LinuxQuestions.org

Thread: https://www.linuxquestions.org/questions/linux-software-2/using-gpg-to-comply-with-hipaa-712375/

xri 03-17-2009 08:30 PM

Using gpg to comply with HIPAA
 
For those of you familiar with the convolutions of HIPAA:
  1. An EMR company offers a web server based solution for a medical practice with electronic signing as an additional service (not as an integral part of their charting service). A medical practice initially takes the charting service but not the signing feature and prefers to print all created documents instead and keeps them on paper files.
  2. HIPAA requires signing capabilities for all electronic documents created. That ensures authenticity and (what is also crucial) that the document cannot be altered in the future.
  3. After some time, the practice decides to pay the extra fee to acquire signing capabilities, which allows them to keep electronic records only.
  4. When I take a look at the signed records I notice that they have implemented gpg to sign individual records, all within FileMaker Pro on a Windows server.

Comment:

EMR/EHR companies usually take advantage of the fact that medical providers are usually computer illiterate and will willfully pay outrageously high fees for mediocre services which are almost as lame as using either paper and pencil or "dictation services". In general, what is so special about an EMR program/service in the software market? I know there is a handful of OS EMR out there. However, they seem to assume that they know what fields/format/complexity the provider needs and they look exaggeratedly bloated for many cases. For the purpose of recording medical information, some providers would be better off using a simple word processor like OO Writer. What prevents a medical provider from using a widely available program like OO Writer, OO Base or Kexi to keep her/his medical records? If encryption capabilities are implemented, the only thing missing to make this hypothetical method fully HIPAA compliant would be signing capabilities. This brings me to the

Question:

This missing feature would be using gpg to sign individual documents. Signing *.odt documents with gpg would be quite straightforward. How about signing records on a simple database? How would you implement such a simple method from a technical point of view (word-processor or database + gpg for signing)? What warnings would you make? What obstacles do you see? In short, how would you do it?
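One way to do the "database + gpg" half of this, as an added example that is not from the thread: each row is serialised into a fixed canonical byte form, that form is signed with a detached GnuPG signature stored in a sibling column, and verification re-derives the bytes from the stored fields. It assumes GnuPG is on PATH and that the key id passed as `signer` exists in the keyring with a passphrase gpg-agent can supply (or none); the row fields are constructed sample data.

```python
import json
import subprocess
import tempfile


def canonical_record(record: dict) -> bytes:
    """Serialise one row deterministically (sorted keys, fixed separators, UTF-8)
    so identical field values always give identical signed bytes. The signed
    fields should include the row id and creation time (sample fields here) so a
    signature cannot be moved onto a different row."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def _gpg(args, data: bytes, homedir=None) -> subprocess.CompletedProcess:
    cmd = ["gpg", "--batch", "--yes"]
    if homedir:
        cmd += ["--homedir", homedir]  # keep the signing keyring separate from the user's
    return subprocess.run(cmd + args, input=data, capture_output=True)


def sign_record(record: dict, signer: str, homedir=None) -> bytes:
    """Return an ASCII-armored detached signature over the canonical bytes;
    the row itself stays readable and the signature goes in its own column."""
    r = _gpg(["--armor", "--detach-sign", "--local-user", signer],
             canonical_record(record), homedir)
    r.check_returncode()
    return r.stdout


def verify_record(record: dict, signature: bytes, homedir=None) -> bool:
    """Rebuild the canonical bytes from the stored fields and check them against
    the stored signature; any edited signed field makes this return False."""
    with tempfile.NamedTemporaryFile(suffix=".asc") as sig:
        sig.write(signature)
        sig.flush()
        r = _gpg(["--verify", sig.name, "-"], canonical_record(record), homedir)
    return r.returncode == 0


if __name__ == "__main__":
    # Constructed sample row; the signer key id is an assumption.
    row = {"id": 1042, "patient": "Doe, J.", "created": "2009-03-17T20:30:00Z",
           "note": "Follow-up in two weeks."}
    sig = sign_record(row, signer="clinic-signing-key@example.org")
    assert verify_record(row, sig)
    row["note"] = "Follow-up in six weeks."  # alteration after signing
    assert not verify_record(row, sig)
    print("signature valid before the edit, invalid after it")
```

A detached signature proves the signed fields were not altered, but not that a row was never deleted or that a signature was made at the claimed time; an append-only signed audit log or a timestamping service covers those.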

jschiwal 03-17-2009 10:41 PM

The use of proprietary software in hospitals has produced a serious problem with siloization. Doc Searls wrote an article about this in Linux Journal, and how the impact on himself was nearly fatal. I once saw an open source Content Management system that was written in large part by a Dental Medical School. Open source software is about collaboration, and IMHO, medical schools in the country should take the lead in designing standards and OS software for use by the industry. On the one hand, the records from the department performing CAT scans (for example) need to be readable by a doctor in another department. On the other, the privacy of the patient needs to be preserved.

From a blog by Doc Searls:
http://blogs.law.harvard.edu/doc/200...-health-snare/
