HxRefactored, profile picture
Uploaded byHxRefactored
PDF, PPTX987 views

HxRefactored - TrueVault - Jason Wang

The document provides an overview of key concepts related to HIPAA compliance for developers, including: - HIPAA was established in 1996 and updated in 2009 and 2013 to protect individuals' personal health information. - Developers need to focus on complying with the Technical and Physical Safeguards outlined in the HIPAA Security Rule which address access controls, encryption, auditing and physical security measures. - Any individual or organization that handles protected health information, including healthcare providers, insurers, and their business partners that have access to PHI, are required to comply with HIPAA and ensure systems are secure and private health data is protected.

Embed presentation

Download as PDF, PPTX
Decoding HIPAA for Developers! Jason Wang! Founder & CEO, TrueVault!
1996 - HIPAA !!
1996 - HIPAA!
1996 – HIPAA! ! 2009 – HITECH! ! 2013 – Final Omnibus Rule Update!
HIPAA Acronyms! PHI – Protected Health Information! ! CE – Covered Entities! BA – Business Associates! BAA – Business Associate Agreement!
HIPAA   Privacy  Rule  Security  Rule   Administra6ve   Safeguards   Technical   Safeguards   Physical   Safeguards   Enforcement   Rule   Breach   No6fica6on  Rule  
HIPAA   Privacy  Rule  Security  Rule   Administra6ve   Safeguards   Technical   Safeguards   Physical   Safeguards   Enforcement   Rule   Breach   No6fica6on  Rule   If  you’re  a  developer  trying  to  understand  the   scope  of  the  build,  then  you  need  to  focus  on   the  Technical  and  Physical  Safeguards  spelled   out  in  the  Security  Rule;  these  two  sec6ons   comprise  the  majority  of  your  to-­‐do  list.    
Who Needs to be HIPAA Compliant? If you handle PHI then you need to be HIPAA compliant.! ! The HIPAA rules apply to both Covered Entities and their Business Associates! !
Who Certifies HIPAA Compliance? The short answer is no one.!
“required” vs. “addressable”! Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; your choice must be documented.! ! It is important to remember that an addressable implementation specification is not optional. ! ! When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.! Addressable does NOT mean optional!
Technical Safeguards! 1.  Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.! ! 2.  Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.! 3.  Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.! ! 4.  Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.!
Technical Safeguards 5.  Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.! 6.  Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.! 7.  Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.! ! 8.  Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.! ! 9.  Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.!
Physical Safeguards 1.  Facility Access Controls - Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.! 2.  Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.! 3.  Facility Access Controls - Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.! HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.!
Physical Safeguards 4.  Facility Access Controls - Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).! 5.  Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.! 6.  Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.! HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.!
Physical Safeguards 7.  Device and Media Controls - Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.! ! 8.  Device and Media Controls - Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.! ! 9.  Device and Media Controls - Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.! ! 10.  Device and Media Controls - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.! HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.!
What Else? •  Emails, texts, voicemails! •  3rd party tools (MixPanel, Loggly, New Relic, etc)! •  Administrative Safeguards! •  Building a HIPAA compliant infrastructure!
Q&A Time! Shameless Promotions:! ! •  TrueVault is hiring Developers, DevOps Engineers in San Francisco ! •  Join our iOS SDK beta list – Be the first to release an iOS app leveraging Health Book! http://go.truevault.com/ios8! !
Thank  you!   Jason  Wang   Founder  &  CEO,  TrueVault  
May  29,  2014   Confiden6al  -­‐  Not  for   What is Protected Health Information (PHI)? PHI  is  any  informa6on  in  a  medical  record  that  can  be  used  to  iden6fy   an  individual,  and  that  was  created,  used,  or  disclosed  in  the  course  of   providing  a  healthcare  service,  such  as  a  diagnosis  or  treatment.     PHI  is  informa6on  in  your  medical  records,  including  conversa6ons   between  your  doctors  and  nurses  about  your  treatment.  PHI  also   includes  your  billing  informa6on  and  any  medical  informa6on  in  your   health  insurance  company's  computer  system.     This  includes  any  individually  iden6fiable  health  informa6on  collected   from  an  individual  by  a  healthcare  provider,  employer  or  plan  that   includes  name,  social  security  number,  phone  number,  medical   history,  current  medical  condi6on,  test  results  and  more.     Electronic  Protected  Health  Informa3on  (EPHI)   All  individually  iden6fiable  health  informa6on  that  is  created,   maintained,  or  transmiZed  electronically.    
May  29,  2014   Confiden6al  -­‐  Not  for   Covered Entity (CE) Anyone  who  provides  treatment,  payment  and  opera6ons   in  healthcare.       It  could  include  a  doctor’s  office,  dental  office,  clinics,   psychologist,  nursing  home,  pharmacy,  hospital  or  home   healthcare  agency.       This  also  includes  health  plans,  health  insurance   companies,  HMOs,  company  health  plans  and  government   programs  that  pay  for  health  care.       Health  clearing  houses  are  also  considered  covered   en66es.    
May  29,  2014   Confiden6al  -­‐  Not  for   Business Associate Anyone  who  has  access  to  pa6ent  informa6on,  whether  directly,  indirectly,   physically  or  virtually.       Addi6onally,  any  organiza6on  that  provides  support  in  the  treatment,   payment  or  opera6ons  is  considered  a  business  associate,  i.e.  an  IT  company   or  a  mHealth  applica6on  that  provides  secure  photo-­‐sharing  for  physicians.     Other  examples  include  a  document  destruc6on  company,  a  telephone   service  provider,  accountant,  or  lawyer.       The  business  associates  also  have  the  responsibility  to  achieve  and  maintain   HIPAA  compliance  in  terms  of  all  of  the  internal,  administra6ve,  and  technical   safeguards.       A  business  associate  does  not  work  under  the  covered  en6ty’s  workforce,  but   instead  performs  some  type  of  service  on  their  behalf.    

