HIPAA Compliance for Developers

HIPAA Compliance
for Developers
Breaking down the regulatory issues around building
digital health apps for fun and proﬁt.
HIPAA compliant database-as-a-service

HIPAA Compliance is a  
Brutal Time Suck!
!
“[Building our own HIPAA compliant infrastructure] took upwards of
1,000 person-hours to ﬁgure out HIPAA-compliance issues. This will
continue to be an ongoing cost for us, because HIPAA is an ongoing law
and it changes sometimes. It takes substantial auditing time and money.
TrueVault would save us all that.”
 
Posted on Hacker News by jph 
(Unsolicited comment. Not a customer.)

First oﬀ, What is HIPAA?
Health Insurance Portability and Accountability Act
• HIPAA sets the standard for protecting sensitive patient data.
• Covered Entities and their Business Associates need to protect
the privacy and security of protected health information (PHI).
• Developed in 1996. HIPAA was initially created to help the public
with insurance portability. In addition, they built a series of privacy
tools to protect healthcare data.

What Does HIPAA Require?
1.Put safeguards in place to protect patient health information.
2.Reasonably limit use and sharing to the minimum necessary to
accomplish your intended purpose.
3.Have agreements in place with service providers that perform covered
functions. These agreements (BAAs) ensure that service providers
(Business Associates) use, safeguard and disclose patient information
properly.
4.Procedures to limit who can access patient health information, and
training programs about how to protect patient health information.

The Four Rules of HIPAA
Like the four horsemen, these are the major pieces that govern what you do
and how you do it.
1.HIPAA Privacy Rule
2.HIPAA Security Rule
3.HIPAA Enforcement Rule
4.HIPAA Breach Notiﬁcation Rule 
Developers need to focus on the Technical and Physical
safeguards outlined in the Security Rule.

The Privacy Rule
Addresses the saving, accessing and sharing of
medical and personal information of an individual,
including a patient’s own right to access.

The Security Rule
Outlines national security standards intended to
protect health data created, received, maintained,
or transmitted electronically.

The Security Rule
September 23, 2013
Before Sept 23. Rules applied to hospitals, doctors, clinics, etc. After Sept 23. The rules now apply to anyone
that touches PHI. 
 
(e.g. an IT company or a mHealth
application that provides secure photo-
sharing for physicians).
Any company that deals with protected health information (PHI) must
ensure that all the required physical, network, and process security
measures are in place and followed.

“Do I need to be
HIPAA compliant?”

“Do I need to be
HIPAA compliant?”
If you handle PHI then you need to be HIPAA compliant.
The HIPAA rules apply to both Covered Entities
and their Business Associates

What is Protected Health
Information (PHI)?
• PHI is any information in a medical record that can be used to
identify an individual, and that was created, used, or disclosed in
the course of providing a healthcare service.
• Includes:
• Medical records
• Billing information
• Health insurance information
• Any individually identiﬁable health information

Electronic Protected Health
Information (EPHI)
All individually identiﬁable health information that
is created, maintained, or transmitted
electronically.

Covered Entity (CE)
• Anyone who provides treatment, payment and operations in
healthcare.
• Includes:
• Doctor’s oﬃce, dental oﬃces, clinics, psychologists,
• Nursing home, pharmacy, hospital or home healthcare agency
• Health plans, insurance companies, HMOs
• Government programs that pay for healthcare
• Health clearing houses

Business Associate (BA)
• Anyone who has access to patient information, whether directly, indirectly,
physically or virtually.
• Any organization that provides support in the treatment, payment or operations
• Includes:
• IT providers, health applications
• Telephone service provider, document management and destruction
• Accountant, lawyer or other service provider
Business associates have the responsibility to achieve and maintain HIPAA
compliance in terms of all of the internal, administrative, and technical safeguards.

Exceptions
• Entities providing data transmission services, including services that
involve temporary storage of PHI that is incident to the
transmission (e.g. courier services and their electronic equivalents,
such as ISPs or telecoms).
While entities that are “mere conduits” for PHI are not Business Associates, the
rules emphasize that this exception is narrow.

“Who certiﬁes HIPAA
compliance?”

“Who certiﬁes HIPAA
compliance?”
The short answer is no one.

