The medical industry is realizing the great potential to streamline and organize their business processes and data with SharePoint 2010. Many healthcare organizations require a HIPAA-compliant SharePoint solution to store and process electronic protected health information (ePHI).
The HIPAA Security Rule covers the standards and implementation specifications that are required to become compliant. The Security Rule applies only to ePHI, whereas the Privacy Rule covers PHI in any form: electronic, oral, or paper.
I’ve recently been researching what makes a HIPAA-compliant SharePoint 2010 environment.
NOTE: I’m not a compliance expert. I’m simply recording my thoughts in hopes of sparking conversation and receiving feedback on real world compliance projects involving SharePoint.
If you have the time and patience to decode the formal HIPAA content published by the U.S. Department of Health and Human Services, I wish you luck. The requirements are very vague, apparently by design, so that they remain technology-agnostic.
For the purposes of this article, I’ll try to summarize and highlight what we as systems administrators and architects must keep in mind when designing new HIPAA-compliant health information systems built on the SharePoint 2010 and Windows Server platforms.
According to “What Makes a Web Site HIPAA-Secure” by Erik Kangas, PhD, and president of LuxSci, a web application must ensure that the ePHI it handles meets the following guidelines to be HIPAA-compliant:
- Is always encrypted as it is transmitted over the Internet (Secure Transmission)
- Is not lost, i.e. should be backed up and can be recovered (Integrity)
- Is only accessible by authorized personnel (Access Control, Authentication)
- Is not tampered with or altered (Audit Controls, Integrity)
- Should be encrypted if it’s being stored or archived (to avoid triggering the breach-notification clause)
- Can be permanently disposed of when no longer needed (Health records must be kept for six years)
These points seem to cover common security policies and procedures that every IT department should comprehensively follow. Every policy and procedure around these points should be well documented in your Governance planning. Let’s analyze these a bit further in the context of SharePoint 2010 and Windows Server 2008.
1. Is always encrypted as it is transmitted over the Internet
This can easily be accomplished by serving SharePoint over HTTPS, i.e. SSL-encrypted HTTP traffic. An SSL certificate is included in all Fpweb.net dedicated SharePoint 2010 hosting plans.
2. Is not lost, i.e. should be backed up and can be recovered
Every production SharePoint implementation needs a Disaster Recovery plan. The DR plan should state how often backups are performed, matched to the amount of data loss that is acceptable in a disaster.
3. Is only accessible by authorized personnel
A large part of your governance planning should include user security, password policies, and procedures for onboarding new employees (and for departing employees). You should also consider how content is downloaded to, and secured on, users’ computers inside and outside your network. Windows Rights Management (AD RMS) and IRM can help here: you can configure rights for Active Directory users to open, modify, print, or forward files. More information on SharePoint Foundation and IRM can be found here. The widespread adoption of smart mobile devices and tablets raises a further point for architects to consider, since ePHI may be downloaded to those devices as well.
4. Is not tampered with or altered
This follows the previous point about how AD RMS and IRM can prevent unauthorized modification, viewing, and distribution. You could also utilize the new Enterprise Content Management (ECM) features in SharePoint 2010 Server to declare documents as records so they cannot be modified. Along with in-place records, you can set up retention and archival policies for the documents. Alongside these new records management features, auditing of document modifications and security changes has been greatly improved.
5. Should be encrypted if it is being stored or archived
When documents are uploaded to SharePoint 2010, they’re stored in SQL Server as BLOBs (or elsewhere if RBS is enabled). SQL Server 2008 R2 Enterprise has a feature called Transparent Data Encryption (TDE) which automatically encrypts your databases at rest. This may be required for your solution. There is a clause in the HIPAA documentation that requires organizations to notify each patient if there is a security breach on the system. By implementing encryption for files stored in the environment, the HIPAA-compliant organization is able to work around this clause because the information remains protected even if the storage is compromised.
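As an added example that is not part of the original post, the T-SQL steps to enable TDE on a SharePoint content database, including the verification query; the database name, certificate name, file paths and passwords are assumed placeholders:

```sql
-- Added example: enabling Transparent Data Encryption on a SharePoint 2010
-- content database (SQL Server 2008 R2 Enterprise). All names below are assumed.
USE master;
GO
-- 1. The database master key (protected by the service master key) protects the
--    certificate, and the certificate protects the database encryption key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
CREATE CERTIFICATE TDE_SharePointCert
    WITH SUBJECT = 'TDE certificate for SharePoint content databases';
GO
-- 2. Back up the certificate and private key immediately and store them off the
--    server. Without this backup the encrypted database, and every backup of it,
--    cannot be restored on another instance (which matters for the DR plan above).
BACKUP CERTIFICATE TDE_SharePointCert
    TO FILE = 'D:\TDEBackup\TDE_SharePointCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\TDEBackup\TDE_SharePointCert.pvk',
        ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO
-- 3. Create the database encryption key inside the content database and turn
--    encryption on. Existing pages are encrypted in the background.
USE WSS_Content_ePHI;   -- assumed content database name
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_SharePointCert;
GO
ALTER DATABASE WSS_Content_ePHI SET ENCRYPTION ON;
GO
-- 4. Verify. encryption_state 3 = encrypted, 2 = encryption in progress
--    (percent_complete shows how far the background scan has got).
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
-- Caveats: once any database on the instance uses TDE, tempdb is encrypted too;
-- TDE covers data files, log files and native backups, but not BLOBs that RBS
-- stores outside SQL Server, and it does not restrict what an authorized SQL
-- login can read, so access control and auditing are still needed.
```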
6. Can be permanently disposed of when no longer needed
Your organization may have policies about document retention which would prevent some content from being deleted. These policies might affect your compliance. You must also remember the data stored in backups. If you back up to tape and ship the tapes offsite, you must make sure that you can access and dispose of these backups when required.
At Fpweb.net we offer HIPAA compliant hosting for Microsoft SharePoint. This means that we’ll get you started with an appropriate hosting plan, but we do not offer any types of environment compliance audits. If you have any feedback, resources, or arguments please share them. I would love to learn as much as I can about HIPAA-compliant SharePoint solutions, AD RMS, IRM, and how these play together.