3. Step 2: Technical Safeguards
• Digital Security of ePHI
• Required vs Addressable
• Am I HIPAA compliant if I just deploy my code to a HIPAA compliant hosting environment?
4. Technical Safeguards
1. Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
2. Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
3. Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
4. Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.
5. Technical Safeguards
5. Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
6. Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
7. Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
8. Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
9. Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.
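The two slides above list the safeguards as requirements, not as code. The following is an added example (not from the deck or from TrueVault) showing what safeguards 1, 2, 3, 5, 6 and 7 look like inside a small ePHI access layer: unique user ids, a password-verified login, a separately audited emergency path, inactivity-based session termination, an append-only audit log, and an HMAC tag that detects unauthorized alteration of a stored record. Encryption at rest and in transit (safeguards 4 and 9) are deliberately left out, since they belong to a vetted cryptography library and TLS rather than to this file. The class name, the 15-minute timeout, the integrity key and the PBKDF2 round count are all constructed for the example.

```python
"""Minimal ePHI access layer illustrating several HIPAA technical safeguards (added example)."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Constructed values for this example; a deployment would source these from a KMS and policy.
INTEGRITY_KEY = b"constructed-example-key-replace-with-kms-managed-secret"
INACTIVITY_TIMEOUT_SECONDS = 15 * 60   # assumed policy window for Automatic Logoff
PBKDF2_ROUNDS = 100_000


@dataclass
class Session:
    user_id: str          # Unique User Identification: every action is tied to one user id
    last_activity: float
    emergency: bool = False


class EphiStore:
    """In-memory stand-in for an ePHI data store (hypothetical, not any vendor's API)."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable clock so inactivity timeouts can be tested
        self._users = {}           # user_id -> (salt, pbkdf2 digest)
        self._records = {}         # record_id -> (serialized ePHI, HMAC tag)
        self._sessions = {}        # session token -> Session
        self.audit_log = []        # Audit Controls: append-only record of every access

    def _audit(self, user_id, action, record_id=None, outcome="ok"):
        self.audit_log.append({"ts": self._clock(), "user": user_id, "action": action,
                               "record": record_id, "outcome": outcome})

    # Unique User Identification: ids are never reused, so audit entries stay attributable.
    def register_user(self, user_id, password):
        if user_id in self._users:
            raise ValueError("user id must be unique")
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user_id] = (salt, digest)

    # Authentication: verify the person is who they claim before issuing a session.
    def login(self, user_id, password):
        salt, expected = self._users.get(user_id, (b"", b""))
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, expected):
            self._audit(user_id, "login", outcome="denied")
            raise PermissionError("authentication failed")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, self._clock())
        self._audit(user_id, "login")
        return token

    # Emergency Access Procedure: a separate, loudly audited path. Who may invoke it and
    # the out-of-band approval are policy decisions outside this class.
    def emergency_access(self, user_id, reason):
        if user_id not in self._users:
            raise PermissionError("unknown user")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, self._clock(), emergency=True)
        self._audit(user_id, "emergency_access", outcome=reason)
        return token

    # Automatic Logoff: a session idle longer than the policy window is terminated.
    def _require_session(self, token):
        session = self._sessions.get(token)
        if session is None:
            raise PermissionError("no such session")
        now = self._clock()
        if now - session.last_activity > INACTIVITY_TIMEOUT_SECONDS:
            del self._sessions[token]
            self._audit(session.user_id, "auto_logoff")
            raise PermissionError("session terminated after inactivity")
        session.last_activity = now
        return session

    # Mechanism to Authenticate ePHI: an HMAC over id + payload detects unauthorized alteration.
    def _tag(self, record_id, payload):
        return hmac.new(INTEGRITY_KEY, record_id.encode() + b"\0" + payload, hashlib.sha256).digest()

    def store(self, token, record_id, phi):
        session = self._require_session(token)
        payload = json.dumps(phi, sort_keys=True).encode()
        self._records[record_id] = (payload, self._tag(record_id, payload))
        self._audit(session.user_id, "store", record_id)

    def read(self, token, record_id):
        session = self._require_session(token)
        payload, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, payload)):
            self._audit(session.user_id, "read", record_id, outcome="integrity_failure")
            raise ValueError("ePHI record failed integrity check")
        self._audit(session.user_id, "read", record_id)
        return json.loads(payload)
```

The clock is injected so that the automatic-logoff branch can be exercised without waiting; in the integrity check, binding the record id into the tag prevents a valid tag from being moved from one record to another.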
9. Step 4: HIPAA Audit
• Who Certifies HIPAA Compliance?
• 3rd party Audits
• What is the process like?
• Cost
• Time
• Any other audits?
10. Step 5: Insurance
• Cyber Liability and Data Breach Insurance
• Policy Issuers
• Indemnification
• Costs/Coverage
11. What Else Do I Need to Know?
• Typical implementation frame
• HIPAA will change
• On-going maintenance
• Staffing
• There must be an easier way ;-)
13. • HIPAA Compliant Data Store
[Diagram: a Standard Database holds non-PHI data; TrueVault (HIPAA Compliant) holds PHI data, accessed through a REST API.]
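The diagram on this slide is an architecture: PHI goes to a compliant store over a REST API, everything else stays in the ordinary application database, and the application row keeps only an opaque reference. The following is an added example (not TrueVault's SDK or any vendor's API) of that split, with a hypothetical in-memory `FakeVault` standing in for the REST store; the `PHI_FIELDS` classification is constructed for the example and is not a legal definition of PHI.

```python
"""Split a patient record so PHI never lands in the standard database (added example)."""
import json
import uuid

# Constructed field classification for the example; real classification is a compliance decision.
PHI_FIELDS = {"name", "dob", "ssn", "address"}


class FakeVault:
    """Hypothetical stand-in for a HIPAA-compliant document store reached over REST."""

    def __init__(self):
        self.docs = {}

    def create_document(self, body):
        doc_id = str(uuid.uuid4())
        self.docs[doc_id] = json.dumps(body, sort_keys=True)
        return doc_id

    def get_document(self, doc_id):
        return json.loads(self.docs[doc_id])


def split_record(record):
    """Partition a record into the PHI subset and the non-PHI remainder."""
    phi = {k: v for k, v in record.items() if k in PHI_FIELDS}
    non_phi = {k: v for k, v in record.items() if k not in PHI_FIELDS}
    return phi, non_phi


def save_patient(vault, app_db, record):
    """Store PHI in the vault; keep only non-PHI plus the vault document id in app_db."""
    phi, non_phi = split_record(record)
    doc_id = vault.create_document(phi)
    patient_id = non_phi.get("patient_id") or str(uuid.uuid4())
    app_db[patient_id] = {**non_phi, "patient_id": patient_id, "phi_doc_id": doc_id}
    return patient_id


def load_patient(vault, app_db, patient_id):
    """Reassemble the full record by dereferencing the vault document id."""
    row = dict(app_db[patient_id])
    doc_id = row.pop("phi_doc_id")
    return {**row, **vault.get_document(doc_id)}


def app_db_contains_phi(app_db):
    """Invariant check: no classified PHI field may appear in any standard-database row."""
    return any(k in PHI_FIELDS for row in app_db.values() for k in row)
```

The `app_db_contains_phi` check is the kind of assertion worth running in a test suite or a pre-deploy gate: it makes the architectural promise of the diagram (PHI only in the compliant store) mechanically verifiable.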
14. [Diagram: Physical Safeguards (Facility Access Control, Workstation Use and Security, Devices and Media Controls); Technical Safeguards (Encryption and Decryption, Key Management, Key Rotation, Access Control, Unique User Identification, Emergency Access, Automatic Logoff, Audit Controls, Mechanism to Authenticate Electronic PHI, Person or Entity Authentication, Transmission Security, Integrity Controls); Administrative Safeguards. Labelled: HIPAA Compliant Hosting, TrueVault.]
• TrueVault handles both Technical and Physical Safeguards.
• Developers can quickly start development on healthcare applications without building a HIPAA compliant infrastructure.
• FireHost and AWS have high minimum charges ($1,115 and $1,500) and offer no help with the Technical Safeguards.
15. • RESTful API - No Steps 1 through 5 to worry about
• BAA + Insurance
• Works well with existing infrastructure
• 400+ Customers
• Usage based pricing, no contracts
16. Q&A Time
Shameless Promotions:
• TrueVault is hiring Developers, DevOps Engineers in San Francisco
• Join our iOS SDK beta list – Be the first to release an iOS app leveraging Health Book
http://go.truevault.com/ios8