HxRefactored - TrueVault - Jason Wang

Date post: 09-May-2015
Decoding HIPAA for Developers Jason Wang Founder & CEO, TrueVault
Transcript
Page 1: HxRefactored - TrueVault - Jason Wang

Decoding HIPAA for Developers

Jason Wang
Founder & CEO, TrueVault

Page 2: HxRefactored - TrueVault - Jason Wang

1996 - HIPAA

Page 3: HxRefactored - TrueVault - Jason Wang

1996 - HIPAA

Page 4: HxRefactored - TrueVault - Jason Wang

1996 – HIPAA
2009 – HITECH
2013 – Final Omnibus Rule Update

Page 5: HxRefactored - TrueVault - Jason Wang

HIPAA Acronyms!

PHI – Protected Health Information
CE – Covered Entities
BA – Business Associates
BAA – Business Associate Agreement

Page 6: HxRefactored - TrueVault - Jason Wang

HIPAA

Privacy Rule

Security Rule
•  Administrative Safeguards
•  Technical Safeguards
•  Physical Safeguards

Enforcement Rule

Breach Notification Rule

Page 7: HxRefactored - TrueVault - Jason Wang

HIPAA

Privacy Rule

Security Rule
•  Administrative Safeguards
•  Technical Safeguards
•  Physical Safeguards

Enforcement Rule

Breach Notification Rule

If you’re a developer trying to understand the scope of the build, then you need to focus on the Technical and Physical Safeguards spelled out in the Security Rule; these two sections comprise the majority of your to-do list.

Page 8: HxRefactored - TrueVault - Jason Wang

Who Needs to be HIPAA Compliant?

If you handle PHI then you need to be HIPAA compliant.

The HIPAA rules apply to both Covered Entities and their Business Associates.

Page 9: HxRefactored - TrueVault - Jason Wang

Who Certifies HIPAA Compliance?

The short answer is no one.

Page 10: HxRefactored - TrueVault - Jason Wang

“required” vs. “addressable”

Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented. Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; your choice must be documented.

It is important to remember that an addressable implementation specification is not optional.

When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.

Addressable does NOT mean optional!

Page 11: HxRefactored - TrueVault - Jason Wang

Technical Safeguards

1.  Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.

2.  Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.

3.  Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

4.  Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.

Page 12: HxRefactored - TrueVault - Jason Wang

Technical Safeguards

5.  Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

6.  Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

7.  Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

8.  Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.

9.  Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
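As an added illustration (not code from the talk or from TrueVault) of how four of the Technical Safeguards above translate into concrete controls, the in-memory ePHI store below binds every session to one user id (item 1), terminates a session after a period of inactivity (item 3), writes an append-only audit record for every access (item 5), and tags each stored record with an HMAC so unauthorized alteration is detected on read (item 6). The key, the 15-minute timeout, the `EphiStore` API and the sample records are all assumptions made for the example; the current time is passed in explicitly so the behaviour can be exercised deterministically.

```python
import hashlib, hmac, json, secrets
INTEGRITY_KEY = b"constructed-demo-key"  # constructed demo value; a real system loads it from a managed secret store

class SessionExpired(Exception): pass
class IntegrityError(Exception): pass

def integrity_tag(data: dict) -> str:
    # Integrity (item 6): HMAC over canonical JSON so unauthorized alteration is caught on read
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()

class EphiStore:
    def __init__(self, idle_timeout: int = 15 * 60):  # assumed 15-minute inactivity limit
        self.records = {}   # patient_id -> {"data": ..., "tag": ...}
        self.sessions = {}  # session_id -> [user_id, last_activity]; one user per session (item 1)
        self.audit = []     # Audit Controls (item 5): append-only trail of every access
        self.idle_timeout = idle_timeout

    def _log(self, user_id, action, patient_id, now):
        self.audit.append({"ts": now, "user": user_id, "action": action, "patient": patient_id})

    def login(self, user_id: str, now: int) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = [user_id, now]
        self._log(user_id, "LOGIN", None, now)
        return sid

    def _touch(self, sid: str, now: int) -> str:
        # Automatic Logoff (item 3): end the session once inactivity exceeds the limit
        user_id, last_activity = self.sessions[sid]
        if now - last_activity > self.idle_timeout:
            del self.sessions[sid]
            self._log(user_id, "AUTO_LOGOFF", None, now)
            raise SessionExpired(sid)
        self.sessions[sid][1] = now
        return user_id

    def write(self, sid: str, patient_id: str, data: dict, now: int) -> None:
        user_id = self._touch(sid, now)
        self.records[patient_id] = {"data": data, "tag": integrity_tag(data)}
        self._log(user_id, "WRITE", patient_id, now)

    def read(self, sid: str, patient_id: str, now: int) -> dict:
        user_id = self._touch(sid, now)
        record = self.records[patient_id]
        if not hmac.compare_digest(record["tag"], integrity_tag(record["data"])):
            self._log(user_id, "INTEGRITY_FAILURE", patient_id, now)
            raise IntegrityError(patient_id)
        self._log(user_id, "READ", patient_id, now)
        return record["data"]
```

Items 4, 8 and 9 (encryption at rest and in transit) are deliberately left out here; they belong in the storage and transport layers rather than in the access logic shown.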

Page 13: HxRefactored - TrueVault - Jason Wang

Physical Safeguards

1.  Facility Access Controls - Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

2.  Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

3.  Facility Access Controls - Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.

Page 14: HxRefactored - TrueVault - Jason Wang

Physical Safeguards

4.  Facility Access Controls - Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).

5.  Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.

6.  Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.

HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.

Page 15: HxRefactored - TrueVault - Jason Wang

Physical Safeguards

7.  Device and Media Controls - Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

8.  Device and Media Controls - Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.

9.  Device and Media Controls - Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

10.  Device and Media Controls - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.

HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.

Page 16: HxRefactored - TrueVault - Jason Wang

What Else?

•  Emails, texts, voicemails

•  3rd party tools (MixPanel, Loggly, New Relic, etc)

•  Administrative Safeguards

•  Building a HIPAA compliant infrastructure

Page 17: HxRefactored - TrueVault - Jason Wang

Q&A Time

Shameless Promotions:

•  TrueVault is hiring Developers, DevOps Engineers in San Francisco

•  Join our iOS SDK beta list – Be the first to release an iOS app leveraging Health Book
http://go.truevault.com/ios8

Page 18: HxRefactored - TrueVault - Jason Wang

Thank you!

Jason Wang, Founder & CEO, TrueVault

Page 19: HxRefactored - TrueVault - Jason Wang

May 29, 2014   Confidential - Not for Distribution

What is Protected Health Information (PHI)?

PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a healthcare service, such as a diagnosis or treatment. PHI is information in your medical records, including conversations between your doctors and nurses about your treatment. PHI also includes your billing information and any medical information in your health insurance company's computer system. This includes any individually identifiable health information collected from an individual by a healthcare provider, employer or plan that includes name, social security number, phone number, medical history, current medical condition, test results and more.

Electronic Protected Health Information (EPHI)

All individually identifiable health information that is created, maintained, or transmitted electronically.

Page 20: HxRefactored - TrueVault - Jason Wang


Covered Entity (CE)

Anyone who provides treatment, payment and operations in healthcare. It could include a doctor’s office, dental office, clinics, psychologist, nursing home, pharmacy, hospital or home healthcare agency. This also includes health plans, health insurance companies, HMOs, company health plans and government programs that pay for health care. Health clearing houses are also considered covered entities.

Page 21: HxRefactored - TrueVault - Jason Wang


Business Associate

Anyone who has access to patient information, whether directly, indirectly, physically or virtually. Additionally, any organization that provides support in the treatment, payment or operations is considered a business associate, i.e. an IT company or an mHealth application that provides secure photo-sharing for physicians. Other examples include a document destruction company, a telephone service provider, accountant, or lawyer. The business associates also have the responsibility to achieve and maintain HIPAA compliance in terms of all of the internal, administrative, and technical safeguards. A business associate does not work under the covered entity’s workforce, but instead performs some type of service on their behalf.