More Related Content

PDF
HIPAA HiTech Security Assessment
bydata brackets
 
PPTX
Comp8 unit6a lecture_slides
byCMDLMS
 
PDF
Hipaa Gap Assessment.Sanitized Report
bytbeckwith
 
PDF
Mobile Device Security
byBen Quirk
 
PDF
MBM eHealthCare Solutions HIPAA-HITECH & Meaningful Use Risk Analysis
byCharles McNeil
 
PPTX
Dental Compliance for Dentists and Business Associates
bygppcpa
 
PPSX
Mbm Hipaa Hitech Ss Compliance Risk Assessment
byMBMeHealthCareSolutions
 
PDF
HxRefactored - TrueVault - Jason Wang - API Pitch
byHxRefactored
 
HIPAA HiTech Security Assessment
bydata brackets
 
Comp8 unit6a lecture_slides
byCMDLMS
 
Hipaa Gap Assessment.Sanitized Report
bytbeckwith
 
Mobile Device Security
byBen Quirk
 
MBM eHealthCare Solutions HIPAA-HITECH & Meaningful Use Risk Analysis
byCharles McNeil
 
Dental Compliance for Dentists and Business Associates
bygppcpa
 
Mbm Hipaa Hitech Ss Compliance Risk Assessment
byMBMeHealthCareSolutions
 
HxRefactored - TrueVault - Jason Wang - API Pitch
byHxRefactored
 

What's hot

PDF
EHR meaningful use security risk assessment sample document
bydata brackets
 
PDF
Ecfirstbiz
byshailu devi
 
PDF
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
byCompliancy Group
 
PDF
HIPAA Solutions on Cloud Foundry
byJim Shingler
 
PDF
Security White Paper From Paychex
bycboston
 
PDF
Web Werks Data Center Achieves HIPAA Compliance Certification
byWeb Werks Data Centers
 
