SlideShare a Scribd company logo

HIPAA Compliance for Developers

TrueVault
TrueVault

Developers building healthcare applications for mobile devices, wearables and the desktop need to understand HIPAA requirements in order to build apps that are in compliance. This deck gives application developers an overview of the HIPAA rules and what it means for their software development.

HealthcareTechnologyBusiness
1 of 37
Download to read offline
HIPAA Compliance for Developers Breaking down the regulatory issues around building digital health apps for fun and profit. HIPAA compliant database-as-a-service
HIPAA Compliance is a 
 Brutal Time Suck! ! “[Building our own HIPAA compliant infrastructure] took upwards of 1,000 person-hours to figure out HIPAA-compliance issues. This will continue to be an ongoing cost for us, because HIPAA is an ongoing law and it changes sometimes. It takes substantial auditing time and money. TrueVault would save us all that.” 
 Posted on Hacker News by jph
 (Unsolicited comment. Not a customer.) HIPAA compliant database-as-a-service
First off, What is HIPAA? Health Insurance Portability and Accountability Act • HIPAA sets the standard for protecting sensitive patient data. • Covered Entities and their Business Associates need to protect the privacy and security of protected health information (PHI). • Developed in 1996. HIPAA was initially created to help the public with insurance portability. In addition, they built a series of privacy tools to protect healthcare data. HIPAA compliant database-as-a-service
What Does HIPAA Require? 1.Put safeguards in place to protect patient health information. 2.Reasonably limit use and sharing to the minimum necessary to accomplish your intended purpose. 3.Have agreements in place with service providers that perform covered functions. These agreements (BAAs) ensure that service providers (Business Associates) use, safeguard and disclose patient information properly. 4.Procedures to limit who can access patient health information, and training programs about how to protect patient health information. HIPAA compliant database-as-a-service
The Four Rules of HIPAA Like the four horsemen, these are the major pieces that govern what you do and how you do it. 1.HIPAA Privacy Rule 2.HIPAA Security Rule 3.HIPAA Enforcement Rule 4.HIPAA Breach Notification Rule
 HIPAA compliant database-as-a-service Developers need to focus on the Technical and Physical safeguards outlined in the Security Rule.
The Privacy Rule HIPAA compliant database-as-a-service Addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient’s own right to access.
The Security Rule HIPAA compliant database-as-a-service Outlines national security standards intended to protect health data created, received, maintained, or transmitted electronically.
The Security Rule HIPAA compliant database-as-a-service September 23, 2013 Before Sept 23. Rules applied to hospitals, doctors, clinics, etc. After Sept 23. The rules now apply to anyone that touches PHI.
 
