is what your startup's selling point is, look into encryption options for your data store (e.g., encrypted by the RDBMS, or something similar).
Those are the types of concerns we try to make sure are checked off here as we work with patient clinical data and research data.
I guess the other thing to mention is that we use disk encryption tools as well - if a laptop walks off one day, we need to be able to say that (a) there is no PHI on it and (b) even if there was, you couldn't get it off (well, assuming that the NSA or equivalent isn't involved).
If you're funded/generating revenue already, maybe hiring someone like Matasano for a penetration test or process review would be prudent.
I'll ask around the research center higher-ups and update if I can track down a recommendation . . .
The former works with some of the largest healthcare companies, and the latter is involved in the tech sector including network and encryption security companies like CipherCloud.