PPTX
Security & Privacy - Lecture E
byCMDLearning
 
PPT
FRSecure Sales Deck
byEvan Francen
 
PDF
How to Secure Your Medical Devices
bySecurityMetrics
 
PPTX
Meaningful Use and Security Risk Analysis
byEvan Francen
 
PPTX
Norris, t week 1 discussion 2
byTina Norris
 
PDF
HIPAA eBOOK: Avoid Common HIPAA Violations
byOnRamp
 
PPT
Confidentiality
byDiana Fernandez
 
PPTX
Security Crossroads of Healthcare reforms and IoT enabled E-health
byRajesh Vargheese
 
PDF
Safeguarding Patient Privacy in a Digital Age (Meredith Phillips)
byU.S. News Healthcare of Tomorrow
 
PPTX
Security in electronic health records
bysamuelerie
 
DOCX
Common Security Framework Summary
byJason Rusch - CISSP CGEIT CISM CISA GNSA
 
EHR meaningful use security risk assessment sample document
bydata brackets
 
Ecfirstbiz
byshailu devi
 
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
byCompliancy Group
 
HIPAA Solutions on Cloud Foundry
byJim Shingler
 
Security White Paper From Paychex
bycboston
 
Web Werks Data Center Achieves HIPAA Compliance Certification
byWeb Werks Data Centers
 
Security & Privacy - Lecture E
byCMDLearning
 
FRSecure Sales Deck
byEvan Francen
 
How to Secure Your Medical Devices
bySecurityMetrics
 
Meaningful Use and Security Risk Analysis
byEvan Francen
 
Norris, t week 1 discussion 2
byTina Norris
 
HIPAA eBOOK: Avoid Common HIPAA Violations
byOnRamp
 
Confidentiality
byDiana Fernandez
 
Security Crossroads of Healthcare reforms and IoT enabled E-health
byRajesh Vargheese
 
Safeguarding Patient Privacy in a Digital Age (Meredith Phillips)
byU.S. News Healthcare of Tomorrow
 
Security in electronic health records
bysamuelerie
 
Common Security Framework Summary
byJason Rusch - CISSP CGEIT CISM CISA GNSA
 

Viewers also liked

DOCX
Aduana12
byFernando Montero
 
PPTX
HXR 2016: Designing for Addiction and Recovery -Mary Beth Schoening, Behavior...
byHxRefactored
 
PPTX
HXR 2016: New Models for Care Delivery -Andrew Schutzbank, Iora Health
byHxRefactored
 
PDF
HIPAA Compliance for Developers
byTrueVault
 
PPTX
HXR 2016: Sustainable Design -Jen Briselli, James Christie, Mad*Pow
byHxRefactored
 
PDF
Diario guido 9 12 pag - 2013
byCentro Educativo para la Producción Total N° 28, General. Guido, Bs. As.
 
PPT
Unidad II
byAntonio G.
 
PPTX
Planeacion de un_wiki_icagra
byEscuela Pública Vespertina Agustín Melgar
 
PPT
Erp
byUniversidad Metropolitana - Venezuela
 
PPT
A LOMCE para profes, nais e pais.
bycastrexo33
 
PPTX
communication
bymonika sharma
 
PPTX
22560 luz mila galvis valbuena
by2015andes
 
DOCX
Seminario5
byBelen Rojano Santiago
 
PPSX
Adviento
byRamón Rodolfo Olmedo
 
PPTX
Ciclo vital de la informacion y fases
byNatalia Areiza
 
PDF
Designing for the iPad
byusabilitynj
 
PDF
Contabilidade respostas 025
bygeral contabil
 
DOCX
Formación de el núcleo familiar
byjenifferselena
 
DOC
Guia 10
byManuHilda
 
PDF
6A- Vigilancia sindrómica
byTania Acevedo-Villar
 
Aduana12
byFernando Montero
 
HXR 2016: Designing for Addiction and Recovery -Mary Beth Schoening, Behavior...
byHxRefactored
 
HXR 2016: New Models for Care Delivery -Andrew Schutzbank, Iora Health
byHxRefactored
 
HIPAA Compliance for Developers
byTrueVault
 
HXR 2016: Sustainable Design -Jen Briselli, James Christie, Mad*Pow
byHxRefactored
 
Diario guido 9 12 pag - 2013
byCentro Educativo para la Producción Total N° 28, General. Guido, Bs. As.
 
