
Moving forward with Composr

ocPortal has been relaunched as Composr CMS, which is now in beta. ocPortal 9 will be superseded by Composr 10.

Head over to compo.sr for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.


Can OCPortal be used for healthcare?

#108237 (In Topic #21092)

Fan in training

I need to set up a portal where users are assigned to certain facilities. Each facility has a certain department those users belong to and should only be able to access file uploads and documents pertaining to that department.

Can this be done with ocPortal? And if so, is it HIPAA compliant?

Thanks

#108239

Community saint

You could set up Usergroups for each department, then you could set up Download categories which are only accessible by the specific Usergroups. So yes, this can be done quite easily.

I have no idea if ocPortal is HIPAA compliant. It might be but I don't think it has specifically aimed to be. It does comply with many standards and it takes security seriously. From what I just read, it seems your hosting provider would need to be HIPAA compliant also, but I do think you could configure ocPortal to comply. There is some support for encryption, and it has audit and tracking tools built in. The other requirements seem easy enough to meet.

#108242

Fan in training

I will try that and see if that will work. Thank you for the information. One other question: after I have already run the setup wizard, I forgot to disable the calendar. Is there a way to go back and do so?

Item has a rating of 5 (Liked by Chris Graham)
#108244

Community saint

Yes, if you go to Admin Zone > Structure > Addons

Scroll down a little bit and put a tick in the checkbox for Calendar, then click the 'Install/uninstall selected addons' button.

Ask as many questions as you like, if I can't answer them there's a good chance someone else will :)

#108246

Fan in training

In regards to setting up departments as user groups... there are different people who would belong to the department but only certain ones get to download certain files. In other words, Dr A's secretary in Cardiology can only download from Dr A's files. Dr B's secretary from Orthopedics can only download Dr B's files. But also Dr B in Cardiology needs his secretary to download files. Each Dr that's in the department has their own secretary. So it needs to be specific rules.

Item has a rating of 5 (Liked by Chris Graham)
#108247

Community saint

And this is one of the questions that I will let someone else answer. I do think it can be done somehow with ocPortal, just not sure quite how…

Outside of ocPortal capabilities though, if the files are designed to actually be downloaded, rather than viewed in the browser, then maybe a simple solution would be to ensure that all uploaded department files are passworded zip archive files. Assuming the Doctors will be uploading their own files, then they will use a personal password for their personal files, and a department password for shared files. Not saying it's the best solution, but it's a solution, and it adds another layer of security to the actual files. You could perhaps add a custom download field (yes or no selection) for the field Department File so that there is a distinction.



Obviously you can edit the templates if you want to strip or add things, and you can have child categories of Downloads so you can set up the structure you need. I'll shut up now, just some ideas which are simple enough but I may be way off the mark with what you envision :) I would wait for a proper answer as this might be a lot of messing about trying to get everyone to make passworded zips, just sharing my thoughts.

Item has a rating of 5 (Liked by Chris Graham)
#108256

Community saint

I think I have a way this can be accomplished with just usergroups, usergroup permissions, and download categories and subcategories. Depending on the number of departments, number of doctors, and number of secretaries, this could be a complex and tedious task.

What is needed is a usergroup for each department, for each doctor, and for each secretary. For example, you would have usergroups:

Cardiology
Cardiology-Doctor-A
Cardiology-Doctor-A-Secretary
Cardiology-Doctor-B
Cardiology-Doctor-B-Secretary
Orthopedics-Doctor-C
Orthopedics-Doctor-C-Secretary
Orthopedics-Doctor-D
Orthopedics-Doctor-D-Secretary
etc.

Doctor A would be assigned to the Cardiology usergroup and the Cardiology-Doctor-A usergroup. Doctor A secretary would be assigned to the Cardiology usergroup and the Cardiology-Doctor-A-Secretary usergroup. And so on…

Then create download categories for each department, and then subcategories for each doctor in each department. For example, you would have download categories:

Cardiology
Orthopedics

And then create the necessary Doctor-A and Doctor-B subcategories under Cardiology and Doctor-C and Doctor-D subcategories under Orthopedics.

The tricky part is going to be assigning the correct permissions to each category. For the main Cardiology download category, all usergroups that start with Cardiology would have view access. Uncheck view access and disable permissions for all other usergroups as necessary. For Doctor-A subcategory, you would assign the necessary view/add/edit permissions to Cardiology-Doctor-A usergroup and only set view permissions for Cardiology-Doctor-A-Secretary usergroup. Uncheck view access and disable permissions for all other usergroups as necessary. 
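
The permission layout described in the post above, modelled as an added example (not ocPortal code and not part of the original post) so the result can be audited for least privilege. It assumes permissions are additive across a member's usergroups; the member names and the `Department/Doctor-X` subcategory notation are constructed for illustration.

```python
# Model of the usergroup / download-category layout from the post above.
# Assumption: permissions are additive, so a member holds a permission on a
# category if ANY of their usergroups is granted it there.
MEMBERS = {  # constructed member names -> usergroups named as in the post
    "dr_a":     {"Cardiology", "Cardiology-Doctor-A"},
    "dr_a_sec": {"Cardiology", "Cardiology-Doctor-A-Secretary"},
    "dr_b":     {"Cardiology", "Cardiology-Doctor-B"},
    "dr_b_sec": {"Cardiology", "Cardiology-Doctor-B-Secretary"},
    "dr_c":     {"Orthopedics", "Orthopedics-Doctor-C"},
    "dr_c_sec": {"Orthopedics", "Orthopedics-Doctor-C-Secretary"},
}
ALL_GROUPS = set().union(*MEMBERS.values())

def dept_view(dept):
    # Department category: view only, for every usergroup starting with its name.
    return {g: {"view"} for g in ALL_GROUPS if g.startswith(dept)}

def doctor_acl(owner):
    # Doctor subcategory: doctor gets view/add/edit, secretary gets view only.
    return {owner: {"view", "add", "edit"}, owner + "-Secretary": {"view"}}

ACL = {  # "Department/Doctor-X" is a hypothetical notation for a subcategory
    "Cardiology": dept_view("Cardiology"),
    "Cardiology/Doctor-A": doctor_acl("Cardiology-Doctor-A"),
    "Cardiology/Doctor-B": doctor_acl("Cardiology-Doctor-B"),
    "Orthopedics": dept_view("Orthopedics"),
    "Orthopedics/Doctor-C": doctor_acl("Orthopedics-Doctor-C"),
}

def perms(member, grants):
    # Union of what each of the member's usergroups is granted.
    return set().union(*(grants.get(g, set()) for g in MEMBERS[member]))

def audit(acl):
    # Report every (member, subcategory, permission) beyond the intended policy.
    findings = []
    for category, grants in acl.items():
        if "/" in category:  # department-level categories are shared by design
            intended = doctor_acl(category.replace("/", "-"))
            for m in MEMBERS:
                extra = perms(m, grants) - perms(m, intended)
                findings += [(m, category, p) for p in sorted(extra)]
    return sorted(findings)

def leaky_acl():
    # Constructed misconfiguration: department-wide group keeps view on a subcategory.
    acl = {c: dict(g) for c, g in ACL.items()}
    acl["Cardiology/Doctor-A"]["Cardiology"] = {"view"}
    return acl
```

`audit(ACL)` returns no findings for the layout as described, while `audit(leaky_acl())` reports Doctor B and Doctor B's secretary gaining view on Doctor A's subcategory through the shared Cardiology usergroup.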

Item has a rating of 5 (Liked by Chris Graham)
#108260

Community saint

If your plans are not set to a deadline then the privacy options in v10/Composr will certainly make this much easier to achieve. The privacy settings apply to most content, including Downloads. As you can see from the screenshot below, the Doctor could make certain files viewable to themselves only and could then add a secretary (or secretaries) as additional access on that specific file.

If Secretaries are uploading files, they can share them with the Doctor/s in the same way. Those added to the additional access list for a file will be sent a notification. All files could be uploaded to a single Download category for that particular Department. No Usergroups are needed for this to work, though maybe they will still be needed for access rights elsewhere (and things like the if_in_group Comcode tag which allows the showing of specific content to specified groups only).

No date or estimation for the v10 release yet, but if you can remain patient...

If you can't remain patient, you could experiment with setting up the Downloads in v10 alpha which has tons of improvements to lots of things but isn't ready for a live production site as it's still in development. Great for planning the future though, cos it is the future :)

#108272

Regarding HIPAA, that's a fairly obscure thing from our point of view – industry-specific, country-specific. But for these kinds of guidelines it definitely involves a technical person/team doing a detailed assessment and putting in place a written set of policies and compliance report. I've gone through similar things myself w.r.t. banks, telecommunication companies, and credit card companies. It probably is like 99% a hosting and procedural issue.

I had a quick look and I saw "encryption and decryption". That makes sense, that medical data would be encrypted. ocPortal doesn't really have much in terms of that (you can encrypt CPFs, but it's not intended for casual use, more for encrypting passwords). You'd probably solve it by having the web host implement it at the filesystem level (kind of like how you can do encrypted NTFS partitions in Windows).


Item has a rating of 5 (Liked by Chris Graham)
#108348

Fan in action

Having done a bunch of HIPAA, PCI, and DOD work, my experience might be helpful here.

ocPortal is a tool. Just like Java or Ruby or WordPress. No tool itself is compliant with any spec. It is how you the developer use that tool to build your website. As Chris alludes to, compliance for any spec requires you to follow their rules regarding safety of data, encryption, etc. A tool vendor or open source community does not, and cannot, certify a development tool for any specific spec standard.

HTH

Item has a rating of 5 (Liked by KingBast)
#108366

Fan in training

Thanks for the ideas. I will look at it further and play around with it to see if it will fit my needs.

Thanks to all of you.