HIPAA Compliance

Hi,

I was recently asked whether ODK & FormHub are HIPAA compliant and I was
unsure how to answer that. If anyone can point me in the direction of any
resources that outline the specific steps an international research
organization would need to take in order to satisfy the requirements to be
HIPAA compliant, that would be greatly appreciated. Especially with regard
to any protocols we would need to implement to secure ODK/FormHub...or
other electronic data collection tools?

Cheers,

- Nikhil

Check this URL:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Nikhil,

https://news.ycombinator.com/item?id=8347418 also has some good resources.

Setting up a true HIPAA compliant server is a ton of work so you'll
probably want to go with something turnkey. Take a look at CommCare
HQ. It's ODK-based and HIPAA compliant. http://commcarehq.org.

Yaw

--
Need ODK services? http://nafundi.com provides form design, server setup, professional support, and software development for ODK.

On Tue, Sep 30, 2014 at 10:09 PM, Ayub nrspaggregate@gmail.com wrote:

Check this URL:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

--

Post: opendatakit@googlegroups.com
Unsubscribe: opendatakit+unsubscribe@googlegroups.com
Options: http://groups.google.com/group/opendatakit?hl=en


You received this message because you are subscribed to the Google Groups
"ODK Community" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks Ayub for the resource. It's a good place to start, but it is difficult to
pull out the exact steps an organization would need to take in order to
demonstrate HIPAA compliance.

Yaw - That's a great resource. Great to see so many organizations fill the
niche space of helping organizations demonstrate HIPAA compliance, although
most are outside our price point at this time...Will have to do more
research.

Would love to hear from anyone else in the group who has tried to undergo
HIPAA compliance. My organization has already built a custom ODK / FormHub
platform for our data collection needs, so we'll probably need to go through
the whole compliance assessment & implementation as we move towards data
collection that includes PHI.

Cheers,

- Nikhil

On Wednesday, October 1, 2014 3:39:02 PM UTC+1, Yaw Anokwa wrote:
> Nikhil,
>
> https://news.ycombinator.com/item?id=8347418 also has some good resources.
>
> Setting up a true HIPAA compliant server is a ton of work so you'll
> probably want to go with something turnkey. Take a look at CommCare
> HQ. It's ODK-based and HIPAA compliant. http://commcarehq.org.
>
> Yaw

Hi Nikhil,

I am very interested in any updates on your research regarding HIPAA-compliant data collection. Do you have any interesting new findings to share?

andrew

On Wednesday, October 1, 2014 at 11:17:28 AM UTC-4, Nikhil Patil wrote:
> Thanks Ayub for the resource. It's a good place to start but difficult to pull out the exact steps an organization would need to take in order to demonstrate HIPAA compliance.
>
> Yaw - That's a great resource. Great to see so many organizations fill the niche space of helping organizations demonstrate HIPAA compliance, although most are outside our price point at this time...Will have to do more research.
>
> Would love to hear from anyone else in the group that has tried to undergo HIPAA compliance. My organization already has built a custom ODK / FormHub platform for our data collection needs so we'll probably need to go though the whole compliance assessment & implementation as we move towards data collection that includes PHI.
>
> Cheers,
> - Nikhil

I would also be interested to learn from your experiences with HIPAA compliance. I have a custom ODK server setup and am wondering whether the ODK server is HIPAA compliant or not. @yanokwa Any thoughts on whether this is the case?

Whether or not a server is HIPAA compliant has a lot to do with the administrative, physical and technical safeguards you have in place. To be compliant, there is a long list of things you must do, including:

  • adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures.
  • have controls that govern the introduction and removal of hardware and software from the network.
  • protect systems from intrusion (typically with encryption, but not necessary on a closed network).

https://www.hhs.gov/hipaa/for-professionals is a good place to start to find out whether your particular install is compliant.