Unidad II
byAntonio G.
 
Planeacion de un_wiki_icagra
byEscuela Pública Vespertina Agustín Melgar
 
Erp
byUniversidad Metropolitana - Venezuela
 
A LOMCE para profes, nais e pais.
bycastrexo33
 
communication
bymonika sharma
 
22560 luz mila galvis valbuena
by2015andes
 
Seminario5
byBelen Rojano Santiago
 
Adviento
byRamón Rodolfo Olmedo
 
Ciclo vital de la informacion y fases
byNatalia Areiza
 
Designing for the iPad
byusabilitynj
 
Contabilidade respostas 025
bygeral contabil
 
Formación de el núcleo familiar
byjenifferselena
 
Guia 10
byManuHilda
 
6A- Vigilancia sindrómica
byTania Acevedo-Villar
 

Similar to HxRefactored - TrueVault - Jason Wang

PDF
HIPAA Compliance For Small Practices
byNisos Health
 
PPTX
The Health Insurance Portability and Accountability Act 
byKartheek Kein
 
PPTX
Introduction to Health Informatics Ch11 power point
bybradleyl2
 
PPTX
Chapter 14: Regulatory Compliance for the Healthcare Sector
byNada G.Youssef
 
PPTX
Mha 690 ppt hipaa for healthcare professionals
bylee5lee
 
PPTX
B johnson unit 3 final project completion
byBrittany Johnson
 
PDF
Securing Healthcare Data on AWS for HIPAA
byAlert Logic
 
PPT
Medical Records on the Run: Protecting Patient Data with Device Control and...
byLumension
 
PDF
HIPAA and How it Applies to You
byWinston & Strawn LLP
 
PDF
Hipaa training new_staff_december 2018 - compatibility mode
byrobint2125
 
PPTX
Hipaa security compliance checklist for developers & business associates
byShoba Krishnamurthy
 
PDF
Hipaa basics
byMichaelRodriguesdosS1
 
PPTX
HIPAA
byAlanoud Alqoufi
 
PDF
A brief introduction to hipaa compliance
byPrince George
 
PPTX
Comp8 unit6b lecture_slides
byCMDLMS
 
PDF
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
byNetwork 1 Consulting
 
PPT
Group presentation hippa ppt
byMari Mina
 
PPTX
Hm300 week 7 part 2 of 2
byBHUOnlineDepartment
 
PDF
HIPAA2
byChris Lee
 
PPTX
Hipaa basics pp2
bymartykoepke
 
HIPAA Compliance For Small Practices
byNisos Health
 
The Health Insurance Portability and Accountability Act 
byKartheek Kein
 
Introduction to Health Informatics Ch11 power point
bybradleyl2
 
Chapter 14: Regulatory Compliance for the Healthcare Sector
byNada G.Youssef
 
Mha 690 ppt hipaa for healthcare professionals
bylee5lee
 
B johnson unit 3 final project completion
byBrittany Johnson
 
Securing Healthcare Data on AWS for HIPAA
byAlert Logic
 
Medical Records on the Run: Protecting Patient Data with Device Control and...
byLumension
 
HIPAA and How it Applies to You
byWinston & Strawn LLP
 
Hipaa training new_staff_december 2018 - compatibility mode
byrobint2125
 
Hipaa security compliance checklist for developers & business associates
byShoba Krishnamurthy
 
