Does Oracle's Configuration Manager, which according to Oracle provides "40% faster issue resolution", violate HIPAA or require specific configuration in order to comply?
This question concerns databases that contain Protected Healthcare Information (PHI). The question's scope only covers OCM and not the broader scope of Oracle support accessing the database.
The following from Oracle describes what OCM collects:
Oracle Configuration Manager can automatically gather the configuration information of Oracle product installs, and upload this information onto Oracle's support systems. The configuration information being collected by Oracle Configuration Manager includes:
• Installed patches
• Deployment platforms, dates, versions, and type
• Deployed components and applications
• Content of configuration files
• Information about network configurations
Note that the information collected by Oracle Configuration Manager is limited to configuration information. The utility does not collect sensitive data such as actual customer data (that is, any data other than configuration information, including actual applications or database transactions), password hash values, log on events, etc. My Oracle Support note 728985.1 provides a list of all the data collected by Oracle Configuration Manager.
According to hhs.gov the following information is protected by HIPAA:
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
"Individually identifiable health information" is information, including demographic data, that relates to:
• the individual's past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Best Answer
Yes, as long as the data being transmitted is monitored in a "reasonable" way.
If the database hosts PHI and Oracle is assisting in the management of the database, you must have a written contract with the vendor.
You have to log the vendor's access into the database and ensure they cannot access PHI.
If they access PHI you will have to log the incident and report it.
Please see http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf page 38 for more information on HIPAA IT policies.
The thing about HIPAA is that most of the requirements are vague and it asks you to take "reasonable" steps to prevent a PHI information breach (it marks these items as addressable). I've been through a couple of HIPAA audits myself.