NoSQL databases for PHI?
I don't see why it would be a problem. Actually, I'd say the largest part of healthcare IT runs on a NoSQL solution called MUMPS. You'd just have to be careful how it was implemented, but the argument for using a NoSQL solution actually makes a lot of sense in healthcare. You can read more about MUMPS and its possibly being replaced by the NoSQL solutions you mention above: http://www.emrandhipaa.com/emr-and-hipaa/2011/10/18/analysis-of-mumps-in-healthcare-emr/
I'm sure many would love for MUMPS to be gone and one of the solutions you described be put in place. Although, up until now I can't say I've seen anyone do it yet.
To add to @linda's answer, the database is just another layer in the stack of components that create an application. The security of that system is based upon the combination of all components.
Bottom line:
MongoDB, MySQL, Postgres, etc. They are all just ways of organizing bits for storage/retrieval. There are not necessarily more security flaws in one or the other simply because one is relational and another is object-oriented.
If you are implementing a new EMR or migrating, be sure to talk to your IT guys about project specifics before making any CXO decisions! I've experienced too many tales of management making large, sweeping and disastrous decisions without IT input.
For HIPAA compliance, all patient info needs to be encrypted 'in transit' and 'at rest'. (Source)
Also, I believe Epic uses Caché in some of their products as well. It's an object database.
It's not so much about which tool you use to store the data, but rather how you secure that data. I don't see any reason why a NoSQL solution couldn't be secured to an appropriate level, just as an RDBMS solution could be done in a way that was completely insecure.
Things to consider in securing the data (this is by no means an exhaustive list):
- Access to the server (physical and network security)
- Access to the data on the server (access rights)
- Encryption (I've seen debates over whether it's necessary to encrypt the data)
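To make the three items on that list concrete for one of the NoSQL products named earlier in the thread, here is an added example (mine, not from any answerer) that audits a MongoDB `mongod.conf` for network exposure, authorization and encryption. The two configuration files are constructed samples, not from a real deployment; the keys checked (`net.bindIp`, `net.bindIpAll`, `net.tls.mode`, `security.authorization`, `security.enableEncryption`) are real mongod options, with `enableEncryption` available only in the Enterprise build. The YAML parser handles just the `key: value` / nested-mapping subset that mongod.conf uses, so the script runs with the standard library alone.

```python
"""Audit a mongod.conf against the controls listed in the answer above:
access to the server (network), access to the data (authorization) and
encryption (in transit and at rest). Added example; configs are constructed."""

WEAK_CONF = """\
# constructed sample: a typical unhardened mongod.conf
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

HARDENED_CONF = """\
# constructed sample: the same file with the controls turned on
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
    CAFile: /etc/ssl/ca.pem
security:
  authorization: enabled
  enableEncryption: true        # Enterprise-only encrypted storage engine
  encryptionKeyFile: /etc/mongo/keyfile
"""


def parse_simple_yaml(text):
    """Minimal parser for the 'key: value' and nested-mapping subset used by
    mongod.conf. Deliberately not a general YAML parser: no lists, no quoting."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping) pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:         # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":                       # a key with no scalar opens a mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def get(conf, path, default=None):
    """Look up a dotted path such as 'net.tls.mode'; return default if absent."""
    node = conf
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(conf_text):
    """Return a list of findings; an empty list means every listed control is present."""
    conf = parse_simple_yaml(conf_text)
    findings = []

    # 1. Access to the server: who can reach the port, and is the wire encrypted
    bind_ip = get(conf, "net.bindIp", "127.0.0.1")   # mongod defaults to localhost
    addrs = [a.strip() for a in bind_ip.split(",")]
    if get(conf, "net.bindIpAll") == "true" or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("net.bindIp listens on all interfaces; bind to specific addresses")
    if get(conf, "net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode is not requireTLS; PHI can cross the network in the clear")

    # 2. Access to the data on the server: authentication and role-based access
    if get(conf, "security.authorization") != "enabled":
        findings.append("security.authorization is not enabled; any client that connects has full access")

    # 3. Encryption at rest (Enterprise option; otherwise use disk or application-level crypto)
    if get(conf, "security.enableEncryption") != "true":
        findings.append("security.enableEncryption is off; cover at-rest encryption some other way")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(audit(conf))} finding(s)")
        for f in audit(conf):
            print("  -", f)
```

Running it reports four findings for the weak file and none for the hardened one. The point it illustrates is the one the answer makes: the same product is either exposed or reasonably locked down depending entirely on how it is configured, and the checks map one-to-one onto the list above rather than onto whether the store is relational or document-oriented.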