 (e.g. an IT company or a mHealth application that provides secure photo- sharing for physicians). Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
HIPAA compliant database-as-a-service “Do I need to be HIPAA compliant?”
HIPAA compliant database-as-a-service “Do I need to be HIPAA compliant?” If you handle PHI then you need to be HIPAA compliant. The HIPAA rules apply to both Covered Entities and their Business Associates
What is Protected Health Information (PHI)? • PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a healthcare service. • Includes: • Medical records • Billing information • Health insurance information • Any individually identifiable health information HIPAA compliant database-as-a-service
Electronic Protected Health Information (EPHI) HIPAA compliant database-as-a-service All individually identifiable health information that is created, maintained, or transmitted electronically.
Covered Entity (CE) HIPAA compliant database-as-a-service • Anyone who provides treatment, payment and operations in healthcare. • Includes: • Doctor’s office, dental offices, clinics, psychologists, • Nursing home, pharmacy, hospital or home healthcare agency • Health plans, insurance companies, HMOs • Government programs that pay for healthcare • Health clearing houses
Business Associate (BA) HIPAA compliant database-as-a-service • Anyone who has access to patient information, whether directly, indirectly, physically or virtually. • Any organization that provides support in the treatment, payment or operations • Includes: • IT providers, health applications • Telephone service provider, document management and destruction • Accountant, lawyer or other service provider Business associates have the responsibility to achieve and maintain HIPAA compliance in terms of all of the internal, administrative, and technical safeguards.
Exceptions HIPAA compliant database-as-a-service • Entities providing data transmission services, including services that involve temporary storage of PHI that is incident to the transmission (e.g. courier services and their electronic equivalents, such as ISPs or telecoms). While entities that are “mere conduits” for PHI are not Business Associates, the rules emphasize that this exception is narrow.
HIPAA compliant database-as-a-service “Who certifies HIPAA compliance?”
HIPAA compliant database-as-a-service “Who certifies HIPAA compliance?” The short answer is no one.
Who certifies HIPAA compliance? • Unlike PCI, there is no one that can “certify” that an organization is HIPAA compliant. • The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body. HHS does not endorse or recognize the “certifications” made by private organizations. • The evaluation standard in the Security Rule § 164.308(a)(8) requires you to perform a periodic technical and non-technical evaluation to make sure your security policies and procedures meet security requirements. • But, HHS doesn’t care if the evaluation is performed internally or by an external organization. HIPAA compliant database-as-a-service
Penalties & Fines • Violations are expensive, to put it mildly. HIPAA compliant database-as-a-service
HIPAA compliant database-as-a-service “How do I become HIPAA compliant?”
HIPAA compliant database-as-a-service “How do I become HIPAA compliant?” The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).
3 Parts to the Security Rule 1.Administrative Safeguards 2.Technical Safeguards 3.Physical Safeguards HIPAA compliant database-as-a-service
“required” vs. “addressable” • Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented. • Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; your choice must be documented. • It is important to remember that an addressable implementation specification is not optional. HIPAA compliant database-as-a-service When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.
Administrative Safeguards The administrative components are really important when implementing a HIPAA compliance program; you are required to: 1.Assign a privacy officer 2.Complete a risk assessment annually 3.Implement employee training 4.Review policies and procedures 5.Execute Business Associate Agreements (BAAs) with all partners who handle protected health information (PHI) HIPAA compliant database-as-a-service
Administrative Safeguards Companies who can help with the administrative components of a compliance program: • Accountable -- http://accountablehq.com • Compliance Helper -- http://www.compliancehelper.com • Compliancy Group -- http://compliancy-group.com HIPAA compliant database-as-a-service
Technical Safeguards 1.Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity. 2.Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency. 3.Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. 4.Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI. HIPAA compliant database-as-a-service
Technical Safeguards 5.Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. 6.Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. 7.Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. 8.Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. 9.Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate. HIPAA compliant database-as-a-service
Physical Safeguards 1.Facility Access Controls - Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. 2.Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. 3.Facility Access Controls - Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. 4.Facility Access Controls - Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks). 5.Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. HIPAA compliant database-as-a-service HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.
Physical Safeguards 6.Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users. 7.Device and Media Controls - Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored. 8.Device and Media Controls - Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. 9.Device and Media Controls - Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore. 10.Device and Media Controls - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment. HIPAA compliant database-as-a-service
TrueVault Handles All Technical Requirements HIPAA compliant database-as-a-service Administrative Safeguards Technical Safeguards Encryption and Decryption, Key Management, Key Rotation, Access Control, Unique User Identification, Emergency Access, Automatic Logoff, Audit Controls, Mechanism to Authenticate Electronic PHI, Person or Entity Authentication, Transmission Security, Integrity Controls Physical Safeguards Facility Access Ctrl, Workstation Use and Security, Devices and Media Controls HIPAA Compliant Hosting TrueVault • TrueVault handles both Technical and Physical Safeguards. ! • Develop a healthcare application without building a HIPAA compliant infrastructure. ! • FireHost and AWS have high minimum charges ($1,115 and $1,500) and offer no help with the Technical Safeguards.
How Does TrueVault Fit In? HIPAA compliant database-as-a-service ! • Developers access TrueVault via a RESTful API and native clients. ! • Typical integration takes days. TrueVault works just like any other API services. ! • TrueVault provides all client- side and server-side functionalities required by HIPAA. Customer)Backend)Web) Services)) Standard)Database) TrueVault) (HIPAA)Compliant)) non@PHI)Data) PHI)Data) (REST)API))
TrueVault Features HIPAA compliant database-as-a-service JSON Store The TrueVault JSON Store is a lightweight, document-oriented storage system, and enables persistent HIPAA compliant storage of JSON documents. BLOB Store The TrueVault BLOB (binary large object) Store offers HIPAA compliant binary storage for any file format. This includes DICOM files (e.g. X-Rays, CT Scans, MRIs), PDFs, scanned medical records, images, and videos. Encrypted Search Search encrypted data stored in TrueVault. Query (GET) documents by any field, not just the documentId.
TrueVault Features HIPAA compliant database-as-a-service Browser-to-TrueVault Upload Browser-to-TrueVault direct file upload and download web form. You can upload binary files directly to TrueVault’s BLOB Store using HTML forms. User Management and Authentication User Management console. You can create and manage users, groups, and permissions via TrueVault so that PHI never touches your stack. TrueVault provides identity and access management, plus 2-factor authentication out of the box. Use our identity API for custom access flows or add Sign-In, Sign-Up, and My Account pages in seconds with our JavaScript user controls. Encryption and Decryption TrueVault encrypts all at-rest data with AES-256 and stores keys securely. Our infrastructure for healthcare data storage and transmission runs in a separate hosting environment inaccessible by our primary services.
TrueVault Features HIPAA compliant database-as-a-service Audit Control Every user action and API call is automatically recorded for compliance. An audit log can be searched and retrieved via our API. Automatic Logoff Configure the automatic user session timeout window via our API or the Management Console. Emergency Access Easily add an Emergency Access Request page to your app with a CNAME record. We’ll handle the authentication flow for you, and track activities for compliance. Single-user credentials can also be created via the API for custom emergency workflows.
TrueVault Features HIPAA compliant database-as-a-service Proactive Monitoring TrueVault’s proprietary anomaly-based detection algorithm will alert you, or your customer, when abnormal user activity is detected. At-Rest Data Integrity A checksum is computed for every at-rest record, and the integrity of the data is continuously checked. Integrity Control and Encryption TrueVault regularly audits the details of our implementation: the certificates we serve, our certificate authorities, and our ciphers. We ensure that browsers and API clients interact with TrueVault over HTTPS only.
HIPAA compliant database-as-a-service "Becoming HIPAA compliant as an early stage organization was a daunting task, until we found TrueVault! Their turn-key API has allowed us to check this box and get back to focusing on our core product and offering." Edith Elliott
 CEO Noora Health
Try TrueVault for Free HIPAA compliant database-as-a-service $0.001 / API call / monthFree for Development • No credit card required. • No time limit on the free trial period. • Unlimited API calls and storage. • But, no BAA and no insurance. API Calls Monthly Cost 
0 -100,000 $100 101,000 $101 250,000 $250 1,000,000 $1,000 • Unlimited JSON documents • Unlimited BLOB objects • Business Associated Agreement • Privacy/Data Breach Insurance • Service Level Agreement Get Started

Recommended

Application Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceApplication Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA Compliance
TrueVault
 
HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to know
Compliancy Group
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to You
Winston & Strawn LLP
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & Security
National Pharmacy Technician Association
 
Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)bholmes
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
Prince George
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA BasicsKarna *
 
HIPPA Compliance
HIPPA ComplianceHIPPA Compliance
HIPPA Compliancedixibee
 

Recommended

Application Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceApplication Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA Compliance
TrueVault
 
HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to know
Compliancy Group
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to You
Winston & Strawn LLP
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & Security
National Pharmacy Technician Association
 
Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)Sylvia hipaa powerpoint presentation 2010(2)
Sylvia hipaa powerpoint presentation 2010(2)bholmes
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
Prince George
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA BasicsKarna *
 
HIPPA Compliance
HIPPA ComplianceHIPPA Compliance
HIPPA Compliancedixibee
 
Security & Privacy for Health Data
Security & Privacy for Health DataSecurity & Privacy for Health Data
Security & Privacy for Health DataNawanan Theera-Ampornpunt
 
The Role of Content Management in Electronic Health Records (EMR)
The Role of Content Management in Electronic Health Records (EMR)The Role of Content Management in Electronic Health Records (EMR)
The Role of Content Management in Electronic Health Records (EMR)John Wang
 
HIPAA Compliance
HIPAA ComplianceHIPAA Compliance
HIPAA Compliance
Manny Oliverez
 
Health Information Exchange (HIE)
Health Information Exchange (HIE)Health Information Exchange (HIE)
Health Information Exchange (HIE)
Greenway Health
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA Compliance
CBIZ, Inc.
 