Who certifies HIPAA
compliance?
• Unlike PCI, there is no one that can “certify” that an organization is HIPAA
compliant.
• The Office for Civil Rights (OCR) from the Department of Health and Human
Services (HHS) is the federal governing body. HHS does not endorse or
recognize the “certifications” made by private organizations.
• The evaluation standard in the Security Rule § 164.308(a)(8) requires you to
perform a periodic technical and non-technical evaluation to make sure your
security policies and procedures meet security requirements.
• But, HHS doesn’t care if the evaluation is performed internally or by an external
organization.

Penalties & Fines
• Violations are expensive, to put it mildly.

“How do I become
HIPAA compliant?”

“How do I become
HIPAA compliant?”
The HIPAA Security Rule requires appropriate Administrative,
Physical, and Technical Safeguards to ensure the conﬁdentiality,
integrity, and security of protected health information (PHI).

3 Parts to the Security Rule
1.Administrative Safeguards
2.Technical Safeguards
3.Physical Safeguards

“required” vs. “addressable”
• Some implementation specifications are “required” and others are
“addressable.” Required implementation specifications must be
implemented.
• Addressable implementation specifications must be implemented if it is
reasonable and appropriate to do so; your choice must be documented.
• It is important to remember that an addressable implementation
specification is not optional.
When in doubt, you should just implement the addressable implementation
specifications. Most of them are best practices anyway.

Administrative Safeguards
The administrative components are really important when
implementing a HIPAA compliance program; you are required to:
1.Assign a privacy oﬃcer
2.Complete a risk assessment annually
3.Implement employee training
4.Review policies and procedures
5.Execute Business Associate Agreements (BAAs) with all partners
who handle protected health information (PHI)

Companies who can help with the administrative components of a
compliance program:
• Accountable -- http://accountablehq.com
• Compliance Helper -- http://www.compliancehelper.com
• Compliancy Group -- http://compliancy-group.com

Technical Safeguards
1.Access Control - Unique User Identiﬁcation (required): Assign a unique
name and/or number for identifying and tracking user identity.
2.Access Control - Emergency Access Procedure (required): Establish (and
implement as needed) procedures for obtaining necessary ePHI during an
emergency.
3.Access Control - Automatic Logoﬀ (addressable): Implement electronic
procedures that terminate an electronic session after a predetermined time of
inactivity.
4.Access Control - Encryption and Decryption (addressable): Implement a
mechanism to encrypt and decrypt ePHI.

5.Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that
record and examine activity in information systems that contain or use ePHI.
6.Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms
to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
7.Authentication (required): Implement procedures to verify that a person or entity seeking
access to ePHI is the one claimed.
8.Transmission Security - Integrity Controls (addressable): Implement security measures to
ensure that electronically transmitted ePHI is not improperly modiﬁed without detection until
disposed of.
9.Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI
whenever deemed appropriate.

Physical Safeguards
1.Facility Access Controls - Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility
access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an
emergency.
2.Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the
equipment therein from unauthorized physical access, tampering, and theft.
3.Facility Access Controls - Access Control and Validation Procedures (addressable): Implement procedures to control and validate
a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for
testing and revision.
4.Facility Access Controls - Maintenance Records (addressable): Implement policies and procedures to document repairs and
modiﬁcations to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
5.Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in
which those functions are to be performed, and the physical attributes of the surroundings of a speciﬁc workstation or class of
workstation that can access ePHI.
HIPAA Compliant Hosting Providers can take care of some of the Physical
Safeguards for you.

Physical Safeguards
6.Workstation Security (required): Implement physical safeguards for all workstations that
access ePHI, to restrict access to authorized users.
7.Device and Media Controls - Disposal (required): Implement policies and procedures to
address the ﬁnal disposition of ePHI, and/or the hardware or electronic media on which it is
stored.
8.Device and Media Controls - Media Re-Use (required): Implement procedures for removal of
ePHI from electronic media before the media are made available for re-use.
9.Device and Media Controls - Accountability (addressable): Maintain a record of the
movements of hardware and electronic media and any person responsible therefore.
10.Device and Media Controls - Data Backup and Storage (addressable): Create a
retrievable, exact copy of ePHI, when needed, before movement of equipment.

