hxrefactored - truevault - jason wang
Post on 09-May-2015
Decoding HIPAA for Developers
Jason Wang
Founder & CEO, TrueVault

1996 – HIPAA
2009 – HITECH
2013 – Final Omnibus Rule Update
HIPAA Acronyms

PHI – Protected Health Information
CE – Covered Entities
BA – Business Associates
BAA – Business Associate Agreement
HIPAA
  Privacy Rule
  Security Rule
    Administrative Safeguards
    Technical Safeguards
    Physical Safeguards
  Enforcement Rule
  Breach Notification Rule
If you're a developer trying to understand the scope of the build, then you need to focus on the Technical and Physical Safeguards spelled out in the Security Rule; these two sections comprise the majority of your to-do list.
Who Needs to be HIPAA Compliant?
If you handle PHI then you need to be HIPAA compliant.
The HIPAA rules apply to both Covered Entities and their Business Associates.
Who Certifies HIPAA Compliance?
The short answer is no one.

"required" vs. "addressable"

Some implementation specifications are "required" and others are "addressable." Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; if you choose an alternative (or none), your choice must be documented.

It is important to remember that an addressable implementation specification is not optional. When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.

Addressable does NOT mean optional.
Technical Safeguards

1. Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
2. Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
3. Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
4. Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
5. Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
6. Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
7. Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
8. Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
9. Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
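The list above names controls, not mechanisms. The following is an added example (not code from the original slides and not TrueVault's implementation) showing how four of the Technical Safeguards map onto concrete code in a small in-memory ePHI store: every session is bound to a unique user identifier that the audit log records (1); any request after an inactivity window terminates the session instead of serving data (3); every access is written to a hash-chained audit log whose entries cannot be edited or deleted without detection (5); and each stored record carries an HMAC over its id and content so unauthorized modification, or swapping one record's bytes under another id, is caught on read (6). The 15-minute inactivity limit, the user id `clinician-0042`, the record id `rec-7731` and the sample diagnosis record are constructed values. Encryption of ePHI at rest (4) is not shown; it would use an AEAD cipher from a library such as `cryptography`, which the standard library does not provide.

```python
"""Constructed example: a tiny in-memory ePHI store wired to HIPAA Technical Safeguards.
Not production code and not TrueVault's implementation."""
import hashlib
import hmac
import json
import secrets
import time

# Assumed policy value for Automatic Logoff; HIPAA does not prescribe a number.
INACTIVITY_LIMIT_SECONDS = 15 * 60
GENESIS_HASH = "0" * 64


class AccessDenied(Exception):
    """Token does not map to a live session."""


class SessionExpired(Exception):
    """Session exceeded the inactivity limit and was terminated (Automatic Logoff)."""


class IntegrityFailure(Exception):
    """Stored ePHI does not match its MAC (Integrity - Mechanism to Authenticate ePHI)."""


class EphiStore:
    def __init__(self, integrity_key: bytes, inactivity_limit: float = INACTIVITY_LIMIT_SECONDS,
                 clock=time.time):
        self._key = integrity_key          # HMAC key; in practice comes from a KMS, not source code
        self._limit = inactivity_limit
        self._clock = clock                # injectable so tests can advance time deterministically
        self._records = {}                 # record_id -> (serialized ePHI, hex MAC)
        self._sessions = {}                # session token -> {"user_id", "last_active"}
        self.audit_log = []                # hash-chained list of audit entries
        self._prev_hash = GENESIS_HASH

    # 1. Access Control - Unique User Identification: every session is bound to one user id,
    #    and that id (never a shared account) is what the audit log records.
    def login(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user_id": user_id, "last_active": self._clock()}
        self._audit(user_id, "login", None)
        return token

    # 3. Access Control - Automatic Logoff: a request after the inactivity window
    #    terminates the session instead of serving the data.
    def _touch(self, token: str) -> str:
        session = self._sessions.get(token)
        if session is None:
            raise AccessDenied("unknown or logged-out session")
        now = self._clock()
        if now - session["last_active"] > self._limit:
            del self._sessions[token]
            self._audit(session["user_id"], "auto_logoff", None)
            raise SessionExpired("session terminated after inactivity")
        session["last_active"] = now
        return session["user_id"]

    # 5. Audit Controls: each entry commits to the hash of the previous one, so editing or
    #    deleting an entry breaks the chain and is caught by verify_audit_log().
    def _audit(self, user_id: str, action: str, record_id) -> None:
        entry = {"ts": self._clock(), "user": user_id, "action": action,
                 "record": record_id, "prev": self._prev_hash}
        entry_hash = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = entry_hash
        self._prev_hash = entry_hash
        self.audit_log.append(entry)

    def verify_audit_log(self) -> bool:
        prev = GENESIS_HASH
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True

    # 6. Integrity - Mechanism to Authenticate ePHI: a keyed MAC over (record id, content),
    #    so a record cannot be altered, or its bytes reused under another id, undetected.
    def _mac(self, record_id: str, data: bytes) -> str:
        return hmac.new(self._key, record_id.encode() + b"\x00" + data, hashlib.sha256).hexdigest()

    def put(self, token: str, record_id: str, phi: dict) -> None:
        user_id = self._touch(token)
        data = json.dumps(phi, sort_keys=True).encode()
        self._records[record_id] = (data, self._mac(record_id, data))
        self._audit(user_id, "write", record_id)

    def get(self, token: str, record_id: str) -> dict:
        user_id = self._touch(token)
        data, mac = self._records[record_id]
        if not hmac.compare_digest(mac, self._mac(record_id, data)):
            self._audit(user_id, "integrity_failure", record_id)
            raise IntegrityFailure(f"record {record_id} failed MAC verification")
        self._audit(user_id, "read", record_id)
        return json.loads(data)


if __name__ == "__main__":
    store = EphiStore(secrets.token_bytes(32), inactivity_limit=5)
    token = store.login("clinician-0042")                  # constructed user id
    store.put(token, "rec-7731", {"dx": "J45.909"})        # constructed ePHI record
    print(store.get(token, "rec-7731"), store.verify_audit_log())
```

The audit chain only makes tampering detectable; it does not prevent it, so in a real deployment the log is shipped to a separate, append-only destination and the HMAC key is held outside the application's own storage, otherwise whoever can rewrite the records can also recompute the MACs.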
Physical Safeguards

1. Facility Access Controls - Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
2. Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
3. Facility Access Controls - Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
4. Facility Access Controls - Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
5. Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
6. Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
7. Device and Media Controls - Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
8. Device and Media Controls - Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
9. Device and Media Controls - Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
10. Device and Media Controls - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.

HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.
What Else?
• Emails, texts, voicemails
• 3rd party tools (MixPanel, Loggly, New Relic, etc.)
• Administrative Safeguards
• Building a HIPAA compliant infrastructure
Q&A Time

Shameless Promotions:
• TrueVault is hiring Developers, DevOps Engineers in San Francisco
• Join our iOS SDK beta list – Be the first to release an iOS app leveraging Health Book: http://go.truevault.com/ios8

Thank you
Jason Wang, Founder & CEO, TrueVault

May 29, 2014 Confidential - Not for Distribution
What is Protected Health Information (PHI)?

PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a healthcare service, such as a diagnosis or treatment. PHI is information in your medical records, including conversations between your doctors and nurses about your treatment. PHI also includes your billing information and any medical information in your health insurance company's computer system. This includes any individually identifiable health information collected from an individual by a healthcare provider, employer or plan that includes name, social security number, phone number, medical history, current medical condition, test results and more.

Electronic Protected Health Information (ePHI)

All individually identifiable health information that is created, maintained, or transmitted electronically.
Covered Entity (CE)

Anyone who provides treatment, payment and operations in healthcare. It could include a doctor's office, dental office, clinics, psychologist, nursing home, pharmacy, hospital or home healthcare agency. This also includes health plans, health insurance companies, HMOs, company health plans and government programs that pay for health care. Health clearing houses are also considered covered entities.
Business Associate (BA)

Anyone who has access to patient information, whether directly, indirectly, physically or virtually. Additionally, any organization that provides support in the treatment, payment or operations is considered a business associate, e.g. an IT company or an mHealth application that provides secure photo-sharing for physicians. Other examples include a document destruction company, a telephone service provider, accountant, or lawyer. Business associates also have the responsibility to achieve and maintain HIPAA compliance in terms of all of the physical, administrative, and technical safeguards. A business associate is not part of the covered entity's workforce, but instead performs some type of service on its behalf.