Healthcare Information Systems - Past, Present, and Future
Healthcare Information Systems - Past, Present, and FutureHealthcare Information Systems - Past, Present, and Future
Healthcare Information Systems - Past, Present, and FutureHealth Catalyst
 
HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGY
mariaradziminski
 
HL7 Standards
HL7 StandardsHL7 Standards
HL7 Standards
Nawanan Theera-Ampornpunt
 
Health Level 7
Health Level 7Health Level 7
Health Level 7
Eve Rizza Katalbas
 
HIPAA
HIPAAHIPAA
HIPAA
Alanoud Alqoufi
 
Healthcare information technology
Healthcare information technologyHealthcare information technology
Healthcare information technologyDr.Vijay Talla
 
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
Sanjeev Bharwan
 
5 Reasons Why Healthcare Data is Unique and Difficult to Measure
5 Reasons Why Healthcare Data is Unique and Difficult to Measure5 Reasons Why Healthcare Data is Unique and Difficult to Measure
5 Reasons Why Healthcare Data is Unique and Difficult to Measure
Health Catalyst
 
HIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowHIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to know
Shred-it
 
HIPAA for Dummies
HIPAA for DummiesHIPAA for Dummies
HIPAA for Dummies
hipaacompliance
 
Hospital Information Systems & Electronic Health Records
Hospital Information Systems & Electronic Health RecordsHospital Information Systems & Electronic Health Records
Hospital Information Systems & Electronic Health Records
Nawanan Theera-Ampornpunt
 
EHR Implementation PPT.pptx
EHR Implementation PPT.pptxEHR Implementation PPT.pptx
EHR Implementation PPT.pptx
Deborah Olabisi
 
Health Information Privacy and Security
Health Information Privacy and SecurityHealth Information Privacy and Security
Health Information Privacy and Security
Nawanan Theera-Ampornpunt
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA Complaince
FarhatParveen10
 
Hipaa
HipaaHipaa
HipaaJason Wrench
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
MBMeHealthCareSolutions
 
HxRefactored - TrueVault - Jason Wang
HxRefactored - TrueVault - Jason WangHxRefactored - TrueVault - Jason Wang
HxRefactored - TrueVault - Jason WangHxRefactored
 

More Related Content

What's hot

The Role of Content Management in Electronic Health Records (EMR)
The Role of Content Management in Electronic Health Records (EMR)The Role of Content Management in Electronic Health Records (EMR)
The Role of Content Management in Electronic Health Records (EMR)John Wang
 
HIPAA Compliance
HIPAA ComplianceHIPAA Compliance
HIPAA Compliance
Manny Oliverez
 
Health Information Exchange (HIE)
Health Information Exchange (HIE)Health Information Exchange (HIE)
Health Information Exchange (HIE)
Greenway Health
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA Compliance
CBIZ, Inc.
 
Healthcare Information Systems - Past, Present, and Future
Healthcare Information Systems - Past, Present, and FutureHealthcare Information Systems - Past, Present, and Future
Healthcare Information Systems - Past, Present, and FutureHealth Catalyst
 
HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGY
mariaradziminski
 
HL7 Standards
HL7 StandardsHL7 Standards
HL7 Standards
Nawanan Theera-Ampornpunt
 
Health Level 7
Health Level 7Health Level 7
Health Level 7
Eve Rizza Katalbas
 
HIPAA
HIPAAHIPAA
HIPAA
Alanoud Alqoufi
 
Healthcare information technology
Healthcare information technologyHealthcare information technology
Healthcare information technologyDr.Vijay Talla
 
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
Sanjeev Bharwan
 
5 Reasons Why Healthcare Data is Unique and Difficult to Measure
5 Reasons Why Healthcare Data is Unique and Difficult to Measure5 Reasons Why Healthcare Data is Unique and Difficult to Measure
5 Reasons Why Healthcare Data is Unique and Difficult to Measure
Health Catalyst
 
HIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowHIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to know
Shred-it
 
HIPAA for Dummies
HIPAA for DummiesHIPAA for Dummies
HIPAA for Dummies
hipaacompliance
 
Hospital Information Systems & Electronic Health Records
Hospital Information Systems & Electronic Health RecordsHospital Information Systems & Electronic Health Records
Hospital Information Systems & Electronic Health Records
Nawanan Theera-Ampornpunt
 
EHR Implementation PPT.pptx
EHR Implementation PPT.pptxEHR Implementation PPT.pptx
EHR Implementation PPT.pptx
Deborah Olabisi
 
Health Information Privacy and Security
Health Information Privacy and SecurityHealth Information Privacy and Security
Health Information Privacy and Security
Nawanan Theera-Ampornpunt
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA Complaince
FarhatParveen10
 

What's hot (20)

Security & Privacy for Health Data
Security & Privacy for Health DataSecurity & Privacy for Health Data
Security & Privacy for Health Data
 
The Role of Content Management in Electronic Health Records (EMR)
The Role of Content Management in Electronic Health Records (EMR)The Role of Content Management in Electronic Health Records (EMR)
The Role of Content Management in Electronic Health Records (EMR)
 