Hipaa basics
byMichaelRodriguesdosS1
 
HIPAA
byAlanoud Alqoufi
 
A brief introduction to hipaa compliance
byPrince George
 
Comp8 unit6b lecture_slides
byCMDLMS
 
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
byNetwork 1 Consulting
 
Group presentation hippa ppt
byMari Mina
 
Hm300 week 7 part 2 of 2
byBHUOnlineDepartment
 
HIPAA2
byChris Lee
 
Hipaa basics pp2
bymartykoepke
 

More from HxRefactored

PDF
HXR 2017: Denise Gosnell, Pokitdok: Blockchain: The Now and The Future:
byHxRefactored
 
PPTX
HXR 2017: Susan Hunt Stevens, WeSpire: Holistic Wellbeing
byHxRefactored
 
PDF
HXR 2017: John Weiss, Human Design: Building a Culture of Health
byHxRefactored
 
PDF
HXR 2017: Juhan Sonin, GoInvo
byHxRefactored
 
PDF
HXR 2017: Heather Patrick, Carrot Sense: Motivation and Health Behavior Change
byHxRefactored
 
PPTX
HXR 2017: Casey Quinlan: the Price is Right
byHxRefactored
 
PPTX
HXR 2017: Bakul Patel: How the FDA Is Promoting Innovation and Protecting the...
byHxRefactored
 
PPTX
HXR 2017: Jay Gupta, RxRelax: RxRelax to Reverse Polypharmacy Trends
byHxRefactored
 
PPTX
HXR 2017: Kathleen Howland, Berklee College of Music: Music Therapy in Health...
byHxRefactored
 
PPTX
HXR 2017: Center for Health Experience Design Announcement
byHxRefactored
 
PPTX
HXR 2017: Paul Kahn, Mad*Pow: Lessons Learned from a Bill you can understand
byHxRefactored
 
PPTX
HXR 2017: Design Challenge Announcement!
byHxRefactored
 
PPTX
HXR 2017: Aneesh Chopra, NavHealth: Call to Action: All Hands on Deck to Brin...
byHxRefactored
 
PPTX
HXR 2017: Amy Cueva, Mad*Pow: Purpose Driven Design
byHxRefactored
 
PPTX
HXR 2016: Addressing the Opioid Crisis
byHxRefactored
 
PPTX
HXR 2016: New Models for Care Delivery -Ethan Berke, Dartmouth-Hitchcock
byHxRefactored
 
PPTX
HXR 2016: Human Focused Innovation in a Clinical Setting -Lesley Solomon, Bri...
byHxRefactored
 
PPTX
HXR 2016: Human Focused Innovation in a Clinical Setting -Jennie Kung, UCLA H...
byHxRefactored
 
PPTX
HXR 2016: Human Focused Innovation in a Clinical Setting -Dr. Nancy Hanrahan,...
byHxRefactored
 
PPTX
HXR 2016: Human Focused Innovation in a Clinical Setting -Marnie de Mooij, Ma...
byHxRefactored
 
HXR 2017: Denise Gosnell, Pokitdok: Blockchain: The Now and The Future:
byHxRefactored
 
HXR 2017: Susan Hunt Stevens, WeSpire: Holistic Wellbeing
byHxRefactored
 
HXR 2017: John Weiss, Human Design: Building a Culture of Health
byHxRefactored
 
HXR 2017: Juhan Sonin, GoInvo
byHxRefactored
 
HXR 2017: Heather Patrick, Carrot Sense: Motivation and Health Behavior Change
byHxRefactored
 
HXR 2017: Casey Quinlan: the Price is Right
byHxRefactored
 
HXR 2017: Bakul Patel: How the FDA Is Promoting Innovation and Protecting the...
byHxRefactored
 
HXR 2017: Jay Gupta, RxRelax: RxRelax to Reverse Polypharmacy Trends
byHxRefactored
 
HXR 2017: Kathleen Howland, Berklee College of Music: Music Therapy in Health...
byHxRefactored
 
HXR 2017: Center for Health Experience Design Announcement
byHxRefactored
 
HXR 2017: Paul Kahn, Mad*Pow: Lessons Learned from a Bill you can understand
byHxRefactored
 
