HIPAA is a good guideline, but as you read it you'll see it's more procedural or legal than technical.

The rules of thumb that I've been taught for making my software HIPAA compliant are:

1. Audit trail: be able to show who did what and when. It does nothing to prevent a breach, but ensures that if there is one they can punish someone.
2. Secure channels (VPN, SSL, etc. Nothing goes over the wire in the clear).
3. Reasonably secure logins: good passwords, logins time out.
4. Audit trail. It's important.

HIPAA doesn't go to the length that something like PCI (credit card processing) does, but it's a good place to start.

Since you specifically asked about SSNs, check with the Social Security Administration. They have rules, guidelines, and suggestions for those as well. There's even one that says "don't use the SSN as an ID" and "don't ask for it if you don't need it", which may be a good idea in your case: rather than decide how to secure it, decide if you even need to transmit it.

On Thu, Mar 11, 2010 at 6:29 AM, Andrew Latham <[email protected]> wrote:
> This covers most of what you are looking for...
>
> http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
>
> Internal company storage falls down to Civil Procedure Law. (Whatever
> a Judge can ask in a lawsuit and what discovery he feels is safe
> for the public domain.)
>
> ~
> Andrew "lathama" Latham
> [email protected]
>
> * Learn more about OSS http://en.wikipedia.org/wiki/Open-source_software
> * Learn more about Linux http://en.wikipedia.org/wiki/Linux
> * Learn more about Tux http://en.wikipedia.org/wiki/Tux
>
> On Wed, Mar 10, 2010 at 10:07 PM, Travis Paul <[email protected]> wrote:
>> Thanks Raphael
>>
>> On Wed, Mar 10, 2010 at 5:04 PM, RAPHAEL WOLFF <[email protected]> wrote:
>>> You might go to the Electronic Frontier Foundation web site and submit
>>> your question.
>>>
>>> On 3/10/2010 8:02 PM, Travis Paul wrote:
>>>
>>> Does anyone know where I can find the federal regulations (USA) for
>>> storing and transmitting personal information such as Social Security
>>> Numbers (if any exists)?
>>>
>>> I've only been able to find state-specific documentation, is that my only
>>> option?
>>>
>>> _______________________________________________
>>> Fwlug mailing list
>>> [email protected]
>>> http://fortwaynelug.org/mailman/listinfo/fwlug_fortwaynelug.org
>

--
-----
Jonathan Bartels
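The audit-trail rule of thumb from the reply above (show who did what and when, and make it hard to quietly rewrite), as an added Python example that is not code from the original thread: entries are HMAC-chained so that an edited or deleted record is caught on verification. The actor names, the opaque record key and the HMAC key are constructed for the demo; the record key stands in for a surrogate ID, never the SSN itself.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor before the first entry

class AuditTrail:
    """Append-only audit trail: each entry records who did what, to which
    record, and when, chained by HMAC-SHA256 over its content plus the previous
    entry's tag, so edits, deletions and reordering are caught by verify()."""

    def __init__(self, key: bytes):
        self._key = key          # keep this outside the log store (e.g. a KMS)
        self._entries = []

    def _tag(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, who: str, what: str, record_id: str, when: str) -> dict:
        """Append one event; record_id is an opaque surrogate key, never the SSN."""
        prev = self._entries[-1]["tag"] if self._entries else GENESIS
        body = {"who": who, "what": what, "record": record_id, "when": when, "prev": prev}
        entry = dict(body, tag=self._tag(body))
        self._entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every tag and check each link back to GENESIS."""
        prev = GENESIS
        for e in self._entries:
            body = {k: v for k, v in e.items() if k != "tag"}
            if body["prev"] != prev or not hmac.compare_digest(self._tag(body), e["tag"]):
                return False
            prev = e["tag"]
        return True

def demo() -> tuple:
    """Constructed scenario: three events are logged, then the stored log is
    edited and an entry deleted. Returns verify() results (clean, edited, deleted)."""
    trail = AuditTrail(key=b"constructed-demo-key")
    trail.record("nurse_jane", "view", "pt-7f3a", "2010-03-11T12:00:00Z")
    trail.record("dr_smith", "update_diagnosis", "pt-7f3a", "2010-03-11T12:05:00Z")
    trail.record("billing_bot", "export", "pt-7f3a", "2010-03-11T12:10:00Z")
    clean = trail.verify()
    trail._entries[1]["who"] = "dr_jones"   # history rewritten in the stored log
    edited = trail.verify()
    trail._entries[1]["who"] = "dr_smith"   # undo, then drop the entry outright
    del trail._entries[1]
    return clean, edited, trail.verify()
```

The chain only makes tampering detectable after the fact; pair it with write-once storage or shipping entries to a separate log host so the key and the log are not in the same place as the data they watch.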