HIPAA Compliance
HIPAA ComplianceHIPAA Compliance
HIPAA Compliance
 
Health Information Exchange (HIE)
Health Information Exchange (HIE)Health Information Exchange (HIE)
Health Information Exchange (HIE)
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA Compliance
 
Healthcare Information Systems - Past, Present, and Future
Healthcare Information Systems - Past, Present, and FutureHealthcare Information Systems - Past, Present, and Future
Healthcare Information Systems - Past, Present, and Future
 
HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGY
 
HL7 Standards
HL7 StandardsHL7 Standards
HL7 Standards
 
Health Level 7
Health Level 7Health Level 7
Health Level 7
 
HIPAA
HIPAAHIPAA
HIPAA
 
Healthcare information technology
Healthcare information technologyHealthcare information technology
Healthcare information technology
 
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
 
5 Reasons Why Healthcare Data is Unique and Difficult to Measure
5 Reasons Why Healthcare Data is Unique and Difficult to Measure5 Reasons Why Healthcare Data is Unique and Difficult to Measure
5 Reasons Why Healthcare Data is Unique and Difficult to Measure
 
HIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowHIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to know
 
HIPAA for Dummies
HIPAA for DummiesHIPAA for Dummies
HIPAA for Dummies
 
Hospital Information Systems & Electronic Health Records
Hospital Information Systems & Electronic Health RecordsHospital Information Systems & Electronic Health Records
Hospital Information Systems & Electronic Health Records
 
EHR Implementation PPT.pptx
EHR Implementation PPT.pptxEHR Implementation PPT.pptx
EHR Implementation PPT.pptx
 
Health Information Privacy and Security
Health Information Privacy and SecurityHealth Information Privacy and Security
Health Information Privacy and Security
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA Complaince
 
Hipaa
HipaaHipaa
Hipaa
 

Similar to HIPAA Compliance for Developers

Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
MBMeHealthCareSolutions
 
HxRefactored - TrueVault - Jason Wang
HxRefactored - TrueVault - Jason WangHxRefactored - TrueVault - Jason Wang
HxRefactored - TrueVault - Jason WangHxRefactored
 
An Overview of HIPAA Laws and Regulations.pdf
An Overview of HIPAA Laws and Regulations.pdfAn Overview of HIPAA Laws and Regulations.pdf
An Overview of HIPAA Laws and Regulations.pdf
SeasiaInfotech2
 
The importance of hipaa compliance and training
The importance of hipaa compliance and trainingThe importance of hipaa compliance and training
The importance of hipaa compliance and training
LaDavia Day, MHA, BS
 
Complying with HIPAA Security Rule
Complying with HIPAA Security RuleComplying with HIPAA Security Rule
Complying with HIPAA Security Rule
complianceonline123
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUST
ControlCase
 
HIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesHIPAA Compliance For Small Practices
HIPAA Compliance For Small Practices
Nisos Health
 
Comp8 unit6a lecture_slides
Comp8 unit6a lecture_slidesComp8 unit6a lecture_slides
Comp8 unit6a lecture_slides
CMDLMS
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docx
VistaInfosec
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simple
Jose Ivan Delgado, Ph.D.
 
Explain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfExplain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdf
arjunenterprises1978
 
Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017
Kimberly Simon MBA
 
HIPAA Compliance Testing In Software Applications.pdf
HIPAA Compliance Testing In Software Applications.pdfHIPAA Compliance Testing In Software Applications.pdf
HIPAA Compliance Testing In Software Applications.pdf
Zoe Gilbert
 
HealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUSTHealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUST
Kimberly Simon MBA
 
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
Ajeet Singh
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rssupportc2go
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associates
gppcpa
 
Importance of HIPAA Compliance for Small Healthcare Clinics.pptx
Importance of HIPAA Compliance for Small Healthcare Clinics.pptxImportance of HIPAA Compliance for Small Healthcare Clinics.pptx
Importance of HIPAA Compliance for Small Healthcare Clinics.pptx
IT in DFW
 
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations
OnRamp
 
What Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sWhat Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​s
Iatric Systems
 

Similar to HIPAA Compliance for Developers (20)

Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
 
HxRefactored - TrueVault - Jason Wang
HxRefactored - TrueVault - Jason WangHxRefactored - TrueVault - Jason Wang
HxRefactored - TrueVault - Jason Wang
 
An Overview of HIPAA Laws and Regulations.pdf
An Overview of HIPAA Laws and Regulations.pdfAn Overview of HIPAA Laws and Regulations.pdf
An Overview of HIPAA Laws and Regulations.pdf
 
The importance of hipaa compliance and training
The importance of hipaa compliance and trainingThe importance of hipaa compliance and training
The importance of hipaa compliance and training
 
Complying with HIPAA Security Rule
Complying with HIPAA Security RuleComplying with HIPAA Security Rule
Complying with HIPAA Security Rule
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUST
 
HIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesHIPAA Compliance For Small Practices
HIPAA Compliance For Small Practices
 
Comp8 unit6a lecture_slides
Comp8 unit6a lecture_slidesComp8 unit6a lecture_slides
Comp8 unit6a lecture_slides
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docx
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simple
 
Explain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdfExplain the security implications of HIPPA requirements for hospital.pdf
Explain the security implications of HIPPA requirements for hospital.pdf
 
Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017
 
HIPAA Compliance Testing In Software Applications.pdf
HIPAA Compliance Testing In Software Applications.pdfHIPAA Compliance Testing In Software Applications.pdf
HIPAA Compliance Testing In Software Applications.pdf
 
HealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUSTHealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUST
 
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rs
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associates
 
Importance of HIPAA Compliance for Small Healthcare Clinics.pptx
Importance of HIPAA Compliance for Small Healthcare Clinics.pptxImportance of HIPAA Compliance for Small Healthcare Clinics.pptx
Importance of HIPAA Compliance for Small Healthcare Clinics.pptx
 
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations
 
What Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sWhat Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​s
 

