Does anyone know if the provided SQL and Active Directory Membership Providers in ASP.NET 2.0+ are HIPAA compliant?
Clarification:
I understand that HIPAA mandates patient information be secured and that certain policies be put in place to secure access to that information. Can Microsoft's SQL and AD Membership Providers be used for handling the authentication of users accessing this information? I expect there to be some policies that need to be established like password length and complexity but is there anything inherit about the way they store information that would invalidate them for the purposes of authorization? Any gotchas or things to look out for?
As required by Congress in HIPAA, the Privacy Rule covers: Health plans. Health care clearinghouses. Health care providers who conduct certain financial and administrative transactions electronically.
Even if an entity is a healthcare provider, health plan or healthcare clearinghouse, they are not considered a HIPAA covered entity if they do not transmit any information electronically for transactions that HHS has adopted standards. In such cases, the entity would not be required to comply with HIPAA Rules.
Organizations that do not have to follow the government's privacy rule known as the Health Insurance Portability and Accountability Act (HIPAA) include the following, according to the US Department of Health and Human Services: Life insurers. Employers. Workers' compensation carriers.
You need a Domain. You may need to purchase a server, convert your existing server into a Domain Controller, or create a secure network in the Cloud. A Workgroup is a deal-breaker if you have any protected data anywhere other than your certified EHR system.
It depends on what you want to do with them, but in short, yes. HIPAA is all about standards for securing your data; the standards aren't particularly harsh, so long as you have a way in place to provide for security. In that way, it's a lot like ISO 9001; so long as you define a security policy and stick with it, you're okay. The mentioned providers are effectively tools.
That said, you may need to do some additional things with your data to assure that it's only clearly accessible from your application; some level of pre-encryption would probably be appropriate. Just understand that it probably doesn't need to be HEAVY encryption; very light would do, so long as you're consistent with the application of it.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With