I've recently been charged with the task of figuring out how to store the medical information of patients. A client of ours is having us create online patient referral forms, and the data needs to be stored online for viewing by authorized office personnel and doctors.
I know that information privacy is important, and I also know that if something messes up, I can be held personally responsible for it. That being said, how do you transmit and store data in a HIPAA-compliant manner? What are some good resources on the subject?
Our development environment is PHP + MySQL if that helps at all.
Given that you are using a tool stack that, well, has historically had a large number of security issues and that is difficult to get clarity on, be cautious.
It is possible to build capable and relatively secure systems using PHP, but it takes a correspondingly greater effort to do so. You will want to pay special attention to the global PHP settings (if you turn on register_globals even in development, you deserve to get sued for malpractice), and you will want to understand the different layers of encryption that support your application. You also need to engineer your application's workflow with an eye towards separating out different kinds of access. A patient filling out a form should not be able to access any other patient records. A doctor or clinical assistant should be able to view only those records their role requires; any patient record access should be recorded in an audit log that is not accessible to any user directly.
Also, drop MySQL for Postgres; PHP support for Postgres is very good, and Postgres supports in-database public key encryption, which you will want.
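As an added example (not from the answer above or from the asker's project), here is a PostgreSQL sketch of the two database-side points the answer makes: pgcrypto public-key encryption of the referral text, and an audit log the application role can append to but never read, via a SECURITY DEFINER function. All role, table, column and psql-variable names are assumptions.

```sql
-- Added example; role, table and key-variable names are assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- The web application connects as app_user; the audit table is owned by a
-- separate role so app_user can only append to it through log_access().
CREATE ROLE app_user LOGIN PASSWORD 'placeholder-change-me';
CREATE ROLE audit_owner NOLOGIN;

CREATE TABLE patient_record (
    id          bigserial PRIMARY KEY,
    patient_id  bigint NOT NULL,
    -- PGP ciphertext made with the office's public key; the matching
    -- private key is never stored in the database.
    referral    bytea  NOT NULL
);

CREATE TABLE access_log (
    id          bigserial   PRIMARY KEY,
    logged_at   timestamptz NOT NULL DEFAULT now(),
    db_login    text        NOT NULL DEFAULT session_user, -- connecting role
    actor       text        NOT NULL,  -- application-level user id
    record_id   bigint      NOT NULL,
    action      text        NOT NULL
);
ALTER TABLE access_log OWNER TO audit_owner;
REVOKE ALL ON access_log FROM app_user;   -- no direct read or write

-- Runs with audit_owner's rights, so the app can record an access
-- without being able to read, alter or delete the log.
CREATE OR REPLACE FUNCTION log_access(rec bigint, who text, act text)
RETURNS void LANGUAGE sql SECURITY DEFINER AS $$
    INSERT INTO access_log (record_id, actor, action) VALUES (rec, who, act);
$$;
ALTER FUNCTION log_access(bigint, text, text) OWNER TO audit_owner;
GRANT EXECUTE ON FUNCTION log_access(bigint, text, text) TO app_user;
GRANT SELECT, INSERT ON patient_record TO app_user;
GRANT USAGE, SELECT ON SEQUENCE patient_record_id_seq TO app_user;

-- Writing a referral: encrypt with the office public key (psql variable
-- office_pubkey holds the ASCII-armored key, e.g. set with \set).
INSERT INTO patient_record (patient_id, referral)
VALUES (42, pgp_pub_encrypt('constructed referral text', dearmor(:'office_pubkey')));

-- Reading: the authorized doctor's private key is supplied per request,
-- and the access is logged before the decrypted text is returned.
SELECT log_access(1, 'dr_example', 'view');
SELECT pgp_pub_decrypt(referral, dearmor(:'doctor_privkey'), :'passphrase')
  FROM patient_record WHERE id = 1;
```

Restricting a patient's form session to its own row (the answer's other point) is done at the application layer or with row-level security; it is left out here to keep the sketch short.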