Recently uploaded

Dehradun ❤CALL Girls 8901183002 ❤ℂall Girls IN Dehradun ESCORT SERVICE❤
Dehradun ❤CALL Girls 8901183002 ❤ℂall Girls IN Dehradun ESCORT SERVICE❤Dehradun ❤CALL Girls 8901183002 ❤ℂall Girls IN Dehradun ESCORT SERVICE❤
Dehradun ❤CALL Girls 8901183002 ❤ℂall Girls IN Dehradun ESCORT SERVICE❤
aunty1x2
 
GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...
GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...
GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...
ranishasharma67
 
Nursing Care of Client With Acute And Chronic Renal Failure.ppt
Nursing Care of Client With Acute And Chronic Renal Failure.pptNursing Care of Client With Acute And Chronic Renal Failure.ppt
Nursing Care of Client With Acute And Chronic Renal Failure.ppt
Rommel Luis III Israel
 
Demystifying-Gene-Editing-The-Promise-and-Peril-of-CRISPR.pdf
Demystifying-Gene-Editing-The-Promise-and-Peril-of-CRISPR.pdfDemystifying-Gene-Editing-The-Promise-and-Peril-of-CRISPR.pdf
Demystifying-Gene-Editing-The-Promise-and-Peril-of-CRISPR.pdf
SasikiranMarri
 
VVIP Dehradun Girls 9719300533 Heat-bake { Dehradun } Genteel ℂall Serviℂe By...
VVIP Dehradun Girls 9719300533 Heat-bake { Dehradun } Genteel ℂall Serviℂe By...VVIP Dehradun Girls 9719300533 Heat-bake { Dehradun } Genteel ℂall Serviℂe By...
VVIP Dehradun Girls 9719300533 Heat-bake { Dehradun } Genteel ℂall Serviℂe By...
rajkumar669520
 
Leading the Way in Nephrology: Dr. David Greene's Work with Stem Cells for Ki...
Leading the Way in Nephrology: Dr. David Greene's Work with Stem Cells for Ki...Leading the Way in Nephrology: Dr. David Greene's Work with Stem Cells for Ki...
Leading the Way in Nephrology: Dr. David Greene's Work with Stem Cells for Ki...
Dr. David Greene Arizona
 
The Docs PPG - 30.05.2024.pptx..........
The Docs PPG - 30.05.2024.pptx..........The Docs PPG - 30.05.2024.pptx..........
The Docs PPG - 30.05.2024.pptx..........
TheDocs
 
Haridwar ❤CALL Girls 🔝 89011★83002 🔝 ❤ℂall Girls IN Haridwar ESCORT SERVICE❤
Haridwar ❤CALL Girls 🔝 89011★83002 🔝 ❤ℂall Girls IN Haridwar ESCORT SERVICE❤Haridwar ❤CALL Girls 🔝 89011★83002 🔝 ❤ℂall Girls IN Haridwar ESCORT SERVICE❤
Haridwar ❤CALL Girls 🔝 89011★83002 🔝 ❤ℂall Girls IN Haridwar ESCORT SERVICE❤
ranishasharma67
 
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdfCHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf
Sachin Sharma
 
Immunity to Veterinary parasitic infections power point presentation
Immunity to Veterinary parasitic infections power point presentationImmunity to Veterinary parasitic infections power point presentation
Immunity to Veterinary parasitic infections power point presentation
BeshedaWedajo
 
ABDOMINAL COMPARTMENT SYSNDROME
ABDOMINAL COMPARTMENT SYSNDROMEABDOMINAL COMPARTMENT SYSNDROME
ABDOMINAL COMPARTMENT SYSNDROME
Rommel Luis III Israel
 
Contact Now 89011**83002 Dehradun ℂall Girls By Full Service ℂall Girl In De...
Contact Now 89011**83002 Dehradun ℂall Girls By Full Service ℂall Girl In De...Contact Now 89011**83002 Dehradun ℂall Girls By Full Service ℂall Girl In De...
Contact Now 89011**83002 Dehradun ℂall Girls By Full Service ℂall Girl In De...
aunty1x2
 
What Are Homeopathic Treatments for Migraines.pdf
What Are Homeopathic Treatments for Migraines.pdfWhat Are Homeopathic Treatments for Migraines.pdf
What Are Homeopathic Treatments for Migraines.pdf
Dharma Homoeopathy
 
GENERAL PHARMACOLOGY - INTRODUCTION DENTAL.ppt
GENERAL PHARMACOLOGY - INTRODUCTION DENTAL.pptGENERAL PHARMACOLOGY - INTRODUCTION DENTAL.ppt
GENERAL PHARMACOLOGY - INTRODUCTION DENTAL.ppt
Mangaiarkkarasi
 
India Clinical Trials Market: Industry Size and Growth Trends [2030] Analyzed...
India Clinical Trials Market: Industry Size and Growth Trends [2030] Analyzed...India Clinical Trials Market: Industry Size and Growth Trends [2030] Analyzed...
India Clinical Trials Market: Industry Size and Growth Trends [2030] Analyzed...
Kumar Satyam
 
Antibiotic Stewardship by Anushri Srivastava.pptx
Antibiotic Stewardship by Anushri Srivastava.pptxAntibiotic Stewardship by Anushri Srivastava.pptx
Antibiotic Stewardship by Anushri Srivastava.pptx
AnushriSrivastav
 
A Community health , health for prisoners
A Community health , health for prisonersA Community health , health for prisoners
A Community health , health for prisoners
Ahmed Elmi
 
BOWEL ELIMINATION BY ANUSHRI SRIVASTAVA.pptx
BOWEL ELIMINATION BY ANUSHRI SRIVASTAVA.pptxBOWEL ELIMINATION BY ANUSHRI SRIVASTAVA.pptx
BOWEL ELIMINATION BY ANUSHRI SRIVASTAVA.pptx
AnushriSrivastav
 
