Secure Database - HIPAA Compliance - Possible solutions
Our organization, University of California, San Francisco Dept of Surgery, has a significant Umbraco installation and we are looking to add Contour for creation of emails. We are really not interested in having online patient questionnaires be stored in a database because the db must be secured by SSL to comply with US HIPAA requirements.
Contour stores all the form responses as plaintext xml -- is this right? If so, this causes problems for us with HIPAA compliance since they will have patient data.
Possible solutions:
1. The form data to not be stored at all and just be sent to the appropriate person via our MS Exchange email system -- is this possible?
2. Is there an ability to store the form reply on an encrypted database?
3. Can we store the data as "de-identified data" - remove patient name, DOB, UCSF record no. and store?
We would appreciate some guidance.
Hiya,
I'm not sure on the first two, the best person to answer those would be the other Tim, Tim G who looks after Contour at HQ.
For the third one, you could write a workflow that manipulated the records, to be fired AFTER you've sent the email (which would be another workflow). If you're not bothered about keeping the records, you could potentially delete the record entirely using the Contour API, or de-personalise it if you'd rather keep some of the data. The developer docs have some examples of writing your own workflows and interacting with the records in the system using the API. It'll take a bit of coding to put together, but it should be do-able.
Hope that helps!
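The de-personalising step described in the reply above, as an added example (not code from this thread or from Contour): standalone C# that strips the three identifiers named in the question from a record and refuses to continue if one of them cannot be found. The XML layout, the `field`/`caption` names and the `RecordDeidentifier` class are constructed assumptions, and the Contour workflow wiring is left out.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class RecordDeidentifier
{
    // Hypothetical field captions; use the captions defined on your own form.
    static readonly HashSet<string> Identifiers = new HashSet<string>(
        new[] { "Patient Name", "Date of Birth", "UCSF Record No" },
        StringComparer.OrdinalIgnoreCase);

    // Returns a copy of the record with the identifier fields removed.
    // Throws if an expected identifier field is absent, so a renamed form
    // field cannot silently let patient data through to storage.
    public static XElement Strip(XElement record)
    {
        var copy = new XElement(record);
        var hits = copy.Descendants("field")
            .Where(f => Identifiers.Contains(((string)f.Attribute("caption") ?? "").Trim()))
            .ToList();
        var found = new HashSet<string>(
            hits.Select(f => ((string)f.Attribute("caption")).Trim()),
            StringComparer.OrdinalIgnoreCase);
        var missing = Identifiers.Where(i => !found.Contains(i)).ToList();
        if (missing.Count > 0)
            throw new InvalidOperationException(
                "Identifier field(s) not found: " + string.Join(", ", missing));
        hits.ForEach(f => f.Remove());
        return copy;
    }

    static void Main()
    {
        // Constructed sample record; not Contour's actual storage schema.
        var record = XElement.Parse(@"<record form='intake'>
  <field caption='Patient Name'>Jane Example</field>
  <field caption='Date of Birth'>1980-01-01</field>
  <field caption='UCSF Record No'>00000000</field>
  <field caption='Reason for visit'>Follow-up</field>
</record>");
        Console.WriteLine(Strip(record)); // only 'Reason for visit' remains
    }
}
```

Free-text fields can still contain names or dates typed in by the patient; this sketch removes only the listed fields.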
Comment author was deleted
There is an option to disable local record storage but you'll have to do this in the db, on the UFFORMs table, StoreRecordsLocally field.
Storing in an encrypted db would be possible with a custom workflow.
Hi Tim,
We're using Contour now and it's an outstanding product - see https://pediatric.surgery.ucsf.edu/patient-center/intake-forms/intake-follow-up-form.aspx
We created a workflow to avoid storing the records.
Now another group wants an encrypted db. Do you know if there are workflow examples of this, or can you point us in the right direction as you did w/the UFFORMs instruction above?
Thanks.
Richard