
I am working on enhancing security in our MySQL database. Specifically, the database stores health information for our clients' patients (so-called PHI), and we would like to separate the patients' names and other identifying information from their health data. What would be some approaches to this issue?

I've thought of one idea: maintain one key for tying the various identifying data together, and another key for linking the health information. These would be mapped to one another with a special "coded key" that would be available only when a clinical user is logged in. Does anyone have thoughts on that approach?

KenBoyer
  • I am not a security expert, and there may be specific, local legal guidelines that one must adhere to in respect of patient data, but... I think the way to maintain security is to keep all the data together, in one table - and only grant access to those who have the relevant permissions. Those without the relevant permissions (but who still want to access 'anonymised' data, or summary stats could access views (subsets) of that data. – Strawberry Jun 12 '14 at 23:31
  • What we're trying to prevent is the case where someone could break into the database and, simply by using the primary and foreign keys of all the tables there currently, gather all patient identifying data, as well as their health data. By placing a special mapping table between the two sets of tables, my idea would rely upon a "special key" that is accessible by only a validly logged-in user (the special key would, perhaps, be stored in something like OpenSSO/OpenAM). – KenBoyer Jun 12 '14 at 23:41
  • Having tried to do precisely this, I was informed in no uncertain terms that it does not comply with HIPAA, ARRA, HITECH, or ISO-29001. The PHI auditors concluded it was both insufficient and unnecessary. Why? Just a patient's diagnosis, or date of birth, or weight, or Rx, or room number, disconnected from her medical record number or name, is PHI. Disappointing! – O. Jones Jun 12 '14 at 23:45
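One way to lay out the mapping-table approach from the question in MySQL, as an added example (not code from the question or the answer): separate identity and health tables, a link table that only the clinical role may read, and a view for anonymised reporting. The database name phi, the table, column and role names, and the sample row are assumptions.

```sql
-- Added example, not code from the question or answer. The database name (phi),
-- table, column and role names, and the sample row are all assumptions.
CREATE DATABASE IF NOT EXISTS phi;

-- Identifying data only: nothing clinical lives here.
CREATE TABLE phi.patient_identity (
  identity_id   BINARY(16)   NOT NULL,   -- non-sequential id, not AUTO_INCREMENT
  family_name   VARCHAR(100) NOT NULL,
  given_name    VARCHAR(100) NOT NULL,
  date_of_birth DATE         NOT NULL,
  PRIMARY KEY (identity_id)
);

-- Health data only, keyed by an unrelated id. As O. Jones notes above, these
-- rows are PHI on their own, so this table gets the same protection.
CREATE TABLE phi.patient_health (
  health_id   BINARY(16)   NOT NULL,
  diagnosis   VARCHAR(255),
  medication  VARCHAR(255),
  recorded_at DATETIME     NOT NULL,
  PRIMARY KEY (health_id)
);

-- The only place the two ids meet. No FOREIGN KEY constraints on purpose, so
-- the schema metadata does not itself spell out how to join the two sets.
CREATE TABLE phi.identity_health_link (
  identity_id BINARY(16) NOT NULL,
  health_id   BINARY(16) NOT NULL,
  PRIMARY KEY (identity_id, health_id)
);

-- Least privilege with MySQL 8.0 roles: only the clinical role can read the
-- link table; a reporting login alone cannot re-identify anyone by joining.
CREATE ROLE 'clinical', 'reporting';
GRANT SELECT, INSERT ON phi.patient_identity     TO 'clinical';
GRANT SELECT, INSERT ON phi.patient_health       TO 'clinical';
GRANT SELECT, INSERT ON phi.identity_health_link TO 'clinical';

-- Anonymised summary for reporting (the "views (subsets)" idea from the
-- comments). The view runs with its definer's rights, so reporting needs no
-- direct grant on patient_health at all.
CREATE VIEW phi.diagnosis_counts AS
  SELECT diagnosis, COUNT(*) AS patient_rows FROM phi.patient_health GROUP BY diagnosis;
GRANT SELECT ON phi.diagnosis_counts TO 'reporting';
-- Writing one (constructed) patient: two independent ids, paired only in the link table.
SET @i = UUID_TO_BIN(UUID()), @h = UUID_TO_BIN(UUID());
INSERT INTO phi.patient_identity VALUES (@i, 'Doe', 'Jane', '1980-01-01');
INSERT INTO phi.patient_health   VALUES (@h, 'J45.9', 'albuterol', NOW());
INSERT INTO phi.identity_health_link VALUES (@i, @h);
```

Roles take effect only once they are granted to an account and activated for the session (SET DEFAULT ROLE or SET ROLE).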

1 Answer


Combining personally identifiable information with health information (dx, symptom, provider, payment, etc.) is PHI. Here's a more detailed discussion of PHI. PII can include all sorts of things.

In terms of protection of PHI, HIPAA is not prescriptive about it. It's one of the major problems with HIPAA and the reason HITRUST is catching on in the industry. Your reasoning from a security standpoint makes a lot of sense but ultimately security is different from compliance.

At Catalyze we've been through 2 HIPAA audits and 1 HITRUST audit/assessment, all using 3rd party auditors. We architected our APIs to segment PII and health data similarly to how you described. Our auditors agreed with Ollie that the segmentation was unnecessary but felt it was an additional way to mitigate the risk of a breach of PHI. At the end of the day we treat all data on our platform as PHI and protect it accordingly, so for us it wasn't a matter of segmenting data in order to be compliant. In our final audit reports, segmenting PII from health data did not address specific requirements of HIPAA but did get mentioned as part of our overall security posture.

Hope that helps!

Travis Good