VERIFICATION AND VALIDATION TOOLKIT Determining Performance Characteristics o...
VERIFICATION AND VALIDATION TOOLKIT Determining Performance Characteristics o...VERIFICATION AND VALIDATION TOOLKIT Determining Performance Characteristics o...
VERIFICATION AND VALIDATION TOOLKIT Determining Performance Characteristics o...
Nguyễn Thị Vân Anh
 
Navigating Healthcare with Telemedicine
Navigating Healthcare with TelemedicineNavigating Healthcare with Telemedicine
Navigating Healthcare with Telemedicine
Iris Thiele Isip-Tan
 

Recently uploaded (20)

Dehradun ❤CALL Girls 8901183002 ❤ℂall Girls IN Dehradun ESCORT SERVICE❤
Dehradun ❤CALL Girls 8901183002 ❤ℂall Girls IN Dehradun ESCORT SERVICE❤Dehradun ❤CALL Girls 8901183002 ❤ℂall Girls IN Dehradun ESCORT SERVICE❤
Dehradun ❤CALL Girls 8901183002 ❤ℂall Girls IN Dehradun ESCORT SERVICE❤
 
GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...
GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...
GURGAON Call Girls ❤8901183002❤ #ℂALL# #gIRLS# In GURGAON ₹,2500 Cash Payment...
 
Nursing Care of Client With Acute And Chronic Renal Failure.ppt
Nursing Care of Client With Acute And Chronic Renal Failure.pptNursing Care of Client With Acute And Chronic Renal Failure.ppt
Nursing Care of Client With Acute And Chronic Renal Failure.ppt
 
Demystifying-Gene-Editing-The-Promise-and-Peril-of-CRISPR.pdf
Demystifying-Gene-Editing-The-Promise-and-Peril-of-CRISPR.pdfDemystifying-Gene-Editing-The-Promise-and-Peril-of-CRISPR.pdf
Demystifying-Gene-Editing-The-Promise-and-Peril-of-CRISPR.pdf
 
VVIP Dehradun Girls 9719300533 Heat-bake { Dehradun } Genteel ℂall Serviℂe By...
VVIP Dehradun Girls 9719300533 Heat-bake { Dehradun } Genteel ℂall Serviℂe By...VVIP Dehradun Girls 9719300533 Heat-bake { Dehradun } Genteel ℂall Serviℂe By...
VVIP Dehradun Girls 9719300533 Heat-bake { Dehradun } Genteel ℂall Serviℂe By...
 
Leading the Way in Nephrology: Dr. David Greene's Work with Stem Cells for Ki...
Leading the Way in Nephrology: Dr. David Greene's Work with Stem Cells for Ki...Leading the Way in Nephrology: Dr. David Greene's Work with Stem Cells for Ki...
Leading the Way in Nephrology: Dr. David Greene's Work with Stem Cells for Ki...
 
The Docs PPG - 30.05.2024.pptx..........
The Docs PPG - 30.05.2024.pptx..........The Docs PPG - 30.05.2024.pptx..........
The Docs PPG - 30.05.2024.pptx..........
 
Haridwar ❤CALL Girls 🔝 89011★83002 🔝 ❤ℂall Girls IN Haridwar ESCORT SERVICE❤
Haridwar ❤CALL Girls 🔝 89011★83002 🔝 ❤ℂall Girls IN Haridwar ESCORT SERVICE❤Haridwar ❤CALL Girls 🔝 89011★83002 🔝 ❤ℂall Girls IN Haridwar ESCORT SERVICE❤
Haridwar ❤CALL Girls 🔝 89011★83002 🔝 ❤ℂall Girls IN Haridwar ESCORT SERVICE❤
 
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdfCHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf
CHAPTER 1 SEMESTER V PREVENTIVE-PEDIATRICS.pdf
 
Immunity to Veterinary parasitic infections power point presentation
Immunity to Veterinary parasitic infections power point presentationImmunity to Veterinary parasitic infections power point presentation
Immunity to Veterinary parasitic infections power point presentation
 
ABDOMINAL COMPARTMENT SYSNDROME
ABDOMINAL COMPARTMENT SYSNDROMEABDOMINAL COMPARTMENT SYSNDROME
ABDOMINAL COMPARTMENT SYSNDROME
 
Contact Now 89011**83002 Dehradun ℂall Girls By Full Service ℂall Girl In De...
Contact Now 89011**83002 Dehradun ℂall Girls By Full Service ℂall Girl In De...Contact Now 89011**83002 Dehradun ℂall Girls By Full Service ℂall Girl In De...
Contact Now 89011**83002 Dehradun ℂall Girls By Full Service ℂall Girl In De...
 
What Are Homeopathic Treatments for Migraines.pdf
What Are Homeopathic Treatments for Migraines.pdfWhat Are Homeopathic Treatments for Migraines.pdf
What Are Homeopathic Treatments for Migraines.pdf
 
GENERAL PHARMACOLOGY - INTRODUCTION DENTAL.ppt
GENERAL PHARMACOLOGY - INTRODUCTION DENTAL.pptGENERAL PHARMACOLOGY - INTRODUCTION DENTAL.ppt
GENERAL PHARMACOLOGY - INTRODUCTION DENTAL.ppt
 
India Clinical Trials Market: Industry Size and Growth Trends [2030] Analyzed...
India Clinical Trials Market: Industry Size and Growth Trends [2030] Analyzed...India Clinical Trials Market: Industry Size and Growth Trends [2030] Analyzed...
India Clinical Trials Market: Industry Size and Growth Trends [2030] Analyzed...
 
