We (my client's IT department) have medical apps to port to cloud
architecture but issue of use of public vs. private cloud (Google App
engine vs. hosted vmware virtual appliance) hinges on this issue.
Then again, wholesale countrytapping is now the norm, so there is
precedence...
--
G
ironically, in one past life, i worked on software for doctors to use
for clinical trials. before the medical data was even imported into
our application, all patient info such as name, DOB, SSN, sex, age,
etc., were masked so that they were not available to the doctors. we
only had patient ID numbers and their data.
one place you can start out to find out more about compliance and
HIPAA requirements is here:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities
you may also need to hire a consultancy or company that certifies
compliance. it's probably worthwhile to pursue this before and during
the development process. however, we're not lawyers here so we cannot
give specific advice for your case.
hope this helps!
-- wesley
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"Core Python Programming", Prentice Hall, (c)2007,2001
"Python Fundamentals", Prentice Hall, (c)2009
http://corepython.com
wesley.j.chun :: wesc...@google.com
developer relations :: google app engine
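The separation Wesley describes above (patient identifiers masked before import, the doctors' application seeing only patient IDs and medical data) as an added Python example; this is not code from the thread or from App Engine, and the field names, the pseudonymous-ID scheme and the sample records are assumptions:

```python
import secrets
from dataclasses import dataclass, field

# Patient-info fields the post says were masked before import (assumed names).
IDENTIFIER_FIELDS = frozenset({"name", "dob", "ssn", "sex", "age"})


@dataclass
class Pseudonymizer:
    """Re-identification map, kept apart from the clinical data (e.g. on the
    client's own systems); the doctors' app sees only opaque patient IDs."""
    identity_map: dict = field(default_factory=dict)  # patient_id -> identifiers
    _by_ssn: dict = field(default_factory=dict)       # ssn -> patient_id

    def split(self, record: dict) -> tuple:
        """Return (patient_id, clinical_record) for one source record."""
        identity = {k: v for k, v in record.items() if k in IDENTIFIER_FIELDS}
        clinical = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
        ssn = identity.get("ssn")
        if ssn is not None and ssn in self._by_ssn:
            pid = self._by_ssn[ssn]  # same patient on a later visit keeps its ID
        else:
            # A random token, not a hash of name or SSN: a hash of a
            # low-entropy identifier can be reversed by enumerating inputs.
            pid = secrets.token_hex(16)
            self.identity_map[pid] = identity
            if ssn is not None:
                self._by_ssn[ssn] = pid
        clinical["patient_id"] = pid
        return pid, clinical

    def reidentify(self, patient_id: str) -> dict:
        return self.identity_map[patient_id]  # privileged lookup, log and restrict it


def leaks_identifiers(clinical: dict) -> bool:
    """Guard to run on every record before it is written to the cloud datastore."""
    return bool(IDENTIFIER_FIELDS & set(clinical))


# Constructed sample input (two visits of one patient), not real data.
SAMPLE_RECORDS = [
    {"name": "Jane Roe", "dob": "1970-01-01", "ssn": "000-00-0000",
     "sex": "F", "age": 40, "visit": 1, "hba1c": 6.8},
    {"name": "Jane Roe", "dob": "1970-01-01", "ssn": "000-00-0000",
     "sex": "F", "age": 40, "visit": 2, "hba1c": 6.4},
]


def demo():
    p = Pseudonymizer()
    clinical = [p.split(r)[1] for r in SAMPLE_RECORDS]
    return p, clinical
```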
We know HIPAA requirements, not a problem for us. What we don't know
is google's security and confidentiality of data.
thanks,
Ralph
On Jan 10, 9:10 pm, "Wesley Chun (Google)" <wesc+...@google.com>
wrote:
> greetings! you asked a question that's common but very dependent on
> your implementation. App Engine has no specific compliance features,
> so it's all up to your implementation. the first thing you need to do
> is to separate the patient information and their medical data. if
> they're together, then it's very likely that you're not compliant.
>
> ironically, in one past life, i worked on software for doctors to use
> for clinical trials. before the medical data was even imported into
> our application, all patient info such as name, DOB, SSN, sex, age,
> etc., were masked so that they were not available to the doctors. we
> only had patient ID numbers and their data.
>
> one place you can start out to find out more about compliance and HIPAA requirements is here:
>
> http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities
>
> you may also need to hire a consultancy or company that certifies
> compliance. it's probably worthwhile to pursue this before and during
> the development process. however, we're not lawyers here so we cannot
> give specific advice for your case.
>
> hope this helps!
> -- wesley
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> "Core Python Programming", Prentice Hall, (c)2007,2001
> "Python Fundamentals", Prentice Hall, (c)2009
> http://corepython.com
>
> wesley.j.chun :: wesc+...@google.com
> developer relations :: google app engine
>
> On Jan 7, 11:49 am, G <culturea...@gmail.com> wrote:
>
> > My _guess_ is that either could easily run into compliance concerns.
>
> > Then again, wholesale countrytapping is now the norm, so there is
> > precedence...
>
> > --
> > G
>
> > RalphWSiegler wrote:
> > > would the datastore of the GAE beHIPAAcompliant as to privacy and
Btw, Google Health may share information with third parties without
user authorization: http://www.google.com/intl/en_us/health/hipaa.html
So you do need to build some infrastracture to supplement AppEngine
for compliance purposes.
On Jan 22, 11:25 am, RalphWSiegler <ralphsieg...@gmail.com> wrote:
> Hi Wesley, really was asking if data stored with google was secure
> from access by google employees or third party or other applications
> for casual browsing, data mining, etc. Could as well ask if GEA is
> safe place to store credit card numbers.
>
> We know HIPAA requirements, not a problem for us. What we don't know
> is google's security and confidentiality of data.
>
> thanks,
>
> Ralph
>
> > > RalphWSiegler wrote:
> > > > would the datastore of the GAE be HIPAA compliant as to privacy and
> > > > security of information.
>
> > > > We (my client's IT department) have medical apps to port to cloud
App Engine is currently not HIPAA- nor SAS 70-compliant, so highly
sensitive data (HIPAA/PHI data, SSNs, CC numbers, etc.) should not be
stored on App Engine. it is not a good match for that type of data at
this point in time unless, as the previous poster pointed out,
you've done some bulletproof encryption of that data. unfortunately, i
cannot currently comment on any timeline to get any sort of data
privacy certification.
with that said however, Google is still a very responsible company
that works very hard on security at all levels. i can also refer you
to a whitepaper from a few years ago which highlights our efforts in
this regard. although written for customers of Google Apps, many of
the same policies apply to App Engine as well, and i'm sure you'll be
able to figure out which ones those are. here's the link to that
whitepaper:
http://www.google.com/a/help/intl/en/admins/pdf/ds_gsa_apps_whitepaper_0207.pdf
bottom-line: do not put unencrypted private data into App Engine at this time.
best regards,
-- wesley
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"Core Python Programming", Prentice Hall, (c)2007,2001
"Python Fundamentals", Prentice Hall, (c)2009
http://corepython.com
wesley.j.chun :: wesc...@google.com
We still would find GEA very useful for general medical procedural and
diagnostic information of encyclopedic nature
best regards,
Ralph
On Jan 25, 6:38 pm, "Wesley C (Google)" <wesc+...@google.com> wrote:
> greetings again everyone,
Amazon's white paper on achieving HIPAA compliance is not HIPAA compliant. Public cloud HIPAA compliance where the data is stored in the cloud is not likely to ever be possible. You can however use the cloud to accelerate your app and deliver non-private data.
--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/ivmzu195XRMJ.