HXR 2017: Design Challenge Announcement!
byHxRefactored
 
HXR 2017: Aneesh Chopra, NavHealth: Call to Action: All Hands on Deck to Brin...
byHxRefactored
 
HXR 2017: Amy Cueva, Mad*Pow: Purpose Driven Design
byHxRefactored
 
HXR 2016: Addressing the Opioid Crisis
byHxRefactored
 
HXR 2016: New Models for Care Delivery -Ethan Berke, Dartmouth-Hitchcock
byHxRefactored
 
HXR 2016: Human Focused Innovation in a Clinical Setting -Lesley Solomon, Bri...
byHxRefactored
 
HXR 2016: Human Focused Innovation in a Clinical Setting -Jennie Kung, UCLA H...
byHxRefactored
 
HXR 2016: Human Focused Innovation in a Clinical Setting -Dr. Nancy Hanrahan,...
byHxRefactored
 
HXR 2016: Human Focused Innovation in a Clinical Setting -Marnie de Mooij, Ma...
byHxRefactored
 

Recently uploaded

PPTX
Seminar on Ebola virus , سیمینارێکی ئامادەکراو لەسەر Ebola virus
bydanaShalal2
 
PPTX
COGNITION IN DEPRESSION
byDr Hari Ram Sedai
 
PPTX
Drug delivery system- Nanotechnology.pptx
byDr. Vaishnavi B R
 
PDF
RETINAL VEIN OCCLUSION; CRVO & BRVO types, pathophysiology, diagnosis & manag...
bySamikshaRai22
 
PPTX
Labour1.docx-flashcards.pptx..............
bySir Fad'hi
 
PDF
Anxiety and Antianxiety Drugs: Pathophysiology of Anxiety Disorders, Classifi...
byShagufta Farooqui
 
PPTX
Basic overview and structural elucidation of Morphine
bySumitSharma743530
 
PPT
New Kids on the Block in mHSPC: Personalising Approaches Through Emerging Pre...
byPVI, PeerView Institute for Medical Education
 
PPTX
EYELID TUMOURS . CLINICAL FEATURES . DIAGNOSIS . SURGICAL MANAGEMENT
byDr Aarushi Choudhary
 
PPTX
Pressure ulcer Internal KPIs results for July,2024.pptx
byprofyasser95
 
PPTX
Organization, Premises, Equipment & Raw Materials The Pillars of Pharmaceutic...
byDr. Smita Kumbhar
 
PDF
स्वास्थ्यकर्मी_पारिश्रमिक_तथा_सेवा_सुविधा_प्रतिवेदन_२०८२
byPublic Health Concern Nepal
 
PPTX
Historical background and development of profession of pharmacy pptx
byGulam Muheyuddeen
 
PPTX
NUCLEAR CARDIOLOGY2025bbbbbbbbbbbbbbbbbb.pptx
byhospital
 
PPTX
Unit- II (Bioavaliability & Bioequivalence).pptx
byUditiHanda
 
PPTX
Swallowing & Swallowing Disorders SLP_1 lecture 4.pptx
byDr Zonera Khalid PT
 
PDF
Femoral Triangle-Prof.Dr.N.Mugunthan KMMC Medical College, Muttom.pdf
byKanyakumari Medical Mission Research Center, Muttom
 
PPT
Beyond Myasthenia Gravis: What Are We Learning About FcRn Inhibitors in Other...
byPeerVoice
 
PPTX
NEUROBIOLOGY OF AUTISM SPECTRUM DISORDER
byDr Hari Ram Sedai
 
PPTX
MICROSPORIDIAL KERATITIS , CLINICAL FEATURES , TREATMENT
byDr Aarushi Choudhary
 
