By: Rob LeVine | Asked: 06/02/2023
Patient Management System
Has anyone built a Patient Management System for a US-based entity using Formidable (like this)? I'm mentoring someone in Formidable and she wants to write her own system and I'm wondering about the following topics:

  • Conforming with HIPAA rules
  • Security
  • Plugins/Addons that would make the project easier
  • Anything else you learned along the way
2 Answers
Walter Jones answered 11 months ago
Hey Rob. The most important thing is protecting the PHI data and making sure that access to the site is restricted; there also have to be encrypted backups.

I have built a CJIS-compliant system which has similar requirements to HIPAA, but it is behind a firewall and access is restricted based on IP. I use for backups and it is fantastic.

At a minimum you want to have strong 2FA enabled for access and encrypted backups. You may also want to encrypt the fields that are taking PHI like SS#, diagnosis, etc. I'm sure there is a white paper out there that lists all the requirements to make something compliant. To truly be compliant you may need the site peer reviewed.
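The field-level encryption Walter describes, as an added example that is not from this thread or from Formidable itself: only the fields marked as PHI (here `ssn` and `diagnosis`, an assumption) are sealed with libsodium's XChaCha20-Poly1305 before storage, with the entry id and field name bound in as associated data so a ciphertext cannot be silently moved to another record or column. The key is assumed to live outside the database (the example generates one in memory for the demo).

```php
<?php
// Added example, not Formidable's code. Assumes PHP with the sodium extension
// and that 'ssn' and 'diagnosis' are the PHI-bearing field keys of the form.
declare(strict_types=1);

const PHI_FIELDS = ['ssn', 'diagnosis'];

// Seal each PHI value; entry id + field name is the associated data (AAD), so
// decryption fails if the ciphertext is copied to another entry or column.
function encrypt_phi_fields(array $values, string $entry_id, string $key): array {
    foreach (PHI_FIELDS as $field) {
        if (!isset($values[$field]) || $values[$field] === '') {
            continue;                         // nothing to protect in this field
        }
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
            (string) $values[$field], $entry_id . ':' . $field, $nonce, $key);
        // 'enc:' prefix marks the column as sealed; nonce travels with the ciphertext
        $values[$field] = 'enc:' . sodium_bin2base64($nonce . $ct, SODIUM_BASE64_VARIANT_ORIGINAL);
    }
    return $values;
}

function decrypt_phi_field(string $stored, string $entry_id, string $field, string $key): string {
    if (strncmp($stored, 'enc:', 4) !== 0) {
        throw new RuntimeException("field $field of entry $entry_id is not encrypted");
    }
    $raw = sodium_base642bin(substr($stored, 4), SODIUM_BASE64_VARIANT_ORIGINAL);
    $n = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($raw, $n), $entry_id . ':' . $field, substr($raw, 0, $n), $key);
    if ($pt === false) {
        // wrong key, wrong entry/field context, or tampered ciphertext
        throw new RuntimeException("authentication failed for $field of entry $entry_id");
    }
    return $pt;
}

// Constructed sample entry. In production the key comes from outside the DB
// (e.g. host-provided secret) and encrypt_phi_fields() runs in the form
// plugin's pre-save hook (hook name deliberately not assumed here).
$key    = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
$entry  = ['name' => 'J. Doe', 'ssn' => '123-45-6789', 'diagnosis' => 'F41.1'];
$sealed = encrypt_phi_fields($entry, 'entry-42', $key);
assert($sealed['name'] === 'J. Doe');                              // non-PHI stays plaintext
assert(decrypt_phi_field($sealed['ssn'], 'entry-42', 'ssn', $key) === '123-45-6789');
```

Sealed fields can no longer be searched or filtered in the form's own views, so decide which fields are truly PHI before encrypting them, and log every decryption call since that is the access you will need to audit.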
Michael Clark answered 11 months ago

I have not used Formidable to build HIPAA-compliant solutions, but I have had to build HIPAA-compliant systems in my previous life as an IT Director in the healthcare and mental health world(s).

Walter's right: encrypting and abstracting private health information is key; limiting, logging, and regularly auditing access to it is essential; and encrypting the *entire* backup and recovery cycle - as part of a larger, also compliant risk prevention, response, and remediation plan - is also essential. What I learned along the way: self-audit and document it.

I also learned that even though the world of wp plugins makes life easier for admins, managers, users, clerks, and customers on so many levels, precious few meet the stringent data security required for organizational compliance.

But the good news: if you/they are building a practice management solution vs. a patient management solution, the path to yay! may be considerably less difficult. I'd start there: clearly distinguish between patient management and practice management, and plan the system accordingly. It could be that Formidable does not itself have to satisfy HIPAA compliance data security requirements, as long as it supports and doesn't subvert or break the fundamental HIPAA compliance of the system within which it runs. That was a distinction that helped me as my team and I at the time built solutions behind the firewall and out front, for the public customer.

Sounds like a *fun* project! hth

Michael Clark replied 11 months ago

Also: don't forget about SOX compliance if there's any ecommerce involved in your flow. In an individual practice it may not be a big deal, but if you/your client are building an industry solution, HIPAA + SOX compliance will signal to the marketplace that you're a thoughtful and potentially more valuable solution than the run-of-the-mill catch-me-if-you-can ISVs.

