HIPAA law is often a topic of conversation and can be a little confusing. This session offered a quick overview and review of the HIPAA law and how it relates to Sitecore hosting and development.
- What is HIPAA?
  - Health Insurance Portability and Accountability Act
  - Started in 1996
  - Establishes national standards to protect an individual’s medical records and personal health information
- What is PHI?
  - Protected/Personal health information
  - Personally identifiable information
    - Name
    - SSN
    - Etc.
- What is a Covered Entity?
  - Groups of people that need to protect health data
- What is a Business Associate?
  - Groups of people that contract work with Covered Entities
  - Must also ensure they protect health data
- Does HIPAA apply to me or my site?
  - Even if you don’t deal with PHI, the rules cover security measures that should be considered by everyone
  - HIPAA does not define clear rules
    - Each organization may have different rules of what they consider to be PHI
- Some requirements for HIPAA
  - Data transmitted and stored securely
  - Prevent misuse of data
  - Training about using data
  - Limit employee access to data
  - Documented process of security
  - Audit trail of data access
  - Data should not be altered or destroyed
  - Report any breaches
- HIPAA breaches
  - 7 million people involved in data breaches in 2018
  - 327 million people in the USA
- Impacts on hosting
  - Hosting partners need to sign a Business Associate Agreement (BAA)
  - Facility security
  - Access control
  - Audit trail
- Impacts on Sitecore partner
  - Sitecore partner needs to sign a Business Associate Agreement (BAA)
  - Documented security policies
  - Code review to ensure that one person cannot push code to production without someone else seeing the code
- Sitecore Forms and PHI
  - What information is the user providing?
    - Only ask for appropriate information
    - Do not ask for anything you don’t actually need
    - Use Sitecore workflow for form changes
      - Basically a code review for content
  - Is it encrypted during transmission?
    - Use at least SSL with a 2048-bit key
    - Full site is HTTPS
    - Only send the form contents through a secure email server
  - Where is the information being stored at rest?
    - Encrypt the data in the database
    - Prevent inclusion of PHI in the xDB database (not encrypted)
    - Ensure PHI is not ending up in Sitecore logs
  - Where is the information being indexed?
    - Do not store submissions in the content tree
    - Ensure submissions are not indexed for search engines
  - Who is accessing the submissions?
    - Unique credentials to log in to Sitecore
    - Frequent password resets
    - Audit of access to submission logs
  - Create a custom form save action
    - Encrypts the data before saving in the database
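The custom save action the notes end with needs an encryption step for each field value; the class below is an added example, not code from the session or from Sitecore. It assumes the action's Execute method gathers the field values and calls Protect before persisting them, that a secret store supplies the two 32-byte keys, and that only .NET Framework's built-in crypto is available (so AES-CBC with an HMAC rather than AES-GCM).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Encrypt-then-MAC for one form field value (AES-256-CBC + HMAC-SHA256), meant to be called
// from a custom Sitecore Forms submit action before the value is written to the database.
public sealed class PhiFieldProtector
{
    private const int IvLen = 16, TagLen = 32;
    private readonly byte[] _encKey, _macKey;   // two independent 32-byte keys from a secret store (assumed)
    public PhiFieldProtector(byte[] encKey, byte[] macKey) { _encKey = encKey; _macKey = macKey; }

    // Stored form: base64(IV || ciphertext || HMAC(IV || ciphertext)). Aes.Create() defaults to CBC/PKCS7.
    public string Protect(string plaintext)
    {
        byte[] pt = Encoding.UTF8.GetBytes(plaintext), ct;
        using (var aes = Aes.Create())
        {
            aes.Key = _encKey;                                       // throws if not a valid AES key size
            aes.GenerateIV();                                        // fresh random IV per value
            using (var enc = aes.CreateEncryptor()) ct = enc.TransformFinalBlock(pt, 0, pt.Length);
            byte[] blob = new byte[IvLen + ct.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, IvLen);
            Buffer.BlockCopy(ct, 0, blob, IvLen, ct.Length);
            using (var mac = new HMACSHA256(_macKey))
                Buffer.BlockCopy(mac.ComputeHash(blob, 0, IvLen + ct.Length), 0, blob, IvLen + ct.Length, TagLen);
            return Convert.ToBase64String(blob);
        }
    }

    // Verifies the MAC before decrypting, so an altered or truncated row is rejected rather than decoded.
    public string Unprotect(string token)
    {
        byte[] blob = Convert.FromBase64String(token);
        int bodyLen = blob.Length - TagLen;
        if (bodyLen < IvLen + 16) throw new CryptographicException("stored value too short");
        using (var mac = new HMACSHA256(_macKey))
            if (!ConstantTimeEquals(mac.ComputeHash(blob, 0, bodyLen), blob, bodyLen))
                throw new CryptographicException("stored value failed integrity check");
        byte[] iv = new byte[IvLen];
        Buffer.BlockCopy(blob, 0, iv, 0, IvLen);
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(_encKey, iv))
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen));
    }

    // Compares a against b[bOff..] without stopping at the first differing byte.
    private static bool ConstantTimeEquals(byte[] a, byte[] b, int bOff)
    {
        int diff = 0; for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[bOff + i];
        return diff == 0;
    }
}
```

Log only the field name and the length of the protected token, never the plaintext or the decrypted value, so the submission path also satisfies the "no PHI in Sitecore logs" point above.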
Hi Eric, is there any chance we can get access to this recorded session?
Hi Alex. Unfortunately, I don’t have access to the audio/video recording of the session. I do all of my notes on paper while I’m attending the session. What’s here is all I have. You might be able to reach out to the speaker and see if they recorded it for themselves.