TrueVault Handles All
Technical Requirements
Encryption and Decryption, Key Management,
Key Rotation, Access Control, Unique User
Identification, Emergency Access, Automatic
Logoff, Audit Controls, Mechanism to
Authenticate Electronic PHI, Person or Entity
Authentication, Transmission Security, Integrity
Controls
Physical Safeguards
Facility Access Ctrl, Workstation Use and
Security, Devices and Media Controls
HIPAA Compliant
Hosting
TrueVault
• TrueVault handles both
Technical and Physical
Safeguards.
!
• Develop a healthcare
application without building a
HIPAA compliant infrastructure.
!
• FireHost and AWS have high
minimum charges ($1,115 and
$1,500) and offer no help with
the Technical Safeguards.

How Does TrueVault Fit In?
!
• Developers access TrueVault
via a RESTful API and native
clients.
!
• Typical integration takes days.
TrueVault works just like any
other API services.
!
• TrueVault provides all client-
side and server-side
functionalities required by
HIPAA.
Customer)Backend)Web)
Services))
Standard)Database)
TrueVault)
(HIPAA)Compliant))
non@PHI)Data)
PHI)Data)
(REST)API))

TrueVault Features
JSON Store
The TrueVault JSON Store is a lightweight, document-oriented
storage system, and enables persistent HIPAA compliant storage of
JSON documents.
BLOB Store
The TrueVault BLOB (binary large object) Store offers HIPAA compliant
binary storage for any file format. This includes DICOM files (e.g. X-Rays,
CT Scans, MRIs), PDFs, scanned medical records, images, and videos.
Encrypted Search
Search encrypted data stored in TrueVault. Query (GET) documents
by any field, not just the documentId.

TrueVault Features
Browser-to-TrueVault Upload
Browser-to-TrueVault direct file upload and download web form. You
can upload binary files directly to TrueVault’s BLOB Store using
HTML forms.
User Management and Authentication
User Management console. You can create and manage users, groups,
and permissions via TrueVault so that PHI never touches your stack.
TrueVault provides identity and access management, plus 2-factor
authentication out of the box. Use our identity API for custom access
flows or add Sign-In, Sign-Up, and My Account pages in seconds with
our JavaScript user controls.
Encryption and Decryption
TrueVault encrypts all at-rest data with AES-256 and stores keys
securely. Our infrastructure for healthcare data storage and
transmission runs in a separate hosting environment inaccessible by
our primary services.

TrueVault Features
Audit Control
Every user action and API call is automatically recorded for
compliance. An audit log can be searched and retrieved via our API.
Automatic Logoff
Configure the automatic user session timeout window via our API or the
Management Console.
Emergency Access
Easily add an Emergency Access Request page to your app with a
CNAME record. We’ll handle the authentication flow for you, and
track activities for compliance. Single-user credentials can also be
created via the API for custom emergency workflows.

TrueVault Features
Proactive Monitoring
TrueVault’s proprietary anomaly-based detection algorithm will alert
you, or your customer, when abnormal user activity is detected.
At-Rest Data Integrity
A checksum is computed for every at-rest record, and the integrity of
the data is continuously checked.
Integrity Control and Encryption
TrueVault regularly audits the details of our implementation: the
certiﬁcates we serve, our certiﬁcate authorities, and our ciphers. We
ensure that browsers and API clients interact with TrueVault over
HTTPS only.

"Becoming HIPAA compliant as an early stage organization was a
daunting task, until we found TrueVault! Their turn-key API has
allowed us to check this box and get back to focusing on our core
product and oﬀering."
Edith Elliott 
CEO Noora Health

Try TrueVault for Free
$0.001 / API call / monthFree for Development
• No credit card required.
• No time limit on the free trial period.
• Unlimited API calls and storage.
• But, no BAA and no insurance.
API Calls Monthly Cost
 0 -100,000 $100
101,000 $101
250,000 $250
1,000,000 $1,000
• Unlimited JSON documents
• Unlimited BLOB objects
• Business Associated Agreement
• Privacy/Data Breach Insurance
• Service Level Agreement
Get Started

HIPAA Compliance for Developers

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie HIPAA Compliance for Developers

Ähnlich wie HIPAA Compliance for Developers (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

HIPAA Compliance for Developers