FHIR Chat · Patient search and HIPAA · implementers

Stream: implementers

Topic: Patient search and HIPAA


Manoj Shenoy (May 07 2019 at 15:48):

Hi,
I am building a patient search API - mostly using information from https://www.hl7.org/fhir/search.html#string

The search uses the HTTP GET method to search for a patient using name, DOB, etc. In the US, patient name and DOB are PHI and are protected by HIPAA. Because the request is a GET request, the URL will have the name and DOB, and it will get saved in our server logs, which are not encrypted. Does this constitute a HIPAA violation?

Would it be better to use an HTTP POST for this API?

Nick Radov (May 07 2019 at 15:51):

Yes, you should probably use a POST-based search.
http://hl7.org/fhir/http.html#search

Manoj Shenoy (May 07 2019 at 16:08):

Thank you for the quick response

Grahame Grieve (May 07 2019 at 16:09):

This is a permanent FAQ. There's nothing to stop servers storing bodies in their logs, and some do.

Grahame Grieve (May 07 2019 at 16:10):

So using POST doesn't really solve this. But POST logs are distributed less widely than the URL logs, so it can help.

Michael Donnelly (May 07 2019 at 16:20):

I think "less widely" undersells the point. By default, IIS logs query parameters. To log the POST body in IIS, you need to download and install an additional module that doesn't ship with the OS.

Manoj Shenoy (May 07 2019 at 16:30):

For my use case, I do have control over the server policy. So I won't be logging the POST body.
As far as the client application is concerned, it would be the responsibility of the application to ensure the logs are secured properly. A violation from the client end should not affect us as per our client agreement.

Michael Donnelly (May 07 2019 at 16:31):

Solid.

Jenni Syed (May 07 2019 at 18:33):

If the server logs are accessible to people that shouldn't see data (unless you're exporting them), then the data is accessible pretty easily as well. I.e., securing the server and auditing access is a necessity either way.

Jenni Syed (May 07 2019 at 18:34):

Also: caution because some languages and libraries default to dumping the request bodies where there are errors. There are many places in the stack where different pieces can leak.

Jenni Syed (May 07 2019 at 18:36):

It's important to make sure that the whole system is involved in protecting the data or auditing the access if it's done.

Jenni Syed (May 07 2019 at 18:37):

"There be dragons" seems appropriate, in other words :)


Last updated: Apr 12 2022 at 19:14 UTC