Antibiotic Stewardship by Anushri Srivastava.pptx
Antibiotic Stewardship by Anushri Srivastava.pptxAntibiotic Stewardship by Anushri Srivastava.pptx
Antibiotic Stewardship by Anushri Srivastava.pptx
 
A Community health , health for prisoners
A Community health , health for prisonersA Community health , health for prisoners
A Community health , health for prisoners
 
BOWEL ELIMINATION BY ANUSHRI SRIVASTAVA.pptx
BOWEL ELIMINATION BY ANUSHRI SRIVASTAVA.pptxBOWEL ELIMINATION BY ANUSHRI SRIVASTAVA.pptx
BOWEL ELIMINATION BY ANUSHRI SRIVASTAVA.pptx
 
VERIFICATION AND VALIDATION TOOLKIT Determining Performance Characteristics o...
VERIFICATION AND VALIDATION TOOLKIT Determining Performance Characteristics o...VERIFICATION AND VALIDATION TOOLKIT Determining Performance Characteristics o...
VERIFICATION AND VALIDATION TOOLKIT Determining Performance Characteristics o...
 
Navigating Healthcare with Telemedicine
Navigating Healthcare with TelemedicineNavigating Healthcare with Telemedicine
Navigating Healthcare with Telemedicine
 

HIPAA Compliance for Developers

  • 1. HIPAA Compliance for Developers Breaking down the regulatory issues around building digital health apps for fun and profit. HIPAA compliant database-as-a-service
  • 2. HIPAA Compliance is a 
 Brutal Time Suck! ! “[Building our own HIPAA compliant infrastructure] took upwards of 1,000 person-hours to figure out HIPAA-compliance issues. This will continue to be an ongoing cost for us, because HIPAA is an ongoing law and it changes sometimes. It takes substantial auditing time and money. TrueVault would save us all that.” 
 Posted on Hacker News by jph
 (Unsolicited comment. Not a customer.) HIPAA compliant database-as-a-service
  • 3. First off, What is HIPAA? Health Insurance Portability and Accountability Act • HIPAA sets the standard for protecting sensitive patient data. • Covered Entities and their Business Associates need to protect the privacy and security of protected health information (PHI). • Developed in 1996. HIPAA was initially created to help the public with insurance portability. In addition, they built a series of privacy tools to protect healthcare data. HIPAA compliant database-as-a-service
  • 4. What Does HIPAA Require? 1.Put safeguards in place to protect patient health information. 2.Reasonably limit use and sharing to the minimum necessary to accomplish your intended purpose. 3.Have agreements in place with service providers that perform covered functions. These agreements (BAAs) ensure that service providers (Business Associates) use, safeguard and disclose patient information properly. 4.Procedures to limit who can access patient health information, and training programs about how to protect patient health information. HIPAA compliant database-as-a-service
  • 5. The Four Rules of HIPAA Like the four horsemen, these are the major pieces that govern what you do and how you do it. 1.HIPAA Privacy Rule 2.HIPAA Security Rule 3.HIPAA Enforcement Rule 4.HIPAA Breach Notification Rule
 HIPAA compliant database-as-a-service Developers need to focus on the Technical and Physical safeguards outlined in the Security Rule.
  • 6. The Privacy Rule HIPAA compliant database-as-a-service Addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient’s own right to access.
  • 7. The Security Rule HIPAA compliant database-as-a-service Outlines national security standards intended to protect health data created, received, maintained, or transmitted electronically.
  • 8. The Security Rule HIPAA compliant database-as-a-service September 23, 2013 Before Sept 23. Rules applied to hospitals, doctors, clinics, etc. After Sept 23. The rules now apply to anyone that touches PHI.
 