Seminar on Ebola virus , سیمینارێکی ئامادەکراو لەسەر Ebola virus
bydanaShalal2
 
COGNITION IN DEPRESSION
byDr Hari Ram Sedai
 
Drug delivery system- Nanotechnology.pptx
byDr. Vaishnavi B R
 
RETINAL VEIN OCCLUSION; CRVO & BRVO types, pathophysiology, diagnosis & manag...
bySamikshaRai22
 
Labour1.docx-flashcards.pptx..............
bySir Fad'hi
 
Anxiety and Antianxiety Drugs: Pathophysiology of Anxiety Disorders, Classifi...
byShagufta Farooqui
 
Basic overview and structural elucidation of Morphine
bySumitSharma743530
 
New Kids on the Block in mHSPC: Personalising Approaches Through Emerging Pre...
byPVI, PeerView Institute for Medical Education
 
EYELID TUMOURS . CLINICAL FEATURES . DIAGNOSIS . SURGICAL MANAGEMENT
byDr Aarushi Choudhary
 
Pressure ulcer Internal KPIs results for July,2024.pptx
byprofyasser95
 
Organization, Premises, Equipment & Raw Materials The Pillars of Pharmaceutic...
byDr. Smita Kumbhar
 
स्वास्थ्यकर्मी_पारिश्रमिक_तथा_सेवा_सुविधा_प्रतिवेदन_२०८२
byPublic Health Concern Nepal
 
Historical background and development of profession of pharmacy pptx
byGulam Muheyuddeen
 
NUCLEAR CARDIOLOGY2025bbbbbbbbbbbbbbbbbb.pptx
byhospital
 
Unit- II (Bioavaliability & Bioequivalence).pptx
byUditiHanda
 
Swallowing & Swallowing Disorders SLP_1 lecture 4.pptx
byDr Zonera Khalid PT
 
Femoral Triangle-Prof.Dr.N.Mugunthan KMMC Medical College, Muttom.pdf
byKanyakumari Medical Mission Research Center, Muttom
 
Beyond Myasthenia Gravis: What Are We Learning About FcRn Inhibitors in Other...
byPeerVoice
 
