The HIPAA thing, on smaller scales, ends up a total red herring because most anybody's EMR lives on their iron anyway. My wife's got two, evaluated seven, and each and every one of them waives all the HIPAA stuff onto the provider.
Waving the bullshit flag here... HIPAA compliance completely fucks with your network infrastructure. Case in point, from personal experience: I used to work for F5 Networks, who make (among other things) the finest load balancer in the world. For those who don't know, a load balancer takes traffic coming in from the internet, and directs that traffic to the appropriate servers within your network. Since load balancers are facing the direct onslaught of all internet traffic coming to your domain, they are attacked almost constantly by hackers (not hyperbole... literally multiple times PER SECOND), who are trying to gain access to the internal network services. So your load balancer (or ADC) needs to be SUPER robust to deal with all these different attack vectors. The smartest and best way to defend against most attacks is to have a "full proxy" load balancer. This means that traffic coming in from the internet is completely decoded and disassembled, then, on the other side of the load balancer (your network side) the packets are reassembled and passed along. This decoding/rebuilding of network traffic removes about 95% of the potential attack vectors hackers can use. HOWEVER... Because a full-proxy load balancer decodes the incoming packet, HIPAA regulations say you cannot use this type of load balancer, due to patient privacy concerns. They say that decoding internet traffic at any point between the server and the client is a breach of patient privacy, and is therefore forbidden. This is what happens when government tries to regulate technology. The reality is that, inside the load balancer, the ENTIRE PROCESS happens within code on a chip, and is never, at any point, in any way, accessible to anyone outside the box. Not the administrator, not the hackers... nobody can ever possibly see the unencrypted data. But no... if you have a full-proxy load balancer, then you are breaking HIPAA regulations. (Sorry. I get a little worked up about this shit. 
The government is technologically illiterate, and should be prevented from making ANY technology decisions. See: Apple vs FBI for more examples of government morons at work.)
The best thing about HIPAA is that those of us who touch bare metal need at least a framework to build best practices. The further you are from the server, the less you care about what the computer does and the more you care about the number of billable hours it will cost to defend the decisions. I don't hate you so I won't quote it, but AWS has a series of white papers on cloud infrastructure and HIPAA guidelines. It can be done, there are groups doing it to comply with the 7 year mandates, but I do not have the budget to do so. We went with a vendor who runs the software, builds the apps, etc. and I maintain the server farm, desktops, installs, Windows updates, and the local security, accounts et al. The final rules are here if anyone lurking wants help sleeping. As KB says below: "Wave it all you want, you're wrong. What matters is billable attorney hours and what checks get written." As long as you are encrypting stuff, not backing up to your iPad or Google Cloud Storage (shudder) or doing something otherwise outrageous, when the people come in to inspect they are, from the stories I've been reading and been told, looking for Medicare and Medicaid fraud more than encryption and email violations. The real dance is keeping all the players happy: the Docs, the Clinic Staff, the billing people, the management, the lawyers, the government. (Note the lack of patient in that list.) As long as you have vendors that tell you in writing HIPAA COMPLIANT, and I am getting the resources to stay on top of it, we have the ammo to give the guys in suits.

"HIPAA compliance completely fucks with your network infrastructure."
Wave it all you want, you're wrong. All the technological stuff you're talking about gets totally swept under the rug. Having sat next to five sales presentations, whenever you mention HIPAA compliance they all say "we got this and can protect you" and the conversation moves on. I'm not saying these vendors are HIPAA compliant - I'm saying they're defusing the question their customers are asking effectively, be that through misunderstanding, half-truth or outright deception. Either way, individual practitioners get to check off the HIPAA box without having to know or care what a load balancer is. They mash an icon on their iPad and they're in, and their clients click a button on their website and they're in. So get worked up. Take a stand. Pontificate about encoding. Between the pointy-haired bosses and the sales weasels, you're not only irrelevant, you're a deaf-mute because you won't even be asked. I'll take it further - you could walk into any independent practitioner's office with a white paper and server logs demonstrating that a doctor's EMR isn't HIPAA-compliant and they'll shrug, say "I got my waiver" and tell you to leave.
The sales weasels don't care whether the product does the right thing, they care that the customer thinks the product does the right thing. The pointy-haired boss doesn't care that the product does the right thing, he cares that his ass is covered and he has something to brag about to his pointy-haired boss to prove he has Leadership. Your users care in the abstract, but aren't really interested; if they're told all is well, they'll take it on faith because they just want problems ancillary to what they're trying to do to go away. If you care about your craft or your users, you pick fights with your pointy-haired boss and the sales weasels so you can do whatever it is you're trying to do right. Dominant species or no, PHBs are easier to replace than you are; you can get away with saying "fuck that, here's what we're going to do" as long as you're right. Or you let it grind you down and just do whatever you need to do to keep the PHB smiling, but that'll make you miserable.
Or, if you don't care to write your own HIPAA-compliant EHR for your staff-of-five and client-base-of-hundreds, you accept that the whole thing is a big stupid pigfuck but that it's everyone's big stupid pigfuck and move on. It's like speeding on the freeway - if everyone's doing it, the likelihood of being pulled over is proportional to the redness of your car and personal ethnicity, not proportional to speed. HIPAA, in many ways, is the exact same boondoggle as the Americans with Disabilities Act. 10-20 percent of my audio budget used to be for Assistive Listening Devices because the ADA says you have to assume that 5% of the audience for any given public event is deaf, and you need to provide them headsets, minimum 5. Which means if you have a classroom that seats 20 people, you have to have headsets for 25 percent of the seats. Which means if you have a stadium with 20,000 seats, you've got 200 headsets in a closet somewhere. Which nobody adhered to. Even the building inspectors knew it was a joke. They wanted to see the regulation "six headsets and an emitter" on every spec sheet because they knew it would never get used. Commtek, Genter, Listen Technologies... these are companies that exist to make devices no one will ever use because of legislation. When HIPAA went through I got to start putting in masking systems for every lobby in every medical office. HISSSSSSSSSSSSSSSSSSSSSSSS
Eh. Issues like this are always complaint-enforced. So everything is fine until a patient files a lawsuit. Then your piece of paper won't be worth the paper it was written on. "And your infrastructure isn't HIPAA compliant, either. So add another quarter million onto the award for lack of proper network infrastructure." I rail because the technologically correct answer is inadvertently the wrong legal answer. And that shit pisses me off, because it's gonna be the little practitioners who mashed a button on their iPad who get screwed.
Doesn't matter. The lawyers always go after the deep pockets and the deep pockets are never the individual practitioner. Besides which, a malpractice suit isn't going to be about medical records, a records leak suit is going to be about medical records and then the practitioner points at the waiver and says "talk to my EMR." Rail all you want. Actual HIPAA compliance matters fuckall compared to perceived HIPAA compliance, and perceived compliance is "there's an app for that."