I'm building a new website that may be subject to HIPAA. But I won't normally need access to the data. If I encrypt, or somehow encode, the personally identifiable parts so that only the user can decrypt or decode them, would HIPAA still apply?

This is related to my other question about avoiding HIPAA.

edit: I should add that my original idea was to have each user store their own data, since I don't have any need for it. The only reason I'm considering storing it for them, is so they can easily access it from anywhere.

Dan

1 Answer

I'm pretty confident that the simple answer is 'no'. Encrypting data is a way to protect it from exposure, but that does not change the definition of scope.

Consider that if the user can decrypt it, then actually your application can decrypt it and, at least in principle, an attacker could subvert the system to display/decrypt information to which they should not have access. Another way of looking at this is that saying "Only the user can..." is not defensible. The user can do nothing that is not facilitated by your software on your computers. You always have the risk that the system will be hacked in some way that allows a third party access to the decryption keys. If you are holding data in scope for HIPAA, encrypting it does not remove it from scope.

JaimeCastells
  • I'm not sure if I want to do this, since it could limit some functionality. But the application probably won't need anything HIPAA considers user identifiable, except maybe dates. But I could work around that by replacing absolute dates with dates relative to a reference date that the user chooses but that isn't stored in the system. I know that actual dates could possibly be inferred if you know when the user enters the data. But the user could also be entering historical and hypothetical data, so you could only guess at the actual dates. – Dan Oct 13 '15 at 22:08
  • The part I haven't figured out yet is how to keep user account info disconnected from user data. So I may just have to learn more about HIPAA and make sure my site is compliant. I'll want to be compliant with the apparent spirit of the law anyway. Hopefully the actual letter of the law isn't much different in my case. – Dan Oct 13 '15 at 22:16
  • Dan, the criterion we used at my last job was based on a diagnosis or a medical payer tied to a patient constituting HIPAA scope. This included information that might imply a diagnosis, such as an appointment with an oncologist or the name of a specific medical procedure, as well as anything connecting patient and insurer. This was a conservative approach that pleased our lawyers. I am not sure I understand the context of your concern about dates, but that would not have been a central criterion for us. – JaimeCastells Oct 15 '15 at 15:19
  • I did some more research, and I don't think the first version of my site will need to comply with HIPAA. But eventually I'll probably add something that requires it. Or find a customer who does. So I'm better off just building compliance in, and learning more about it along the way. So when I actually need to comply, it'll be a lot easier. At least it won't hold up progress on my first version. Anyway, thanks! This discussion helped me realize that avoidance is probably futile. And complying could have some benefits I hadn't thought of. – Dan Oct 16 '15 at 02:27