
I'm currently writing a web application that will need to be HIPAA compliant.

It is very JavaScript heavy, and ePHI will be sent over an encrypted connection in the form of JSON. The transmission and storage of the data is known to be secure. However, the browser environment can't be studied and verified for all cases in the use of the client-side access of the application.

The following question somewhat applies here:

Are there guidelines for application design of HIPAA compliant browser applications?

One of the answers links to this page regarding Security Rule guidance material.

Browser technologies such as localStorage aren't going to be used, and in all cases that I can control it, I'd like to avoid caching any ePHI.

If the user receives some data in the form of JSON, are there ways I can be sure that the information on the client's browser is either erased or encrypted? Is it necessary?

Comments:

  • You cannot erase JSON, you could put an expiry. Encryption is the next best alternative "Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate." – lloyd Aug 14 '15 at 05:24
  • Once sent to a client controlled piece of software (e.g. Browser) your options are pretty limited. Encryption won't help much since the client will also have the keys to decrypt. Setting automatic expiration in JavaScript is good. Next option would be to stream pixels to the browser but unless this is DoD, it's overkill. – DeepSpace101 Aug 14 '15 at 05:34
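The two comments converge on the same practical answer: once ePHI JSON is in the browser you cannot truly erase it, but you can keep it out of persistent storage and expire it from memory. The example below is added here to show what that looks like in client code; it is not code from the question or from either commenter, and the names (`PhiStore`, `fetchPhi`, `ttlMs`, the injectable `now` clock and `fetchImpl`) are this example's own. It keeps records only in a `Map` in memory (never `localStorage`), expires them after a time-to-live, blanks the object tree when a record is dropped, and refuses to retain a response the server did not mark `Cache-Control: no-store`, which catches a deployment mistake that would otherwise leave PHI in the browser's disk cache.

```javascript
// Added example (not from the question or comments): an in-memory holder for
// ePHI JSON with an expiry, plus a fetch wrapper that refuses to keep a response
// the server did not mark "Cache-Control: no-store".
// PhiStore, fetchPhi, ttlMs, now and fetchImpl are names chosen for this example.

class PhiStore {
  // ttlMs: how long a record may live in memory; now: injectable clock (testable)
  constructor({ ttlMs = 5 * 60 * 1000, now = () => Date.now() } = {}) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.records = new Map(); // memory only: never localStorage/sessionStorage/IndexedDB
    // Drop everything when the page is hidden or unloaded (browser only).
    if (typeof window !== 'undefined' && typeof window.addEventListener === 'function') {
      window.addEventListener('pagehide', () => this.clear());
    }
  }

  put(key, value) {
    // Keep a private copy so callers cannot hold a live reference we cannot blank later.
    const copy = JSON.parse(JSON.stringify(value));
    this.records.set(key, { value: copy, expiresAt: this.now() + this.ttlMs });
  }

  get(key) {
    const rec = this.records.get(key);
    if (!rec) return null;
    if (this.now() >= rec.expiresAt) { // expired: wipe on access, never hand it out
      this.wipe(key);
      return null;
    }
    return rec.value;
  }

  wipe(key) {
    const rec = this.records.get(key);
    if (rec) {
      overwrite(rec.value); // best effort: blank fields in place before dropping the reference
      this.records.delete(key);
    }
  }

  // Expire everything past its deadline; returns how many records were wiped.
  sweep() {
    let wiped = 0;
    for (const [key, rec] of this.records) {
      if (this.now() >= rec.expiresAt) { this.wipe(key); wiped++; }
    }
    return wiped;
  }

  clear() { for (const key of [...this.records.keys()]) this.wipe(key); }
  size() { return this.records.size; }
}

// Best-effort in-place blanking of a JSON object tree. JavaScript strings are
// immutable, so this only removes our references to the values; the garbage
// collector decides when the bytes actually go away. That is the honest limit
// the comments above describe: the client can reduce exposure, not guarantee erasure.
function overwrite(node) {
  if (node && typeof node === 'object') {
    for (const k of Object.keys(node)) {
      const v = node[k];
      if (v && typeof v === 'object') overwrite(v);
      node[k] = typeof v === 'number' ? 0 : '';
    }
  }
}

// Fetch ePHI JSON without letting the browser's HTTP cache keep a copy, and
// reject responses the server forgot to mark no-store rather than silently
// retaining PHI that is now also sitting in the disk cache.
async function fetchPhi(url, store, key, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(url, { cache: 'no-store', credentials: 'same-origin' });
  if (!res.ok) throw new Error(`PHI request failed: ${res.status}`);
  const cc = (res.headers.get('cache-control') || '').toLowerCase();
  const directives = cc.split(',').map((d) => d.trim());
  if (!directives.includes('no-store')) {
    throw new Error('server response lacks Cache-Control: no-store; refusing to retain ePHI');
  }
  const data = await res.json();
  store.put(key, data);
  return data;
}
```

In a page, `fetchPhi('/api/patient/123', store, 'patient-123')` loads a record into the store and a periodic `store.sweep()` (or `store.get` on access) retires it after the TTL. The `now` and `fetchImpl` parameters exist only so the behaviour can be exercised without a browser or a server; in production they default to `Date.now` and the global `fetch`. Note that this is a defensive client for honest browsers: as the second comment says, a user who controls the browser can read anything it receives, so the TTL and no-store checks limit accidental residue on shared or lost machines rather than protecting against the user themselves.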
