Sitecore Symposium 2019: HIPAA Compliance in Sitecore

HIPAA law is often a topic of conversation and can be a little confusing. This session offered a quick overview and review of the HIPAA law and how it relates to Sitecore hosting and development.

  • What is HIPAA?
    • Health Insurance Portability and Accountability Act
    • Started in 1996
    • Establishes national standards to protect an individual’s medical records and personal health information
  • What is PHI?
    • Protected/Personal health information
    • Personally identifiable information
      • Name
      • SSN
      • Etc
  • What is a Covered Entity?
    • Groups of people that need to protect health data
  • What is a Business Associate?
    • Groups of people that contract work with Covered Entities
    • Must also ensure they protect health data
  • Does HIPAA apply to me or my site?
    • Even if you don’t deal with PHI, the rules cover security measures that should be considered by everyone
    • HIPAA does not define clear rules
    • Each organization may have different rules of what they consider to be PHI
  • Some requirements for HIPAA
    • Data transmitted and stored securely
    • Prevent misuse of data
    • Training about using data
    • Limit employee access to data
    • Documented process of security
    • Audit trail of data access
    • Data should not be altered or destroyed
    • Report any breaches
  • HIPAA breaches
    • 7 million people involved in data breaches in 2018
      • 327 million people in the USA
  • Impacts on hosting
    • Hosting partners need to sign a Business Associate Agreement (BAA)
    • Facility security
    • Access control
    • Audit trail
  • Impacts on Sitecore partner
    • Sitecore partner needs to sign a Business Associate Agreement (BAA)
    • Documented security policies
    • Code review to ensure that one person cannot push code to production without someone else seeing the code

Sitecore HIPAA compliance

  • Sitecore Forms and PHI
    • What information is the user providing
      • Only ask for appropriate information
      • Do not ask for anything you don’t actually need
      • Use Sitecore workflow for form changes
        • Basically a code review for content
    • Is it encrypted during transmission
      • Use at least SSL with a 2048-bit key
      • Full site is HTTPS
      • Only send the form contents through a secure email server
    • Where is the information being stored at rest
      • Encrypt the data in the database
      • Prevent inclusion of PHI in xDB database (not encrypted)
      • Ensure PHI is not ending up in Sitecore logs
    • Where is the information being indexed
      • Do not store submission in the content tree
      • Ensure submissions are not indexed by search engines
    • Who is accessing the submissions
      • Unique credentials to log in to Sitecore
      • Frequent password resets
      • Audit of access to submission logs
    • Create a custom form save action
      • Encrypts the data before saving in the database
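
As an added illustration of the "encrypt before saving" step (this is not code from the session or from Sitecore), the sketch below shows the field-level encryption a custom save action could call before writing a submitted value to the database. `FieldProtector` is a hypothetical helper name; it uses only `System.Security.Cryptography` classes, and it assumes the two 32-byte keys are loaded from a secret store kept outside the database. Wiring it into a Sitecore Forms submit action is not shown.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not a Sitecore API): AES-256-CBC with encrypt-then-MAC.
public sealed class FieldProtector
{
    private readonly byte[] _encKey, _macKey;   // two independent 32-byte keys
    public FieldProtector(byte[] encKey, byte[] macKey)
    {
        if (encKey == null || macKey == null || encKey.Length != 32 || macKey.Length != 32)
            throw new ArgumentException("Both keys must be 32 bytes.");
        _encKey = encKey; _macKey = macKey;
    }
    // Stored layout: base64( IV[16] || ciphertext || HMAC-SHA256[32] )
    public string Protect(string plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = _encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                   // fresh random IV for every value
            byte[] data = Encoding.UTF8.GetBytes(plaintext);
            byte[] ct;
            using (var enc = aes.CreateEncryptor()) ct = enc.TransformFinalBlock(data, 0, data.Length);
            byte[] body = aes.IV.Concat(ct).ToArray();
            using (var hmac = new HMACSHA256(_macKey))
                return Convert.ToBase64String(body.Concat(hmac.ComputeHash(body)).ToArray());
        }
    }
    public string Unprotect(string stored)
    {
        byte[] all = Convert.FromBase64String(stored);
        if (all.Length < 16 + 16 + 32) throw new CryptographicException("Value too short.");
        byte[] body = all.Take(all.Length - 32).ToArray();
        byte[] tag = all.Skip(all.Length - 32).ToArray();
        byte[] expected;
        using (var hmac = new HMACSHA256(_macKey)) expected = hmac.ComputeHash(body);
        int diff = 0;                           // constant-time tag comparison
        for (int i = 0; i < 32; i++) diff |= expected[i] ^ tag[i];
        if (diff != 0) throw new CryptographicException("Stored value was modified.");
        using (var aes = Aes.Create())
        {
            aes.Key = _encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.IV = body.Take(16).ToArray();
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 16, body.Length - 16));
        }
    }
}
```

The MAC is verified before any decryption, so a value altered in the database is rejected rather than returned, which also covers the "data should not be altered" requirement listed earlier.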

Thoughts on “Sitecore Symposium 2019: HIPAA Compliance in Sitecore”

  1. Eric Sanner Post author

    Hi Alex. Unfortunately, I don’t have access to the audio/video recording of the session. I do all of my notes on paper while I’m attending the session. What’s here is all I have. You might be able to reach out to the speaker and see if they recorded it for themselves.

Eric Sanner, Solutions Architect