NEUROBIOLOGY OF AUTISM SPECTRUM DISORDER
byDr Hari Ram Sedai
 
MICROSPORIDIAL KERATITIS , CLINICAL FEATURES , TREATMENT
byDr Aarushi Choudhary
 

HxRefactored - TrueVault - Jason Wang

  • 1.
    Decoding HIPAA forDevelopers! Jason Wang! Founder & CEO, TrueVault!
  • 2.
  • 3.
  • 4.
    1996 – HIPAA! ! 2009– HITECH! ! 2013 – Final Omnibus Rule Update!
  • 5.
    HIPAA Acronyms! PHI –Protected Health Information! ! CE – Covered Entities! BA – Business Associates! BAA – Business Associate Agreement!
  • 6.
    HIPAA   Privacy  Rule  Security  Rule   Administra6ve   Safeguards   Technical   Safeguards   Physical   Safeguards   Enforcement   Rule   Breach   No6fica6on  Rule  
  • 7.
    HIPAA   Privacy  Rule  Security  Rule   Administra6ve   Safeguards   Technical   Safeguards   Physical   Safeguards   Enforcement   Rule   Breach   No6fica6on  Rule   If  you’re  a  developer  trying  to  understand  the   scope  of  the  build,  then  you  need  to  focus  on   the  Technical  and  Physical  Safeguards  spelled   out  in  the  Security  Rule;  these  two  sec6ons   comprise  the  majority  of  your  to-­‐do  list.    
  • 8.
    Who Needs tobe HIPAA Compliant? If you handle PHI then you need to be HIPAA compliant.! ! The HIPAA rules apply to both Covered Entities and their Business Associates! !
  • 9.
    Who Certifies HIPAACompliance? The short answer is no one.!
  • 10.
    “required” vs. “addressable”! Someimplementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; your choice must be documented.! ! It is important to remember that an addressable implementation specification is not optional. ! ! When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.! Addressable does NOT mean optional!
  • 11.
    Technical Safeguards! 1.  AccessControl - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.! ! 2.  Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.! 3.  Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.! ! 4.  Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.!
  • 12.
    Technical Safeguards 5.  AuditControls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.! 6.  Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.! 7.  Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.! ! 8.  Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.! ! 9.  Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.!
  • 13.
    Physical Safeguards 1.  FacilityAccess Controls - Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.! 2.  Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.! 3.  Facility Access Controls - Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.! HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.!
  • 14.
    Physical Safeguards 4.  FacilityAccess Controls - Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).! 5.  Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.! 6.  Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.! HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.!
  • 15.
    Physical Safeguards 7.  Deviceand Media Controls - Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.! ! 8.  Device and Media Controls - Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.! ! 9.  Device and Media Controls - Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.! ! 10.  Device and Media Controls - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.! HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.!
  • 16.
    What Else? •  Emails,texts, voicemails! •  3rd party tools (MixPanel, Loggly, New Relic, etc)! •  Administrative Safeguards! •  Building a HIPAA compliant infrastructure!
  • 17.
    Q&A Time! Shameless Promotions:! ! • TrueVault is hiring Developers, DevOps Engineers in San Francisco ! •  Join our iOS SDK beta list – Be the first to release an iOS app leveraging Health Book! http://go.truevault.com/ios8! !
  • 18.
    Thank  you!   Jason  Wang   Founder  &  CEO,  TrueVault  
  • 19.
    May  29,  2014   Confiden6al  -­‐  Not  for   What is Protected Health Information (PHI)? PHI  is  any  informa6on  in  a  medical  record  that  can  be  used  to  iden6fy   an  individual,  and  that  was  created,  used,  or  disclosed  in  the  course  of   providing  a  healthcare  service,  such  as  a  diagnosis  or  treatment.     PHI  is  informa6on  in  your  medical  records,  including  conversa6ons   between  your  doctors  and  nurses  about  your  treatment.  PHI  also   includes  your  billing  informa6on  and  any  medical  informa6on  in  your   health  insurance  company's  computer  system.     This  includes  any  individually  iden6fiable  health  informa6on  collected   from  an  individual  by  a  healthcare  provider,  employer  or  plan  that   includes  name,  social  security  number,  phone  number,  medical   history,  current  medical  condi6on,  test  results  and  more.     Electronic  Protected  Health  Informa3on  (EPHI)   All  individually  iden6fiable  health  informa6on  that  is  created,   maintained,  or  transmiZed  electronically.    
  • 20.
    May  29,  2014   Confiden6al  -­‐  Not  for   Covered Entity (CE) Anyone  who  provides  treatment,  payment  and  opera6ons   in  healthcare.       It  could  include  a  doctor’s  office,  dental  office,  clinics,   psychologist,  nursing  home,  pharmacy,  hospital  or  home   healthcare  agency.       This  also  includes  health  plans,  health  insurance   companies,  HMOs,  company  health  plans  and  government   programs  that  pay  for  health  care.       Health  clearing  houses  are  also  considered  covered   en66es.    
  • 21.
    May  29,  2014   Confiden6al  -­‐  Not  for   Business Associate Anyone  who  has  access  to  pa6ent  informa6on,  whether  directly,  indirectly,   physically  or  virtually.       Addi6onally,  any  organiza6on  that  provides  support  in  the  treatment,   payment  or  opera6ons  is  considered  a  business  associate,  i.e.  an  IT  company   or  a  mHealth  applica6on  that  provides  secure  photo-­‐sharing  for  physicians.     Other  examples  include  a  document  destruc6on  company,  a  telephone   service  provider,  accountant,  or  lawyer.       The  business  associates  also  have  the  responsibility  to  achieve  and  maintain   HIPAA  compliance  in  terms  of  all  of  the  internal,  administra6ve,  and  technical   safeguards.       A  business  associate  does  not  work  under  the  covered  en6ty’s  workforce,  but   instead  performs  some  type  of  service  on  their  behalf.