clinical:hipaa

v0.2.3, published 9 years ago



HIPAA Compliance for Meteor Apps. Meta package containing audit log, user accounts, and ssl security.

==================================

Table of Contents

  • Installation
  • Packages
  • HIPAA Compliance Self-Assessment Checklist
  • Hosting Providers Willing to Sign Business Associate Agreements (BAA)
  • HIPAA Compliant Scale Out Using Meteor
  • Policies and Procedures
  • Roles API
  • Crypto API
  • Hipaa API
  • HipaaPolicies API

==================================

Installation

meteor add clinical:hipaa

==================================

Packages

This is a meta package, and includes the following sub-packages:

accounts-base
accounts-password
alanning:roles
clinical:hipaa-audit-log
clinical:hipaa-policies
clinical:hipaa-routes
force-ssl
jparker:crypto-aes

================================================

HIPAA Compliance Self-Assessment Checklist

https://catalyze.io/hipaa-self-assessment-checklist

================================================

Hosting Providers Willing to Sign Business Associate Agreements (BAA)

Modulus.io
Catalyze.io

================================================

HIPAA Compliant Scale Out Using Meteor

Phase 1 - Development (1 server)
sudo meteor

Phase 2 - Platform as a Service (2 to 10 servers)
modulus.io - Node/Meteor App Hosting on AWS
compose.io - Mongo Hosting on AWS

Phase 3 - Infrastructure as a Service (11+ servers)
Amazon Web Services
Deploying a Meteor App on Elastic Beanstalk

Phase 4 - Federal HIPAA
Amazon Web Services - HIPAA/Federal Tier
Amazon Web Services - HIPAA Whitepaper

==================================

Roles API

The Roles API has two primary methods:

Roles.addUsersToRoles(userId, rolesArray, group)
Roles.userIsInRole(userId, rolesArray, group)

You can see their use in the following code example:

if (Meteor.isServer) {
  // Example user data; in a real app this comes from a signup form or a seed script
  var user = { email: 'alice@example.com', name: 'Alice' };

  var userId = Accounts.createUser({
    email: user.email,
    password: "apple1",
    profile: { name: user.name }
  });
  Roles.addUsersToRoles(userId, ['admin', 'manage-users', 'view-secrets']);

  // Publish secrets only to users holding one of the required roles;
  // Meteor.secrets stands in for your secrets collection
  Meteor.publish('secrets', function (group) {
    if (Roles.userIsInRole(this.userId, ['view-secrets', 'admin'], group)) {
      return Meteor.secrets.find({group: group});
    } else {
      // user not authorized. do not publish secrets
      this.stop();
      return;
    }
  });
}

There is also an isInRole convenience helper for the client side:

<template name="header">
  <header>
    {{#if isInRole 'admin'}}
      {{> admin_nav}}
    {{/if}}
  </header>
</template>

==================================

Crypto API

There's technically nothing in HIPAA that specifically says an organization has to encrypt its data at rest, but many people prefer to do so. Of those who do, there are also differing opinions on whether the default encryption that comes with the operating system or database is sufficient. For those who are particularly paranoid and don't trust the operating system or database, the clinical:hipaa package comes with an AES encryption algorithm (via jparker:crypto-aes), so you can do in-app encryption and ensure that your data-at-rest is secure.

// Encrypt with a passphrase; CryptoJS derives the key and IV from the passphrase and a random salt
var encrypted = CryptoJS.AES.encrypt("Message", "Passphrase");
console.log(encrypted.toString());
// 53616c7465645f5fe5b50dc580ac44b9be85d240abc5ff8b66ca327950f4ade5

// Decrypt with the same passphrase and decode the result as UTF-8
var decrypted = CryptoJS.AES.decrypt(encrypted, "Passphrase");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
// Message

==================================

Licensing

All code is MIT. Use as you will. Disrupt the system. It needs all the help it can get.

Policies and Procedures are Creative Commons.