Subscribe to our newsletterSubscribe
Our HL7 FHIR Server helps you meet HIPAA Regulations
Originally written by Vadim Peretokin
If you need a FHIR server that’s well-tested, secure and complies with all the technical safeguards of the HIPAA Security Rule, look no further. Firely Server is now HIPAA compliant!
The Health Insurance Portability and Accountability Act (HIPAA) is the standard for protecting sensitive patient data in the United States. HIPAA protects patient privacy by prohibiting certain uses and disclosures of health information. It also allows patients to access their own health information and ensures that they be notified of any security breaches involving their health data.
In effect, companies that deal with Protected Health Information (PHI) are required to have proper physical, network, and process security measures in place. This applies to healthcare providers and other companies that provide treatment, payment or operations in healthcare. Naturally, other business entities that support these companies and that also have access to patient information, must also meet HIPAA compliance. Not doing so can result in hefty fines and of course, loss of trust.
Firely helps many companies that fall under these categories. That’s why the Firely Server team has been working hard to help our customers avoid HIPAA violation fines and protect sensitive PHI.
Here are some ways you can do this with Firely Server:
HIPAA requires companies to “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” It also asks you to “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”
With Firely Server, you can encrypt all communication with TLS/SSL. While it’s common practice to use a reverse proxy like NGINX or IIS to do this, you can enable secure connections directly in Firely Server without having to use a proxy. In addition, Firely Server is regularly updated with the latest version of ASP.NET to ensure that the latest cryptographic algorithms are available to you. For more information, see our HIPAA Compliance Guide.
HIPAA also asks companies to ensure that electronic information systems that maintain Protected Health Information (PHI) only allow access to persons or software programs that have access rights.
There are several ways to control access rights with Firely Server:
- Deploy Firely Server in a secure environment and use third-party software to control access rights.
- Use SMART on FHIR to control access rights. Firely Server supports SMART on FHIR, a sibling specification to FHIR for securely connecting third-party applications to Electronic Health Record data. To find out how to configure Firely Server and SMART on FHIR, click here.
- Set up custom authentication using a plugin. Firely Server is based on a pipeline architecture, which means you can insert a plugin at the start of the pipeline to call out to your authentication service(s) prior to handling the request.
For more details on any of these options, you can check out our complete HIPAA Compliance Guide.
HIPAA requires companies to implement hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI. You can easily do this using the Audit Event Log plugin for Firely Server. This will thoroughly log every interaction as a note in a log file and/or in an AuditEvent resource.
These are only some examples of how you can achieve HIPAA compliance with Firely Server. If you’re currently using Firely Server as your FHIR server, you can find our detailed guide here. There you can find more examples of how you can meet other standard requirements, such as encryption and emergency access procedures.
As always, feel free to contact us if you need any help meeting HIPAA regulations during deployment. We will be happy to hear from you.