7. HIPAA
Privacy Rule
Security Rule
  Administrative Safeguards
  Technical Safeguards
  Physical Safeguards
Enforcement Rule
Breach Notification Rule
If you're a developer trying to understand the scope of the build, then you need to focus on the Technical and Physical Safeguards spelled out in the Security Rule; these two sections comprise the majority of your to-do list.
8. Who Needs to be HIPAA Compliant?
If you handle PHI then you need to be HIPAA compliant.

The HIPAA rules apply to both Covered Entities and their Business Associates.
10. "required" vs. "addressable"
Some implementation specifications are "required" and others are "addressable." Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; your choice must be documented.

It is important to remember that an addressable implementation specification is not optional.

When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.
Addressable does NOT mean optional!
11. Technical Safeguards
1. Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.

2. Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.

3. Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

4. Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
12. Technical Safeguards
5. Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

6. Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

7. Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

8. Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.

9. Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
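A developer-facing illustration of specifications 1, 3, 5 and 6 above (unique user identifier, automatic logoff, audit controls, and an integrity mechanism over stored ePHI), added here as example code that is not part of the original deck or of TrueVault's product; the HMAC key, the 15-minute idle limit and the record contents are constructed demo values.

```python
import hashlib
import hmac
import json

# Constructed demo values; a real deployment keeps the key in a KMS/HSM.
INTEGRITY_KEY = b"constructed-demo-key"
INACTIVITY_LIMIT = 15 * 60  # automatic logoff after 15 idle minutes (constructed)


def seal(record: dict) -> str:
    """Integrity tag: HMAC-SHA256 over a canonical JSON encoding of the record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canon, hashlib.sha256).hexdigest()


class Session:
    """One authenticated user; user_id is the unique identifier spec 1 calls for."""
    def __init__(self, user_id: str, now: float):
        self.user_id = user_id
        self.last_active = now


class EphiStore:
    def __init__(self):
        self.records = {}  # record_id -> (record, integrity tag)
        self.audit = []    # append-only trail: (when, who, action, record, outcome)

    def _touch(self, s: Session, now: float, action: str, record_id: str) -> None:
        # Automatic logoff: refuse and log any use of a session idle too long.
        if now - s.last_active > INACTIVITY_LIMIT:
            self.audit.append((now, s.user_id, action, record_id, "denied:idle"))
            raise PermissionError("session expired")
        s.last_active = now

    def put(self, s: Session, record_id: str, record: dict, now: float) -> None:
        self._touch(s, now, "put", record_id)
        self.records[record_id] = (dict(record), seal(record))
        self.audit.append((now, s.user_id, "put", record_id, "ok"))

    def get(self, s: Session, record_id: str, now: float) -> dict:
        self._touch(s, now, "get", record_id)
        record, tag = self.records[record_id]
        # Integrity check: never hand back a record whose tag no longer matches.
        if not hmac.compare_digest(seal(record), tag):
            self.audit.append((now, s.user_id, "get", record_id, "denied:integrity"))
            raise ValueError("record integrity check failed")
        self.audit.append((now, s.user_id, "get", record_id, "ok"))
        return dict(record)
```

Encryption at rest and in transit (specifications 4 and 9) and the authentication step (7) are left to a vetted library and TLS; the point shown here is that every access, including a refused one, lands in the audit trail under a unique user identifier.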
13. Physical Safeguards
1. Facility Access Controls - Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

2. Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

3. Facility Access Controls - Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.
14. Physical Safeguards
4. Facility Access Controls - Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).

5. Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.

6. Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
15. Physical Safeguards
7. Device and Media Controls - Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

8. Device and Media Controls - Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.

9. Device and Media Controls - Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

10. Device and Media Controls - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
16. What Else?
• Emails, texts, voicemails
• 3rd party tools (MixPanel, Loggly, New Relic, etc)
• Administrative Safeguards
• Building a HIPAA compliant infrastructure
17. Q&A Time!
Shameless Promotions:

• TrueVault is hiring Developers, DevOps Engineers in San Francisco
• Join our iOS SDK beta list – Be the first to release an iOS app leveraging Health Book
http://go.truevault.com/ios8
19. May 29, 2014 Confidential - Not for
What is Protected Health Information (PHI)?
PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a healthcare service, such as a diagnosis or treatment.
PHI is information in your medical records, including conversations between your doctors and nurses about your treatment. PHI also includes your billing information and any medical information in your health insurance company's computer system.
This includes any individually identifiable health information collected from an individual by a healthcare provider, employer or plan that includes name, social security number, phone number, medical history, current medical condition, test results and more.
Electronic Protected Health Information (EPHI)
All individually identifiable health information that is created, maintained, or transmitted electronically.
20.
Covered Entity (CE)
Anyone who provides treatment, payment and operations in healthcare. It could include a doctor's office, dental office, clinics, psychologist, nursing home, pharmacy, hospital or home healthcare agency. This also includes health plans, health insurance companies, HMOs, company health plans and government programs that pay for health care. Health clearing houses are also considered covered entities.
21.
Business Associate
Anyone who has access to patient information, whether directly, indirectly, physically or virtually. Additionally, any organization that provides support in the treatment, payment or operations is considered a business associate, i.e. an IT company or a mHealth application that provides secure photo-sharing for physicians. Other examples include a document destruction company, a telephone service provider, accountant, or lawyer.
The business associates also have the responsibility to achieve and maintain HIPAA compliance in terms of all of the internal, administrative, and technical safeguards. A business associate does not work under the covered entity's workforce, but instead performs some type of service on their behalf.