This document provides an overview of implementing HIPAA compliance solutions on Cloud Foundry. It begins with introductions from Jim Shingler of Cardinal Health and Ralph Meira of Pivotal. It then covers topics like HIPAA history, regulations, terminology, compliance checklists, and implementing HIPAA-compliant technology on various cloud platforms like AWS, GCP, and Azure. It also discusses using blockchain to provide data lineage and integrity for protected health information. Throughout it emphasizes the general rule of assuming PHI data requires a HIPAA-safe computing environment.
1. HIPAA Solutions on Cloud Foundry
Jim Shingler, Cardinal Health
Ralph Meira, Pivotal
2. Jim Shingler, Cardinal Health
Office of Development Transformation
Director of Software Engineering
https://www.linkedin.com/in/jimshingler
@JShingler
4. Demographics Check
Who do we have in the audience?
- Business Analysts
- Project Managers
- Developers
- Who's using Cloud Foundry?
- Who's got PHI flowing through CF?
6. HIPAA $ Impact Examples
$150K for Malware Infection - Anchorage Community Mental Health Services (ACMHS)
$1.7M for Theft of Unencrypted Laptop - Concentra Health Services
$4.8M for Lack of Firewall - NY & Presbyterian Hospital
$400K for Phishing of PHI - Metro Community Provider Network
Fines per Violation
• Did Not Know: $100 - $50K
• Reasonable Cause: $1K - $50K
• Willful Neglect (Corrected): $10K - $50K
• Willful Neglect (Uncorrected): $50K
7. Quick Facts about CF @ Cardinal
- Cardinal 1.5 years and 750 App Instances + SIs
- 6 Foundations (FUSE + Enterprise IT)
- First 5 Apps were live within 1st month
- Multicloud Strategy: AWS + GCP (SandBox)
- No on-premise except for PCF Dev on LapTops
- CI/CD: Jenkins → Exploring Concourse (COJUG)
- Microservices, Spring Boot, Spring Cloud Services
- 240 devs supported by 2 platform engineers
8. Quick Facts
- Tackling Biz IT (.NET) → using PCF Windows
- VMs: 6+ weeks lead time → on-demand self-service
- Strong CIO Leadership / Support
- Cost of a S/W Bug:
- Prod ($2 ~ $5K) - UAT 50% of Prod
- Integration 50% of UAT - Dev is 50% of Integration
- IT Costs only
- PCF Production has been 100% Up since day 1.
9. DevOps Lessons Learned
- Continual empowerment of Dev Teams
- Treat Dev Environment as Production
- Speed → created a demand for DevOps
- Organizational Re-orgs → To better support PCF
- Stress Legacy Processes (no sacred processes)
- Log aggregation, Metrics, Monitoring are key
11. Risk
- Federated IDs for Business Partners (not Cardinal IDs)
- No enterprise should be pulling s/w from Docker Hub (we're looking to use Nexus). Only images from the internal CI/CD repo can be used.
- CVE on a library → allows me to close loops because I know who's impacted.
- Easy: trust but verify vs. block & make it difficult
12. HIPAA Vocabulary and Concepts
PHI = Anything that can be used to identify an individual in the context of Personal Healthcare Information
14. “Compliance”
HIPAA Certification?
The use of the product meets requirements. Unlike PCI (Payment Card Industry), there is no one that can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body that determines compliance. HHS does not endorse or recognize the “certifications” made by private organizations.
There is an evaluation standard in the Security Rule § 164.308(a)(8), and it requires you to perform a periodic technical and non-technical evaluation to make sure that your security policies and procedures meet the security requirements outlined in the rule. HHS doesn't stipulate whether the evaluation is performed internally or by an external organization.
15. HIPAA – Compliance Checklist
http://www.hipaajournal.com/hipaa-compliance-checklist/
OCR – Office for Civil Rights
16. HIPAA - Technology
- Same tech on Prod & Non-Prod Parity
- IPSec, Disk Encryption
- File Integrity Monitoring
- ClamAV (accepting files)
- Container to Container
- Isolation Segments
- Dedicated Tenancy**
- Availability Zones
- DR / HA
- 3 R's (Future)
- CredHub (Future)
General Rule: Assume you need a HIPAA safe environment
** https://aws.amazon.com/blogs/apn/aws-hipaa-program-update-removal-of-dedicated-instance-requirement/
17. HIPAA - Guidelines
- Never put prod data in non-prod environment
- We use the prod foundation w/ partners who are not
ready… because it's all temporary, it's isolated.
- Production becomes our Temp Stage environment.
18. HIPAA - Technology
- Even with SSL make sure your URL isn't carrying
HIPAA data (regardless of cloud or not)
- Microservices = Antifragile Apps = Higher Up Times
- Eligible BAA Services
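The URL warning above matters because the request line, query string included, is written to router and application access logs even when the connection is TLS-protected. The following is an added example (not code from the deck or from Cardinal Health) that scans constructed, gorouter-style access-log lines for PHI-looking material in the request target; the field names, patterns and log lines are assumptions made for the illustration.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines shaped like Cloud Foundry gorouter access logs
# (made-up requests; host, app and request ids are placeholders).
SAMPLE_ACCESS_LOG = """\
claims.example.internal - [2017-10-03T15:04:05.000+0000] "GET /api/claims?member_ssn=123-45-6789&dob=1970-01-01 HTTP/1.1" 200 0 512 "-" "curl/7.54" vcap_request_id:"req-1"
claims.example.internal - [2017-10-03T15:04:06.000+0000] "GET /api/claims/by-patient/Jane%20Doe HTTP/1.1" 200 0 640 "-" "curl/7.54" vcap_request_id:"req-2"
claims.example.internal - [2017-10-03T15:04:07.000+0000] "POST /api/claims HTTP/1.1" 201 230 40 "-" "curl/7.54" vcap_request_id:"req-3"
claims.example.internal - [2017-10-03T15:04:08.000+0000] "GET /api/claims/9f2c1a?page=2 HTTP/1.1" 200 0 880 "-" "curl/7.54" vcap_request_id:"req-4"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
REQ_ID_RE = re.compile(r'vcap_request_id:"(?P<id>[^"]*)"')

# Heuristic (assumed) list of parameter names and path tokens that usually carry identifiers.
SENSITIVE_NAMES = {"ssn", "member_ssn", "dob", "birthdate", "mrn", "patient",
                   "patient_id", "patient_name", "diagnosis", "name"}
PATH_TOKENS = ("patient", "ssn", "mrn")
# Value shapes that identify someone on their own, wherever they appear.
VALUE_PATTERNS = {
    "ssn-shaped value": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date-shaped value": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def scan_target(target: str) -> List[str]:
    """Reasons why a request target (path + query string) looks like it carries PHI."""
    reasons: List[str] = []
    parts = urlsplit(target)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_NAMES:
            reasons.append(f"query parameter '{key}' is a PHI field name")
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                reasons.append(f"query parameter '{key}' has {label}")
    for segment in unquote(parts.path).split("/"):
        lowered = segment.lower().replace("-", "_")
        if any(tok in lowered for tok in PATH_TOKENS):
            reasons.append(f"path segment '{segment}' names a patient lookup key")
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(segment):
                reasons.append(f"path segment '{segment}' has {label}")
    return reasons


def find_phi_in_urls(log_text: str) -> List[Dict[str, object]]:
    """Report every logged request whose URL appears to carry PHI."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        req = REQUEST_RE.search(line)
        if not req:
            continue
        reasons = scan_target(req.group("target"))
        if reasons:
            rid = REQ_ID_RE.search(line)
            findings.append({"request_id": rid.group("id") if rid else None,
                             "method": req.group("method"),
                             "target": req.group("target"),
                             "reasons": reasons})
    return findings
```

Requests req-1 and req-2 are flagged; the POST with PHI in the body and the lookup by opaque id are not, which is the pattern the slide asks for.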
19. HIPAA on GCP
The Google Cloud BAA covers GCP’s entire infrastructure (all regions, all zones,
all network paths, all points of presence), and the following products:
• Google BigQuery
• Google Cloud Bigtable
• Google Cloud Data Loss Prevention API
• Google Cloud Dataflow
• Google Cloud Datalab
• Google Cloud Dataproc
• Google Cloud ML Engine
• Google Cloud Natural Language API
• Google Cloud Pub/Sub
• Google Cloud Speech API
• Google Cloud Stackdriver Logging
• Google Cloud Storage
• Google Cloud SQL for MySQL
• Google Cloud Translation API
• Google Compute Engine
• Google Container Engine
• Google Container Registry
• Google Genomics
https://cloud.google.com/security/compliance/hipaa/#covered-products
20. HIPAA on AWS
• API Gateway (excl. caching)
• Aurora [MySQL-compatible only]
• CloudFront
• Cognito
• AWS Database Migration Service
• AWS Direct Connect
• Directory Services (excl. Simple AD & AD Connector)
• DynamoDB
• Elastic Block Store (EBS)
• Elastic Compute Cloud (EC2)
• Elastic Load Balancing
• Amazon Elastic MapReduce (EMR)
• Glacier
• Redshift
• RDS [MySQL, Oracle, PostgreSQL]
• AWS Shield [Std & Adv]
• Simple Notification Service (SNS)
• Simple Queue Service (SQS)
• S3 [incld. S3 Transfer Acc]
• Snowball
• Virtual Private Cloud (VPC)
• Web Application Firewall (WAF)
• Amazon WorkSpaces
https://aws.amazon.com/compliance/hipaa-eligible-services-reference/
21. HIPAA on Azure
• API Management
• App Services (API, Logic, Mobile & Web)
• Application Gateway
• Application Insights
• Automation
• Active Directory (Free, Basic, B2C) & DNS
• Container Service
• Cosmos DB
• DevTest Labs
• Information Protection (incl. Rights Mgmt.)
• Azure Portal & Resource Manager
• Backup, Batch, Event Hubs, Scheduler
• Data Catalog & Data Factory
• Key Vault
• BizTalk Services
• Cloud Services
• Data Lake Analytics
• Data Lake Store
• ExpressRoute
• Functions
• HDInsight
• Import/Export
• IoT Hub
• Load Balancer
• Log Analytics
• Machine Learning
• Media Services
• Multi-Factor Auth.
• Notification Hubs
• Power BI Embedded
• Redis Cache
• Security Center
• Service Bus & Fabric
• Site Recovery
• SQL DW & DB
• SQL Server Stretch DB
• Storage & StorSimple
• Stream Analytics
• VMs & Network
• VPN Gateway
https://www.microsoft.com/en-us/TrustCenter/Compliance/HIPAA
25. Area of Investigation: Blockchain
- Data Lineage
- The challenge: imagine you needed to implement a system that stores and manipulates PHI data. At any time, it must be possible for anyone to independently verify when the PHI Data entered the system, and that it has not been modified. The PHI Data must not be exposed publicly.
https://content.pivotal.io/blog/blockchain-use-cases-for-blockchain-on-cloud-foundry
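One way to meet the three requirements of that challenge, as an added example that is not the deck's or Pivotal's design: only a salted (keyed) hash of each PHI record goes onto the public ledger, so the ledger exposes no PHI and the low-entropy record cannot be brute-forced from its hash; an append-only hash chain (assumed here as a stand-in for the blockchain) lets anyone check that the timestamped commitments were never rewritten; and an auditor handed the record plus its salt can confirm the record is unmodified and when it entered. The record, salt handling and chain layout are assumptions for the illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample PHI record (fictional patient); it never reaches the public ledger.
SAMPLE_RECORD = {"patient_id": "P-0001", "name": "Jane Doe", "dx": "J45.909"}

def canonical(record: Dict) -> bytes:
    """Stable byte encoding so the same record always produces the same commitment."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def commit(record: Dict, salt: bytes) -> str:
    """Salted commitment: a keyed hash keeps low-entropy PHI unguessable from the public value."""
    return hmac.new(salt, canonical(record), hashlib.sha256).hexdigest()

@dataclass
class Entry:
    index: int
    timestamp: str     # when the PHI entered the system (supplied by the writer)
    commitment: str    # keyed hash of the PHI; the PHI itself stays in the private store
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        payload = f"{self.index}|{self.timestamp}|{self.commitment}|{self.prev_hash}"
        return hashlib.sha256(payload.encode()).hexdigest()

class PublicLedger:
    """Append-only hash chain standing in for the blockchain; it holds commitments only."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, commitment: str, timestamp: str) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else "0" * 64
        entry = Entry(len(self.entries), timestamp, commitment, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def chain_is_intact(self) -> bool:
        """Anyone can run this on the public ledger: detects any rewritten or reordered entry."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry.index != i or entry.prev_hash != prev or entry.entry_hash != entry.compute_hash():
                return False
            prev = entry.entry_hash
        return True

def verify_record(ledger: PublicLedger, index: int, record: Dict, salt: bytes) -> Optional[str]:
    """A verifier given the record and its salt learns when it entered and that it is unmodified."""
    if not ledger.chain_is_intact() or index >= len(ledger.entries):
        return None
    entry = ledger.entries[index]
    if not hmac.compare_digest(entry.commitment, commit(record, salt)):
        return None
    return entry.timestamp
```

The salt (a fresh random value per record, e.g. `secrets.token_bytes(32)`) lives with the PHI in the private store; publishing it to a single auditor reveals that record's integrity proof without exposing anything else on the ledger.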
29. HIPAA Terminology
- Business Associates
- Business Associate Agreement
- Covered Entities (CE)
- Electronic Data Interchange (EDI)
- Electronic Health Records (EHR)
- Electronic Protected Health Information (EPHI)
- Healthcare Clearinghouse
- Health Information
- HIPAA
- HITECH
- HIPAA Audit
- HIPAA Violations
- Civil Penalties
- Due Diligence
- Reasonable Cause
- Willful Neglect
- Criminal Penalties
- Individually Identifiable Health Information
- OCR HIPAA Audit Protocol
- Privacy Rule
- Protected Health Information (PHI)
- Security Rule
Business Associates: Anyone who has access to patient information, whether directly, indirectly, physically or virtually. Additionally, any organization that provides support in the treatment, payment or operations is considered a business associate, i.e. an IT company or a billing and claims processing company. Other examples include a document destruction company, a telephone service provider, accountant or lawyer. The business associates also have the responsibility to achieve and maintain HIPAA compliance in terms of all of the internal, administrative and technical safeguards. A business associate does not work under the covered entity's workforce, but instead performs some type of service on their behalf.
30. HIPAA Terminology
Business Associate Agreement: The agreement standard document that clearly defines the roles and responsibilities of a business associate and the covered entity. The other key piece of the Business Associates Agreement is the assurance that businesses will take proper steps to implement the appropriate safeguards: administrative, physical and technical.
Covered Entities (CE): Anyone who provides treatment, payment and operations in healthcare: a doctor's office, dental office, clinics, psychologist, nursing home, pharmacy, hospital or home healthcare agency. This also includes health plans, health insurance companies, HMOs, company health plans and government programs that pay for health care. Health clearing houses are also considered covered entities.
31. HIPAA Terminology
Electronic Data Interchange (EDI): The communication or exchange of business documents between companies via computer and networks.
Electronic Health Records (EHR): Any electronic record of patient health information generated within a clinical institution or environment, such as a hospital or doctor's office: e.g. medical history, laboratory results, immunizations, demographics, etc.
Electronic Protected Health Information (EPHI): All individually identifiable health information that is created, maintained or transmitted electronically.
Healthcare Clearinghouse: An organization that standardizes health information. One example is a billing company that processes data from its initial format into a standardized billing format.
32. HIPAA Terminology
Health Information: Patient information collected by a health plan, health care provider, public health authority, employer, healthcare clearinghouse or other organization that falls under covered entity.
Healthcare Insurance Portability and Accountability Act (HIPAA): Initially created in 1996 to help the public with insurance portability, they eventually built administrative simplifications that involved electronic, medical record technology and other components.
HIPAA Violations: If a company fails to comply with HIPAA rules, they are subject to both civil and criminal penalties.
33. HIPAA Terminology
HITECH: The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. The act included incentives offered to physicians in private practices, as well as institutional practices to implement and adopt electronic medical records. In addition to incentives, the act included a series of fines to help enforce HIPAA rules. HITECH also mandated that business associates of covered entities, as well as the covered entities themselves, were responsible for the same level of HIPAA compliance.
34. HIPAA Terminology
HIPAA Audit is comprised of regulations, standards and implementation specifications. The audit is an analysis that helps pinpoint the organization's current state and what steps need to be taken to get the organization compliant. An evaluation is part of the audit - a company must perform an evaluation and undergo periodic evaluations, at a minimum, once a year. As technology changes, different components are added to an organization's infrastructure and they should be re-evaluated. While covered entities need to undergo HIPAA audits, third-party business associates also need to comply. This includes any company that might provide services for a covered entity, for example, an application hosted in a cloud and provided to a covered entity.
35. HIPAA Terminology
Civil Penalties, established by the American Recovery and Reinvestment Act of 2009 (ARRA), are a tiered civil penalty structure used to determine the cause and consequences of the HIPAA breaches. The Secretary of the Department of Health and Human Services has the ability to ultimately determine fines and penalties due to the extent of the violation on a case-by-case basis.
Due Diligence: An organization is in violation, but they have taken every possible step they could have foreseen to prevent that.
Minimum fine: $100 per incident with annual maximum of $25,000 for repeat violations
Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations
36. HIPAA Terminology
Reasonable Cause: The steps have been taken, but something was not addressed. For example, a company went into a HIPAA audit and provided a gap analysis, but something wasn't addressed yet. The violation is due to reasonable cause and not willful neglect.
Minimum fine: $1,000 per incident with annual maximum of $100,000 for repeat violations
Maximum fine: $50,000 per incident with annual maximum of $1.5 million for repeat violations
37. HIPAA Terminology
Willful Neglect - There are two types of willful neglect:
(1) A company clearly ignores the HIPAA law but corrects their mistake within the given amount of time.
Minimum fine: $10,000 per incident with annual maximum of $1.5 million for repeat violations
Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations
(2) A company ignores the HIPAA law and does not correct their mistake.
Minimum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations
Maximum fine: $50,000 per incident with annual maximum of $250,000 for repeat violations
38. HIPAA Terminology
Criminal Penalties - The U.S. Department of Justice establishes who can be held liable for HIPAA violations due to criminal activity. This includes covered entities and any specified individual working under a covered entity. Anyone who knowingly misuses health information can be fined up to $50,000 including up to a year of imprisonment. More serious offenses call for higher fines and prison time.
Individually Identifiable Health Information: A subset of health information. It includes demographic information about an individual's health that identifies or can be used to identify the individual: e.g. name, address, date of birth, etc.
39. HIPAA Terminology
OCR HIPAA Audit Protocol: Before 2012 there was no federal standard for third-party auditors to conduct a HIPAA audit. With the publication of the new Office for Civil Rights (OCR) audit protocol, auditors are able to gain a more consistent direction on how the OCR will conduct HIPAA audits in the future. The protocol covers requirements found in the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.
Privacy Rule: The part of the HIPAA rule that addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient's own right to access.
40. HIPAA Terminology
Protected Health Information (PHI) includes any individually identifiable health information collected from an individual by a healthcare provider, employer or plan that includes name, social security number, phone number, medical history, current medical condition, test results and more.
Security Rule: The part of the HIPAA rule that outlines national security standards intended to protect health data created, received, maintained or transmitted electronically.