HxRefactored - TrueVault - Jason Wang


  1. Decoding HIPAA for Developers. Jason Wang, Founder & CEO, TrueVault.
  2. 1996 – HIPAA
  4. 1996 – HIPAA; 2009 – HITECH; 2013 – Final Omnibus Rule Update
  5. HIPAA Acronyms: PHI – Protected Health Information; CE – Covered Entities; BA – Business Associates; BAA – Business Associate Agreement
  6. HIPAA structure (diagram): Privacy Rule; Security Rule (Administrative Safeguards, Technical Safeguards, Physical Safeguards); Enforcement Rule; Breach Notification Rule
  7. HIPAA structure (same diagram as slide 6). If you’re a developer trying to understand the scope of the build, then you need to focus on the Technical and Physical Safeguards spelled out in the Security Rule; these two sections comprise the majority of your to-do list.
  8. Who Needs to be HIPAA Compliant? If you handle PHI then you need to be HIPAA compliant. The HIPAA rules apply to both Covered Entities and their Business Associates.
  9. Who Certifies HIPAA Compliance? The short answer is no one.
  10. “required” vs. “addressable”. Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; your choice must be documented. It is important to remember that an addressable implementation specification is not optional. When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway. Addressable does NOT mean optional!
  11. Technical Safeguards
      1. Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
      2. Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
      3. Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
      4. Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
  12. Technical Safeguards (continued)
      5. Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
      6. Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
      7. Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
      8. Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
      9. Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
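An added example (not from the deck and not TrueVault code) showing what four of the Technical Safeguards above look like in working code: Unique User Identification (every session is bound to one user id), Automatic Logoff after a fixed idle period, Audit Controls (every access attempt, allowed or denied, is recorded), and an Integrity mechanism (a keyed HMAC over each stored ePHI record that is verified on every read). The `EphiStore` class, its key handling and the 900-second timeout are assumptions; encryption at rest is left out so the example needs only the standard library.

```python
import hmac, hashlib, secrets

class EphiStore:
    # Toy ePHI store (added example, not TrueVault code); 'now' is epoch seconds supplied by the caller.
    def __init__(self, integrity_key: bytes, idle_timeout: float = 900.0):
        self.key = integrity_key          # assumption: in production this key lives in a KMS/HSM
        self.idle_timeout = idle_timeout  # Automatic Logoff after this many idle seconds
        self.records = {}                 # patient_id -> (data, hmac tag)
        self.sessions = {}                # token -> (user_id, last_activity)
        self.audit_log = []               # Audit Controls: (time, user, action, patient_id, outcome)
    def _audit(self, now, user, action, patient_id, outcome):
        self.audit_log.append((now, user, action, patient_id, outcome))
    def login(self, user_id: str, now: float) -> str:
        # Unique User Identification: each session is bound to exactly one user_id
        token = secrets.token_hex(16)
        self.sessions[token] = (user_id, now)
        self._audit(now, user_id, "login", None, "ok")
        return token
    def _session_user(self, token, now):
        # Automatic Logoff: drop sessions idle longer than the timeout, otherwise refresh them
        user_id, last = self.sessions.get(token, (None, None))
        if user_id is None:
            return None
        if now - last > self.idle_timeout:
            del self.sessions[token]
            self._audit(now, user_id, "auto_logoff", None, "idle_timeout")
            return None
        self.sessions[token] = (user_id, now)
        return user_id
    def _tag(self, patient_id: str, data: bytes) -> bytes:
        # Integrity mechanism: keyed MAC over the record so unauthorized alteration is detected on read
        return hmac.new(self.key, patient_id.encode() + b"\0" + data, hashlib.sha256).digest()
    def put(self, token, patient_id, data: bytes, now) -> bool:
        user = self._session_user(token, now)
        if user is None:
            self._audit(now, None, "put", patient_id, "denied")
            return False
        self.records[patient_id] = (data, self._tag(patient_id, data))
        self._audit(now, user, "put", patient_id, "ok")
        return True
    def get(self, token, patient_id, now):
        user = self._session_user(token, now)
        if user is None or patient_id not in self.records:
            self._audit(now, user, "get", patient_id, "denied")
            return None
        data, tag = self.records[patient_id]
        if not hmac.compare_digest(tag, self._tag(patient_id, data)):
            self._audit(now, user, "get", patient_id, "integrity_failure")
            return None
        self._audit(now, user, "get", patient_id, "ok")
        return data
```

The audit log is what an examiner would ask for under Audit Controls: denied and expired accesses are recorded alongside successful ones, and an integrity failure is logged rather than silently returning altered data.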
  13. Physical Safeguards
      1. Facility Access Controls - Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
      2. Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
      3. Facility Access Controls - Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
      HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.
  14. Physical Safeguards (continued)
      4. Facility Access Controls - Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
      5. Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
      6. Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
      HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.
  15. Physical Safeguards (continued)
      7. Device and Media Controls - Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
      8. Device and Media Controls - Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
      9. Device and Media Controls - Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
      10. Device and Media Controls - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
      HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.
  16. What Else?
      • Emails, texts, voicemails
      • 3rd party tools (MixPanel, Loggly, New Relic, etc.)
      • Administrative Safeguards
      • Building a HIPAA compliant infrastructure
  17. Q&A Time! Shameless Promotions:
      • TrueVault is hiring Developers and DevOps Engineers in San Francisco
      • Join our iOS SDK beta list – be the first to release an iOS app leveraging Health Book!
  18. Thank you! Jason Wang, Founder & CEO, TrueVault
  19. May 29, 2014 – Confidential - Not for
      What is Protected Health Information (PHI)?
      PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a healthcare service, such as a diagnosis or treatment.
      PHI is information in your medical records, including conversations between your doctors and nurses about your treatment. PHI also includes your billing information and any medical information in your health insurance company's computer system.
      This includes any individually identifiable health information collected from an individual by a healthcare provider, employer or plan that includes name, social security number, phone number, medical history, current medical condition, test results and more.
      Electronic Protected Health Information (EPHI): All individually identifiable health information that is created, maintained, or transmitted electronically.
  20. Covered Entity (CE)
      Anyone who provides treatment, payment and operations in healthcare.
      It could include a doctor’s office, dental office, clinics, psychologist, nursing home, pharmacy, hospital or home healthcare agency.
      This also includes health plans, health insurance companies, HMOs, company health plans and government programs that pay for health care.
      Health clearing houses are also considered covered entities.
  21. Business Associate
      Anyone who has access to patient information, whether directly, indirectly, physically or virtually.
      Additionally, any organization that provides support in the treatment, payment or operations is considered a business associate, i.e. an IT company or a mHealth application that provides secure photo-sharing for physicians. Other examples include a document destruction company, a telephone service provider, accountant, or lawyer.
      The business associates also have the responsibility to achieve and maintain HIPAA compliance in terms of all of the internal, administrative, and technical safeguards.
      A business associate does not work under the covered entity’s workforce, but instead performs some type of service on their behalf.