Is Sakai HIPPA compliant?

[William]

Hi Sakai Community!

I am wondering if Sakai is compliant with HIPAA guidelines. After doing a quick search of this, I was only able to find the following online from Rutgers (http://rci.rutgers.edu/~oirt/sakai/datasecurity/):



Would anyone have any additional information about whether Sakai is indeed HIPAA compliant?

Thanks!
Will

[Adam Marshall]

is there a quick reference to HIPAA, ie, a list of things a system must do to comply?

adam

On 29 Feb 2016, at 21:24, William wrote:

Hi Sakai Community!

I am wondering if Sakai is compliant with HIPAA guidelines. After doing a quick search of this, I was only able to find the following online from Rutgers (http://rci.rutgers.edu/~oirt/sakai/datasecurity/):

<Auto Generated Inline Image 1.png>

Would anyone have any additional information about whether Sakai is indeed HIPAA compliant?

Thanks!
Will

--
You received this message because you are subscribed to the Google Groups "Sakai Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sakai-user+...@apereo.org.
To post to this group, send email to sakai...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/sakai-user/.
<Auto Generated Inline Image 1.png>

[William]

Hi Adam,

I'm not sure if there is a list available online, but I did do a quick search about Blackboard and read that "Blackboard Student Services’ software o erings are both HIPAA and FERPA compliant at the network transport level..."

I found that source here: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwiN1Nz8953LAhVGvIMKHS69BCAQFggkMAE&url=http%3A%2F%2Fwww.blackboard.com%2Fgetdoc%2F8309d330-e397-4bf0-96b5-d99f4736f2f9%2Fstudentservices_data-security-policy.aspx&usg=AFQjCNHNzHn5UwS8QtaAzCVsV00KrhsLhw&sig2=JGbQLwR1obpxbvrC6QW_xQ&bvm=bv.115339255,d.amc

[Pat Miller]

My understanding is that HIPAA compliance relates to health related data tied to an individual student.  Why would someone hold health data on a student in an LMS?  A campus clinic system would have to be HIPAA compliant, yes!  But Sakai??

Pat Miller

Notre Dame

[Antonio Barron]

Pat,

The preliminary inquiry at Bradley relative to Sakai and HIPAA was prompted by the tentative possibility of student counselors recording videos of themselves working with volunteer clients. At least, that's my understanding. However, I'm not sure this use case is possible.

Tony Ramirez Barron

[Antonio Barron]

Adam and fellow list members,

Here is a HIPAA security summary from a U.S. government source:

http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/

Tony Ramirez Barron

[info]

We just had another inquiry about Sakai's HIPPA compliance on the Sakai info email. I asked for their use case for needing HIPPA compliance and am posting their response below just for our information purposes.

"We are looking for a way for trip leaders on foreign and field trips to have access to students' health information electronically. We are also looking into a Business Associate Agreement with Google so they could be accessed in GSuite apps. Previously, we have used paper or encrypted flash drives--but we're looking for a method that's accessible by mobile device."

Best,

Michelle

[Neal Caidin]

I would be wary about storing electronic health records in Sakai unless one has a thorough understanding of permissions and tested the configuration.

-- Neal

To unsubscribe from this group and stop receiving emails from it, send an email to sakai-user+unsubscribe@apereo.org.

[Tiffany Stull]

Hi all,

Sakai is not HIPAA compliant.  For an instance of Sakai to be HIPAA compliant, as Neal mentioned, there would need to be some very carefully set up permissions, etc. to protect the data.

Additionally, every staff member who has administrative access in the system would need to receive HIPAA certification, because they would also have access to the users' health records.

Tiffany Stull

[Matthew Jones]

Yeah, I don't believe we can claim to be any better than Blackboard on this. Below is in their footer

I don't see any specific disclaimer for Canvas but there is discussion on what it would take [1], and sounds like both work in Sakai as well as work locally among the users of Sakai as Tiffany mentioned. I feel like there are a lot of features, like IP address & copy/paste restrictions as well as additionally logging and verification that would need to minimally be developed.

"B. HIPAA Disclaimer

Blackboard does not warrant or provide any assurances that your use of the Products will comply with the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). . .  http://www.blackboard.com/footer/terms-of-use.aspx

[1] https://community.canvaslms.com/thread/13248-hipaa-compliance-plans

[info info]

My response to her was that we were not HIPPA compliant but I wanted to know why they were interested in having Sakai be HIPPA compliant. I've had more than one inquiry about that this year and decided more data would be good to have as people make their LMS decisions.

To unsubscribe from this group and stop receiving emails from it, send an email to sakai-user+unsubscribe@apereo.org.

To post to this group, send email to sakai...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/sakai-user/.

--
You received this message because you are subscribed to the Google Groups "Sakai Users Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to sakai-user+unsubscribe@apereo.org.

To post to this group, send email to sakai...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/sakai-user/.

--
You received this message because you are subscribed to the Google Groups "Sakai Users Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to sakai-user+unsubscribe@apereo.org.