4

I am working on a medical related web solution where the application keeps patient's data (name, diagnoses, etc...), and we are using firebase's real time database for this. We have tried to formulate some solutions to comply to HIPAA standards.

  1. Put the name data to a different HIPAA compliant database provider like Google Cloud, then the rest of the data to firebase.
  2. Encrypt the name data in firebase, where the data are being encrypted and decrypted on a nodejs server.

  3. Encrypt the keys and/or uid's related to the patient's records. The data are being encrypted and decrypted on a nodejs server. 

    names:{
    encrypted_uid:{
        firstName: 'Sheldon',
        middleName: 'Lee',
        lastName: 'Cooper'
    }
}

Though these solution seems to work I am still skeptical to the setup.

Is there a known and an actual HIPAA compliant solution for this?

jofftiquez
  • 7,548
  • 10
  • 67
  • 121
  • 3
    There isn't. We have an insurance app and other than super basic customer or patient info, you cannot use Firebase to store *anything* remotely related to patient information, even if it's encrypted. There are a very select few HIPAA compliant online storage services but for the most part you need to store everything in it and not link to outside data (or vice versa) – Jay Dec 12 '16 at 20:25
  • Exactly what I have heard from forums. Thanks @Jay Anyways this is not related to my question, can you suggest a good way to encrypt a key in nodejs? Is bcrypt good enough? – jofftiquez Dec 13 '16 at 03:28
  • @CENT1PEDE I'm also in the same boat, are you still using firebase with conjuction with bcrypt? – jasan Feb 28 '17 at 22:45
  • @jasan Yes I'm still using `bcrypt` to encrypt the id to de-identify the connection of sensitive data to the user who own it. If you're interested I'm going to write a glog about it on my website, you can just contact me there if you need more help. :) My website is https://randomcodetips.com – jofftiquez Mar 01 '17 at 02:24

0 Answers0