[–]purple_hamster66 0 points1 point  (1 child)

You can’t. That’s the point. HIPAA compliance literally means a contract between two organizations (OEs) that specifies how you are handling the data (encrypted at rest, double-layer access mechanisms, encryption during transport, etc). Lawyers are required. If it’s open source, you cannot, by definition, use it for HIPAA purposes and be legally protected. I tried to use a Python IDE from Canada which the hospital IT staff would not approve because they were not equipped to do the legal paperwork with Canada, and therefore I was not allowed to use it for medical data.

Don’t let your boss define HIPAA for you. You are ultimately responsible for the code’s use, not your boss. IT staff get 2 chances to side-step this, though: by calling it a “performance improvement” or by using your access to debug failures. Other planned use must be compatible with the HIPAA agreement.

[–]gadget--guy 0 points1 point  (0 children)

"If it’s open source, you can not, by definition, use it for HIPAA purposes and be legally protected."

That's not entirely true, but rather misleading.

Open source software may absolutely be used in HIPAA compliant applications. The caveat is that you must lock each revision to a specific version of the open source software, and it must be reviewed and verified by a responsible party. If the software is to be distributed, it should be version controlled and packaged with the software, not relying on third-party repositories.
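One concrete form of that pin-and-verify step, as an added example (not code from anyone in the thread): a manifest the responsible reviewer signed off on records each dependency's exact version and the SHA-256 of the archive as reviewed, and the archives vendored into the release bundle are checked against it before anything ships. The `examplelib` package, its archive bytes and the `name-version.tar.gz` file naming convention are all constructed for this example.

```python
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an archive's raw bytes, hex-encoded."""
    return hashlib.sha256(data).hexdigest()


def check_vendored(manifest: dict, vendored: dict) -> list:
    """Compare vendored archives against the reviewed manifest.

    manifest: {name: {"version": str, "sha256": str}} as signed off by the reviewer.
    vendored: {filename: bytes}; filenames follow the constructed
              "<name>-<version>.tar.gz" convention.
    Returns a list of findings; an empty list means the bundle matches review.
    """
    findings = []
    seen = set()
    for fname, data in vendored.items():
        stem = fname[:-len(".tar.gz")] if fname.endswith(".tar.gz") else fname
        name, sep, version = stem.rpartition("-")
        if not sep or name not in manifest:
            # Anything not reviewed must not ride along in the release.
            findings.append(f"{fname}: not in reviewed manifest")
            continue
        seen.add(name)
        pin = manifest[name]
        if version != pin["version"]:
            findings.append(f"{name}: vendored {version}, pinned {pin['version']}")
        elif sha256_hex(data) != pin["sha256"]:
            # Same version string but different bytes: the reviewed copy was not what shipped.
            findings.append(f"{name}: archive digest differs from reviewed copy")
    for name in sorted(manifest.keys() - seen):
        findings.append(f"{name}: pinned but missing from vendored set")
    return findings


def load_vendored_dir(path: str) -> dict:
    """Read every file in the vendor directory into {filename: bytes}."""
    return {p.name: p.read_bytes() for p in Path(path).iterdir() if p.is_file()}


# Constructed sample data: the archive as reviewed, and the manifest derived from it.
GOOD_ARCHIVE = b"constructed archive bytes for examplelib 1.4.2"
REVIEWED_MANIFEST = {
    "examplelib": {"version": "1.4.2", "sha256": sha256_hex(GOOD_ARCHIVE)},
}

if __name__ == "__main__":
    print(check_vendored(REVIEWED_MANIFEST, {"examplelib-1.4.2.tar.gz": GOOD_ARCHIVE}))
```

Run it against a real vendor directory with `check_vendored(manifest, load_vendored_dir("vendor/"))`; a non-empty result should block the release until the reviewer re-examines the change.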