 (e.g. an IT company or a mHealth application that provides secure photo- sharing for physicians). Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
  • 9. HIPAA compliant database-as-a-service “Do I need to be HIPAA compliant?”
  • 10. HIPAA compliant database-as-a-service “Do I need to be HIPAA compliant?” If you handle PHI then you need to be HIPAA compliant. The HIPAA rules apply to both Covered Entities and their Business Associates
  • 11. What is Protected Health Information (PHI)? • PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a healthcare service. • Includes: • Medical records • Billing information • Health insurance information • Any individually identifiable health information HIPAA compliant database-as-a-service
  • 12. Electronic Protected Health Information (EPHI) HIPAA compliant database-as-a-service All individually identifiable health information that is created, maintained, or transmitted electronically.
  • 13. Covered Entity (CE) HIPAA compliant database-as-a-service • Anyone who provides treatment, payment and operations in healthcare. • Includes: • Doctor’s office, dental offices, clinics, psychologists, • Nursing home, pharmacy, hospital or home healthcare agency • Health plans, insurance companies, HMOs • Government programs that pay for healthcare • Health clearing houses
  • 14. Business Associate (BA) HIPAA compliant database-as-a-service • Anyone who has access to patient information, whether directly, indirectly, physically or virtually. • Any organization that provides support in the treatment, payment or operations • Includes: • IT providers, health applications • Telephone service provider, document management and destruction • Accountant, lawyer or other service provider Business associates have the responsibility to achieve and maintain HIPAA compliance in terms of all of the internal, administrative, and technical safeguards.
  • 15. Exceptions HIPAA compliant database-as-a-service • Entities providing data transmission services, including services that involve temporary storage of PHI that is incident to the transmission (e.g. courier services and their electronic equivalents, such as ISPs or telecoms). While entities that are “mere conduits” for PHI are not Business Associates, the rules emphasize that this exception is narrow.
  • 16. HIPAA compliant database-as-a-service “Who certifies HIPAA compliance?”
  • 17. HIPAA compliant database-as-a-service “Who certifies HIPAA compliance?” The short answer is no one.
  • 18. Who certifies HIPAA compliance? • Unlike PCI, there is no one that can “certify” that an organization is HIPAA compliant. • The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body. HHS does not endorse or recognize the “certifications” made by private organizations. • The evaluation standard in the Security Rule § 164.308(a)(8) requires you to perform a periodic technical and non-technical evaluation to make sure your security policies and procedures meet security requirements. • But, HHS doesn’t care if the evaluation is performed internally or by an external organization. HIPAA compliant database-as-a-service
  • 19. Penalties & Fines • Violations are expensive, to put it mildly. HIPAA compliant database-as-a-service
  • 20. HIPAA compliant database-as-a-service “How do I become HIPAA compliant?”
  • 21. HIPAA compliant database-as-a-service “How do I become HIPAA compliant?” The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).
  • 22. 3 Parts to the Security Rule 1.Administrative Safeguards 2.Technical Safeguards 3.Physical Safeguards HIPAA compliant database-as-a-service
  • 23. “required” vs. “addressable” • Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented. • Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; your choice must be documented. • It is important to remember that an addressable implementation specification is not optional. HIPAA compliant database-as-a-service When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.
  • 24. Administrative Safeguards The administrative components are really important when implementing a HIPAA compliance program; you are required to: 1.Assign a privacy officer 2.Complete a risk assessment annually 3.Implement employee training 4.Review policies and procedures 5.Execute Business Associate Agreements (BAAs) with all partners who handle protected health information (PHI) HIPAA compliant database-as-a-service
  • 25. Administrative Safeguards Companies who can help with the administrative components of a compliance program: • Accountable -- http://accountablehq.com • Compliance Helper -- http://www.compliancehelper.com • Compliancy Group -- http://compliancy-group.com HIPAA compliant database-as-a-service
  • 26. Technical Safeguards 1.Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity. 2.Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency. 3.Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. 4.Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI. HIPAA compliant database-as-a-service
  • 27. Technical Safeguards 5.Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. 6.Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. 7.Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. 8.Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. 9.Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate. HIPAA compliant database-as-a-service
  • 28. Physical Safeguards 1.Facility Access Controls - Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. 2.Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. 3.Facility Access Controls - Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. 4.Facility Access Controls - Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks). 5.Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. HIPAA compliant database-as-a-service HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.
  • 29. Physical Safeguards 6.Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users. 7.Device and Media Controls - Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored. 8.Device and Media Controls - Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. 9.Device and Media Controls - Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore. 10.Device and Media Controls - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment. HIPAA compliant database-as-a-service
  • 30. TrueVault Handles All Technical Requirements HIPAA compliant database-as-a-service Administrative Safeguards Technical Safeguards Encryption and Decryption, Key Management, Key Rotation, Access Control, Unique User Identification, Emergency Access, Automatic Logoff, Audit Controls, Mechanism to Authenticate Electronic PHI, Person or Entity Authentication, Transmission Security, Integrity Controls Physical Safeguards Facility Access Ctrl, Workstation Use and Security, Devices and Media Controls HIPAA Compliant Hosting TrueVault • TrueVault handles both Technical and Physical Safeguards. ! • Develop a healthcare application without building a HIPAA compliant infrastructure. ! • FireHost and AWS have high minimum charges ($1,115 and $1,500) and offer no help with the Technical Safeguards.
  • 31. How Does TrueVault Fit In? HIPAA compliant database-as-a-service ! • Developers access TrueVault via a RESTful API and native clients. ! • Typical integration takes days. TrueVault works just like any other API services. ! • TrueVault provides all client- side and server-side functionalities required by HIPAA. Customer)Backend)Web) Services)) Standard)Database) TrueVault) (HIPAA)Compliant)) non@PHI)Data) PHI)Data) (REST)API))
  • 32. TrueVault Features HIPAA compliant database-as-a-service JSON Store The TrueVault JSON Store is a lightweight, document-oriented storage system, and enables persistent HIPAA compliant storage of JSON documents. BLOB Store The TrueVault BLOB (binary large object) Store offers HIPAA compliant binary storage for any file format. This includes DICOM files (e.g. X-Rays, CT Scans, MRIs), PDFs, scanned medical records, images, and videos. Encrypted Search Search encrypted data stored in TrueVault. Query (GET) documents by any field, not just the documentId.
  • 33. TrueVault Features HIPAA compliant database-as-a-service Browser-to-TrueVault Upload Browser-to-TrueVault direct file upload and download web form. You can upload binary files directly to TrueVault’s BLOB Store using HTML forms. User Management and Authentication User Management console. You can create and manage users, groups, and permissions via TrueVault so that PHI never touches your stack. TrueVault provides identity and access management, plus 2-factor authentication out of the box. Use our identity API for custom access flows or add Sign-In, Sign-Up, and My Account pages in seconds with our JavaScript user controls. Encryption and Decryption TrueVault encrypts all at-rest data with AES-256 and stores keys securely. Our infrastructure for healthcare data storage and transmission runs in a separate hosting environment inaccessible by our primary services.
  • 34. TrueVault Features HIPAA compliant database-as-a-service Audit Control Every user action and API call is automatically recorded for compliance. An audit log can be searched and retrieved via our API. Automatic Logoff Configure the automatic user session timeout window via our API or the Management Console. Emergency Access Easily add an Emergency Access Request page to your app with a CNAME record. We’ll handle the authentication flow for you, and track activities for compliance. Single-user credentials can also be created via the API for custom emergency workflows.
  • 35. TrueVault Features HIPAA compliant database-as-a-service Proactive Monitoring TrueVault’s proprietary anomaly-based detection algorithm will alert you, or your customer, when abnormal user activity is detected. At-Rest Data Integrity A checksum is computed for every at-rest record, and the integrity of the data is continuously checked. Integrity Control and Encryption TrueVault regularly audits the details of our implementation: the certificates we serve, our certificate authorities, and our ciphers. We ensure that browsers and API clients interact with TrueVault over HTTPS only.
  • 36. HIPAA compliant database-as-a-service "Becoming HIPAA compliant as an early stage organization was a daunting task, until we found TrueVault! Their turn-key API has allowed us to check this box and get back to focusing on our core product and offering." Edith Elliott
 CEO Noora Health
  • 37. Try TrueVault for Free HIPAA compliant database-as-a-service $0.001 / API call / monthFree for Development • No credit card required. • No time limit on the free trial period. • Unlimited API calls and storage. • But, no BAA and no insurance. API Calls Monthly Cost 
0 -100,000 $100 101,000 $101 250,000 $250 1,000,000 $1,000 • Unlimited JSON documents • Unlimited BLOB objects • Business Associated Agreement • Privacy/Data Breach Insurance • Service Level Agreement Get Started