microsoft / community-organization-operations-suite

Applications & tools for Community-Based Organizations (CBOs) to work together more effectively
MIT License

HIPAA Compliance/Security #468

Open IFPHA-Keith opened 2 years ago

IFPHA-Keith commented 2 years ago

There is a need to make HCH HIPAA compliant, as this will be a requirement for all of the healthcare-centric CBOs. By making the tool HIPAA compliant, it will likely cover most of the other security concerns. We may also need to explore methods to protect Social Security Numbers (SSNs) or parts of Social Security Numbers. Some of the CBOs have already expressed some concern about adding patient/client SSNs into the system.

Link to HIPAA Guidelines: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

awentzel commented 1 year ago

What's the status of this work? It would be great if all issues managed on GH could be HIPAA compliant with a BAA contract in place for my entire organization.

It's unclear what level of support GitHub has currently or what's on the roadmap to support this.

maryLgray commented 1 year ago

Hi there. We're still alive but do not, at the moment, have engineering support in place. We hope to secure funding in the next month that would bring on additional resources. One thing to note from our research: HIPAA compliance for web apps is more of a matter of an organization taking legal liability for data handling that's gathered through the app than the app itself providing HIPAA compliance. On the roadmap: understanding the best ways to secure data shared across organizational boundaries while also being privacy-preserving for the individual clients.

awentzel commented 1 year ago

At a 50,000-foot level, essentially a lightweight ZenDesk-type functional system built into GitHub.

To expand on this: I evaluated using a GitHub Project board to track issues (more from a customer support perspective, where there may not always be a source code change). This could be considered a 'draft item' in your current UI, but functionally it is more of a to-do-type management interface. On this note, as well as for all issues within an organization, knowing that the content of those issues for 'Private' projects is secure in transit and at rest would suffice.