We have a client (pharmacy) that wants a form on their website that submits to an API that is a HIPAA-compliant service. We are not storing any data, only sending. Does our server/system need to be HIPAA compliant?
1 Answer
That's not how compliance works. You can't just use a service, or secure a server, and check the HIPAA-compliant box.
See, for example, HHS's notes on the Security Rule. Someone, either the covered healthcare association or a business associate, needs to maintain processes to secure protected health information, in transmission as well as at rest.
This is broader than technical controls. Obviously, only allow encrypted traffic such as HTTPS requests. It is probably a good idea to encrypt disks. But also, train employees on the proper procedures to only look at what is necessary to do their job, and to report breaches. In general, implement a formal risk mitigation process.
If you were to get compromised, and this form's submission data were exfiltrated, that would be bad for patient privacy, and possibly your liability.
Get an answer from a compliance person on what PHI is being transmitted, and what your responsibility for it is. If any PHI is in scope, they would have questions for you.