U.S.A. clinic use and HIPAA compliance?

I wish I had seen this topic earlier, but I think @cintiadr is spot on.

OpenMRS can be HIPAA compliant in its present form with the right monitoring/logging/security business policies in place.

That said, there’s a lot of work that could be done to make it easier on people who are trying to do this by building native features geared specifically toward HIPAA compliance. I know engineers at Epic and Cerner spend a lot of their time worrying about these kinds of issues.


Creating and maintaining a HIPAA-compliant server is a business in itself. Setting up encryption at rest and in transit by itself is nightmare-ish.

That said, accountability (who changed what) is something very hard to do from the outside.

Who accessed which patient data might be helped if the REST API or main screen has the person's ID as a GET parameter (so it's logged at the load balancer level).

For password expiration, policy and lockouts, if we implement LDAP integration, that could be implemented directly in LDAP.
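The load-balancer logging idea above, worked through as an added example (not code from the original thread or from the OpenMRS project): if the patient identifier is visible in the request line, a plain nginx/Apache "combined" access log can be turned into a "who looked at which patient" trail without touching the application. The log lines below are constructed sample data, the `patientId` query parameter and the `/ws/rest/v1/patient/<uuid>` path form are assumed URL shapes, and the third field is assumed to be the authenticated username the proxy was configured to log (it is `-` when the proxy does not know the user, e.g. session-cookie logins that were never mapped into the log format). The example also goes one step beyond the post: it flags a user who pulls up more distinct patients than a chosen threshold inside a time window, which is the kind of check an access-review process would run over such a trail.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in "combined" log format; hypothetical traffic, not real data.
# Fields: client - user [timestamp] "METHOD target HTTP/x" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
10.0.0.5 - jdoe [10/Oct/2023:13:55:36 +0000] "GET /openmrs/patientDashboard.form?patientId=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - jdoe [10/Oct/2023:13:56:02 +0000] "GET /openmrs/ws/rest/v1/patient/7c3f9a4e-1b2d-4e5f-8a9b-0c1d2e3f4a5b?v=full HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - nurse1 [10/Oct/2023:14:01:10 +0000] "GET /openmrs/patientDashboard.form?patientId=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - nurse1 [10/Oct/2023:14:01:44 +0000] "GET /openmrs/index.htm HTTP/1.1" 200 800 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:14:02:00 +0000] "GET /openmrs/patientDashboard.form?patientId=77 HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.9 - nurse1 [10/Oct/2023:14:05:00 +0000] "GET /openmrs/patientDashboard.form?patientId=43 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - nurse1 [10/Oct/2023:14:05:30 +0000] "GET /openmrs/patientDashboard.form?patientId=44 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined-format request line; everything after the status code is not needed here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed REST path shape: patient UUID directly after /ws/rest/v1/patient/
REST_PATIENT_RE = re.compile(r'/ws/rest/v1/patient/(?P<id>[0-9a-fA-F-]{36})')


def patient_from_target(target):
    """Return the patient identifier carried by a request target, or None."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    if "patientId" in qs:              # assumed query parameter name
        return qs["patientId"][0]
    m = REST_PATIENT_RE.search(parts.path)
    return m.group("id") if m else None


def access_events(log_text):
    """Parse log lines and keep only requests that name a patient."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # malformed or non-combined line: skip, do not guess
        patient = patient_from_target(m.group("target"))
        if patient is None:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "user": m.group("user"),
            "patient": patient,
            "status": int(m.group("status")),
        })
    return events


def _served(e):
    """A request counts as a disclosure only if the proxy knew the user and the app served it."""
    return e["user"] != "-" and 200 <= e["status"] < 300


def audit_trail(events):
    """patient id -> ordered list of (ISO timestamp, user) for served requests."""
    trail = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if _served(e):
            trail[e["patient"]].append((e["ts"].isoformat(), e["user"]))
    return dict(trail)


def unauthenticated_hits(events):
    """Patient ids requested without a logged user (e.g. redirected to login)."""
    return [e["patient"] for e in events if e["user"] == "-"]


def flag_broad_access(events, max_distinct=2, window=timedelta(minutes=10)):
    """Users who opened more than max_distinct different patients within any window.

    Returns user -> largest distinct-patient count seen in a window.
    """
    by_user = defaultdict(list)
    for e in events:
        if _served(e):
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            seen = {e["patient"] for e in evs[: i + 1] if cur["ts"] - e["ts"] <= window}
            if len(seen) > max_distinct:
                flagged[user] = max(len(seen), flagged.get(user, 0))
    return flagged


if __name__ == "__main__":
    evs = access_events(SAMPLE_LOG)
    for patient, viewers in audit_trail(evs).items():
        print(patient, viewers)
    print("unauthenticated:", unauthenticated_hits(evs))
    print("broad access:", flag_broad_access(evs))
```

Two design points worth keeping in mind with this approach: only responses the application actually served are counted, so a redirect to the login page is recorded as an unauthenticated hit rather than a disclosure; and once patient identifiers sit in the URL, the proxy log itself (and browser history and any Referer header) contains PHI, so that log needs the same access control and retention handling as the database it is meant to audit.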

@prescott In addition to HIPAA requirements, does your practice also need to meet the meaningful use requirements? Are you planning on billing your patients through OpenMRS as well?

I guess the other question we can ask is if OpenMRS has a working module that allows the submission of claims to CMS, private insurance or clearinghouses (where the server address is configurable).

Additionally, why use OpenMRS or OpenEMR for your practice rather than going for something that is adapted for your practice (i.e. Medisoft billing software for chiropractic services that functions as an EMR) and also a system that adapts to US requirements?

The cost of implementing OpenMRS vs. practice-specific software might be lower than the work needed for OpenMRS to be adapted for your practice, i.e.:

  • Configuration of forms
  • Hosting your application (or setting up your local server)
  • Managing your metadata (HL7/FHIR compliant)
  • Adding the billing module (adapted for submitting claims in the US)
  • Having a Patient Health Record (PHR) app access data from OpenMRS - I think this is a meaningful use requirement to allow the portability of patient data (moving from one system to another).
  • Sending data to other agencies for referral, reporting, prescription, etc. (i.e. indicator reporting to the state of Colorado - if needed)

John
