Community & Support
Support » Post installation

Encrypting for HIPAA compliance

Posted by dbushong on July 18, 2009 at 5:17pm

I've scrounged through the available modules and found pieces that help, but not any thing that works for me. Does anyone else have similar needs?

I want my users to be able to enter their monthly hours for the volunteer work they do at our health care agency. The data must be kept private, per HIPAA regulations, which means no patient details available in clear text. I have HTTPS available, and have made a webform that collects the data, but it is stored on the server/SQL in clear form. Also, I can make the tabulated data emailed to the volunteer coordinator using GPG with her public key, but this becomes an inelegant, cookbook solution that even so, is not quite complete. Is there a better way to do this? CSE (Client side encryption) had potential of being able to help, but didn't give me what I needed.

I would like:

1. Volunteer fills out form that has patient name, activities, dates and hours, miles driven, etc.
2. User does not need to know or enter password (always use recipient's public key, can be hardcoded)
3. Usable enough for your grandmother (e.g., type info, click submit)
4. At any point in this process, no patient data is exposed, except by shoulder-surfing or by recipient with key pair.

Suggestions are welcome.

One alternative is for the user to download a PDF form that is password-protected, but this is not secure, and intimidating for some people. It also fails #2 above, and possibly #3 and #4.

Dave
www.HHHCVolunteers.org

Login or register to post comments Categories: ,

Comments

Take a look at

Posted by pobster on July 18, 2009 at 7:13pm

Take a look at http://drupal.org/project/cse (actually read the project page here; http://equivocation.org/cse it makes more sense for your use case).

Pobster

CSE

Posted by dbushong on July 21, 2009 at 8:45pm

Yes, that looked like it had potential, but what I need to do is create a write-only form where the volunteer doesn't need to know the encryption password.

I installed CSE and will have some other uses for it, but I'm still looking for a way to solve this problem. Right now it looks like I will have to hand-roll something. I don't have a problem with that, but my experience has shown that there is nearly always someone in the Drupal community who has already solved the problem.

Thanks again!
Dave

Did You Get Anywhere?

Posted by snorkers on June 9, 2010 at 10:09pm

I think I've just hit exactly the same problem where I want anonymous users to be able to submit sensitive information [through webforms] and store them within the Drupal database encrypted... all to satisfy HIPAA.

Did you get anywhere with this - I can't see how to utilize CSE in a simple manner?

I know there is talk of including AES within Webform 3.0, but that seems pretty stalled too #254979: AES encrypt webform submissions.

Account blocked at user's request

Does the Secure Pages module

Posted by bsenftner on June 9, 2010 at 10:21pm

Does the Secure Pages module help at all? That module enables you to specify pages that will be transferred via HTTPS, such as any form pages where sensitive information is provided by the user, maintaining the security of that data en-route to and from the user. From that point, I would think that you'd just need to insure that the data is stored in the database in a secure manner.

A prior contract of mine needed to be HIPAA compliant, and the Secure Pages module was used for this purpose. However, they said their lawyers advised them the database did not need to be secure, since only 'security approved staff' would have access to the database itself. Since it was not my ass on the line, I did not push that point...

-Blake
www.BlakeSenftner.com www.MissingUbercartManual.com www.cg-general-store.com www.droplabs.net

Try encrypted_text

Posted by yakmandango on July 4, 2010 at 6:43pm

HIPAA's not my deal. How strongly it is enforced is a mystery to me. But if it is enforced, the HHS wants encryption if it's "reasonable and appropriate". Flat out saying "we've got access control, we don't need encryption" without looking into it might be a bit reckless. They seem to want you to do what you can. Might be good to check if encrypting is possible, and if it isn't document why, like how much it'd cost. Oh yah, and access control can come with a cost, too. Logging, reviewing logs, auditing access privileges... You don't get "access control" by just saying "don't worry, our dudes are cool".

Drupal's got Secure Pages to encrypt during transmission. CSE certainly encrypts in storage, if how it's used works for you. There's also encrypted_text for CCK: drupal.org/project/encrypted_text. Together or separately, they're better than nothing. And what you do with those keys might be important...

HIPAA stuff:

Hipaa Compliance Data Encryption

Posted by cxmcoog on March 23, 2011 at 9:47pm

If your looking for encryption help regarding mysql, I found these guys at RSA this year. They do Transparent Data Encryption for MySQL, Gazzang Inc. Check them out, I don't work for them BTW

nobody click here