
HIPAA Compliance for Developers



Developers building healthcare applications for mobile devices, wearables and the desktop need to understand HIPAA requirements in order to build apps that are in compliance. This deck gives application developers an overview of the HIPAA rules and what it means for their software development.

Text of HIPAA Compliance for Developers

  • HIPAA Compliance for Developers. Breaking down the regulatory issues around building digital health apps for fun and profit. HIPAA compliant database-as-a-service
  • HIPAA Compliance is a Brutal Time Suck! "[Building our own HIPAA compliant infrastructure] took upwards of 1,000 person-hours to figure out HIPAA-compliance issues. This will continue to be an ongoing cost for us, because HIPAA is an ongoing law and it changes sometimes. It takes substantial auditing time and money. TrueVault would save us all that." Posted on Hacker News by jph (unsolicited comment; not a customer).
  • First off, what is HIPAA? The Health Insurance Portability and Accountability Act. HIPAA sets the standard for protecting sensitive patient data: Covered Entities and their Business Associates must protect the privacy and security of protected health information (PHI). Enacted in 1996, HIPAA was initially created to help the public with insurance portability; in addition, it established a series of privacy protections for healthcare data.
  • What does HIPAA require? 1. Put safeguards in place to protect patient health information. 2. Reasonably limit use and sharing to the minimum necessary to accomplish your intended purpose. 3. Have agreements in place with service providers that perform covered functions. These agreements (Business Associate Agreements, BAAs) ensure that service providers (Business Associates) use, safeguard and disclose patient information properly. 4. Have procedures that limit who can access patient health information, and training programs on how to protect it.
  • The Four Rules of HIPAA. Like the four horsemen, these are the major pieces that govern what you do and how you do it: 1. HIPAA Privacy Rule 2. HIPAA Security Rule 3. HIPAA Enforcement Rule 4. HIPAA Breach Notification Rule. Developers need to focus on the Technical and Physical safeguards outlined in the Security Rule.
  • The Privacy Rule: Addresses the saving, accessing and sharing of an individual's medical and personal information, including a patient's own right to access it.
  • The Security Rule: Outlines national security standards intended to protect health data created, received, maintained, or transmitted electronically.
  • The Security Rule, September 23, 2013: Before Sept 23, the rules applied to hospitals, doctors, clinics, etc. After Sept 23 (the compliance date of the 2013 Omnibus Rule), the rules apply directly to anyone that touches PHI, e.g. an IT company or an mHealth application that provides secure photo-sharing for physicians. Any company that deals with PHI must ensure that all the required physical, network, and process security measures are in place and followed.
  • Do I need to be HIPAA compliant? If you handle PHI, then yes. The HIPAA rules apply to both Covered Entities and their Business Associates.
  • What is Protected Health Information (PHI)? PHI is any information in a medical record that can be used to identify an individual and that was created, used, or disclosed in the course of providing a healthcare service. Includes: medical records; billing information; health insurance information; any individually identifiable health information.
  • Electronic Protected Health Information (ePHI): All individually identifiable health information that is created, maintained, or transmitted electronically.
  • Covered Entity (CE): Anyone who provides treatment, payment and operations in healthcare. Includes: doctors' offices, dental offices, clinics, psychologists; nursing homes, pharmacies, hospitals or home healthcare agencies; health plans, insurance companies, HMOs; government programs that pay for healthcare; healthcare clearinghouses.
  • Business Associate (BA): Anyone who has access to patient information, whether directly, indirectly, physically or virtually; any organization that provides support in treatment, payment or operations. Includes: IT providers, health applications; telephone service providers, document management and destruction; accountants, lawyers or other service providers. Business Associates have the responsibility to achieve and maintain HIPAA compliance in terms of all of the internal, administrative, and technical safeguards.
  • Exceptions: Entities providing data transmission services, including services that involve temporary storage of PHI incident to the transmission (e.g. courier services and their electronic equivalents, such as ISPs or telecoms). While entities that are mere conduits for PHI are not Business Associates, the rules emphasize that this exception is narrow.
  • Who certifies HIPAA compliance? The short answer is no one. Unlike PCI, there is no one that can certify that an organization is HIPAA compliant. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is the federal governing body, and HHS does not endorse or recognize the certifications made by private organizations. The evaluation standard in the Security Rule, 45 CFR 164.308(a)(8), requires you to perform a periodic technical and non-technical evaluation to make sure your security policies and procedures meet the security requirements; HHS doesn't care whether the evaluation is performed internally or by an external organization.
  • Penalties & Fines: Violations are expensive, to put it mildly.
  • How do I become HIPAA compliant? The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI).
  • 3 Parts to the Security Rule: 1. Administrative Safeguards 2. Technical Safeguards 3. Physical Safeguards.
  • Required vs. addressable: Some implementation specifications are required and others are addressable. Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; if you decide not to, you must document why and implement an equivalent alternative measure where that is reasonable and appropriate. An addressable implementation specification is not optional. When in doubt, just implement the addressable specifications; most of them are best practices anyway.
  • Administrative Safeguards: The administrative components are really important when implementing a HIPAA compliance program; you are required to: 1. Assign a privacy officer (the Security Rule also requires a designated security official) 2. Complete a risk assessment annually 3. Implement employee training 4. Review policies and procedures 5. Execute Business Associate Agreements (BAAs) with all partners who handle PHI.
  • Administrative Safeguards, companies who can help with the administrative components of a compliance program: Accountable; Compliance Helper; Compliancy Group.
  • Technical Safeguards: 1. Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity. 2. Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency. 3. Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. 4. Access Control - Encryption and Decryption (a
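The first three access-control specifications above (unique user identification, emergency access, automatic logoff) map onto a handful of concrete mechanisms in an application's session layer. What follows is an added, illustrative Python sketch written for this page, not code from TrueVault or from the deck: a session manager that only issues sessions to individually provisioned user IDs, terminates a session when it is next used after a predetermined idle period, supports a time-boxed break-glass emergency grant that requires a written justification, and records every decision in an audit trail keyed by user ID. The timeout values, the `directory` of provisioned users and the `treating_users` relationship check are assumptions for illustration; the encryption specification is not covered here.

```python
"""Session-layer sketch for three HIPAA Technical Safeguards (added example).

Shows unique user identification, emergency (break-glass) access and
automatic logoff. Timeouts and the user directory are assumptions.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60       # assumption: 15 min of inactivity ends the session
BREAK_GLASS_TTL = 60 * 60    # assumption: an emergency grant lasts one hour


@dataclass
class Session:
    user_id: str             # one individual; never a shared or role account
    token: str               # opaque, unguessable session identifier
    last_seen: float         # last activity, used for the idle timeout
    emergency_until: float = 0.0   # break-glass grant expiry; 0 means none


class SessionManager:
    def __init__(self, directory: set[str], clock=time.time):
        self._directory = directory      # provisioned individual user IDs (assumed)
        self._clock = clock              # injected so tests can move time
        self._sessions: dict[str, Session] = {}
        self.audit: list[dict] = []      # every event is attributable to a user_id

    def _log(self, user_id: str, event: str, **extra) -> None:
        self.audit.append({"ts": self._clock(), "user_id": user_id,
                           "event": event, **extra})

    # Unique user identification: only known individuals get a session.
    def login(self, user_id: str) -> str:
        if user_id not in self._directory:
            raise ValueError(f"{user_id!r} is not a provisioned individual user")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, token, self._clock())
        self._log(user_id, "login")
        return token

    # Automatic logoff: the next use of a stale session terminates it.
    def touch(self, token: str) -> Session | None:
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT:
            self.logout(token, reason="idle_timeout")
            return None
        session.last_seen = now
        return session

    def logout(self, token: str, reason: str = "user") -> None:
        session = self._sessions.pop(token, None)
        if session is not None:
            self._log(session.user_id, "logout", reason=reason)

    # Emergency access: time-boxed, justified in writing, and audited.
    def break_glass(self, token: str, justification: str) -> bool:
        session = self.touch(token)
        if session is None:
            return False
        if len(justification.strip()) < 10:
            raise ValueError("break-glass access requires a written justification")
        session.emergency_until = self._clock() + BREAK_GLASS_TTL
        self._log(session.user_id, "break_glass", justification=justification)
        return True

    def can_read_record(self, token: str, patient_id: str,
                        treating_users: set[str]) -> bool:
        """Allow a read for the treating team, or under a live emergency grant.

        `treating_users` stands in for whatever relationship check the app
        really uses (assumption); every outcome is logged against the user_id.
        """
        session = self.touch(token)
        if session is None:
            return False
        if session.user_id in treating_users:
            self._log(session.user_id, "read", patient_id=patient_id, basis="treatment")
            return True
        if session.emergency_until > self._clock():
            self._log(session.user_id, "read", patient_id=patient_id, basis="emergency")
            return True
        self._log(session.user_id, "denied", patient_id=patient_id)
        return False


if __name__ == "__main__":
    # Constructed walk-through with a controllable clock.
    now = [1_700_000_000.0]
    mgr = SessionManager({"u1001", "u1002"}, clock=lambda: now[0])
    tok = mgr.login("u1001")
    print(mgr.can_read_record(tok, "p-42", {"u1002"}))   # not on the treating team
    print(mgr.break_glass(tok, "ER: unresponsive patient, need allergy list"))
    print(mgr.can_read_record(tok, "p-42", {"u1002"}))   # now allowed under the grant
    now[0] += IDLE_TIMEOUT + 1
    print(mgr.touch(tok))                                # session auto-logged-off
    for entry in mgr.audit:
        print(entry)
```

The design choices worth copying are the ones auditors ask about: the session is bound to an individual identifier rather than a role, the idle check happens on every use so a forgotten browser tab cannot keep a session alive, and emergency access is never a silent bypass; it is a separate event with a justification string that lands in the same audit trail as the reads it enables.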
