SlideShare une entreprise Scribd logo
1  sur  37
Télécharger pour lire hors ligne
HIPAA Compliance
for Developers
Breaking down the regulatory issues around building
digital health apps for fun and profit.
HIPAA compliant database-as-a-service
HIPAA Compliance is a 

Brutal Time Suck!
!
“[Building our own HIPAA compliant infrastructure] took upwards of
1,000 person-hours to figure out HIPAA-compliance issues. This will
continue to be an ongoing cost for us, because HIPAA is an ongoing law
and it changes sometimes. It takes substantial auditing time and money.
TrueVault would save us all that.”


Posted on Hacker News by jph

(Unsolicited comment. Not a customer.)
HIPAA compliant database-as-a-service
First off, What is HIPAA?
Health Insurance Portability and Accountability Act
• HIPAA sets the standard for protecting sensitive patient data.
• Covered Entities and their Business Associates need to protect
the privacy and security of protected health information (PHI).
• Developed in 1996. HIPAA was initially created to help the public
with insurance portability. In addition, they built a series of privacy
tools to protect healthcare data.
HIPAA compliant database-as-a-service
What Does HIPAA Require?
1.Put safeguards in place to protect patient health information.
2.Reasonably limit use and sharing to the minimum necessary to
accomplish your intended purpose.
3.Have agreements in place with service providers that perform covered
functions. These agreements (BAAs) ensure that service providers
(Business Associates) use, safeguard and disclose patient information
properly.
4.Procedures to limit who can access patient health information, and
training programs about how to protect patient health information.
HIPAA compliant database-as-a-service
The Four Rules of HIPAA
Like the four horsemen, these are the major pieces that govern what you do
and how you do it.
1.HIPAA Privacy Rule
2.HIPAA Security Rule
3.HIPAA Enforcement Rule
4.HIPAA Breach Notification Rule

HIPAA compliant database-as-a-service
Developers need to focus on the Technical and Physical
safeguards outlined in the Security Rule.
The Privacy Rule
HIPAA compliant database-as-a-service
Addresses the saving, accessing and sharing of
medical and personal information of an individual,
including a patient’s own right to access.
The Security Rule
HIPAA compliant database-as-a-service
Outlines national security standards intended to
protect health data created, received, maintained,
or transmitted electronically.
The Security Rule
HIPAA compliant database-as-a-service
September 23, 2013
Before Sept 23. Rules applied to hospitals, doctors, clinics, etc. After Sept 23. The rules now apply to anyone
that touches PHI.



(e.g. an IT company or a mHealth
application that provides secure photo-
sharing for physicians).
Any company that deals with protected health information (PHI) must
ensure that all the required physical, network, and process security
measures are in place and followed.
HIPAA compliant database-as-a-service
“Do I need to be
HIPAA compliant?”
HIPAA compliant database-as-a-service
“Do I need to be
HIPAA compliant?”
If you handle PHI then you need to be HIPAA compliant.
The HIPAA rules apply to both Covered Entities
and their Business Associates
What is Protected Health
Information (PHI)?
• PHI is any information in a medical record that can be used to
identify an individual, and that was created, used, or disclosed in
the course of providing a healthcare service.
• Includes:
• Medical records
• Billing information
• Health insurance information
• Any individually identifiable health information
HIPAA compliant database-as-a-service
Electronic Protected Health
Information (EPHI)
HIPAA compliant database-as-a-service
All individually identifiable health information that
is created, maintained, or transmitted
electronically.
Covered Entity (CE)
HIPAA compliant database-as-a-service
• Anyone who provides treatment, payment and operations in
healthcare.
• Includes:
• Doctor’s office, dental offices, clinics, psychologists,
• Nursing home, pharmacy, hospital or home healthcare agency
• Health plans, insurance companies, HMOs
• Government programs that pay for healthcare
• Health clearing houses
Business Associate (BA)
HIPAA compliant database-as-a-service
• Anyone who has access to patient information, whether directly, indirectly,
physically or virtually.
• Any organization that provides support in the treatment, payment or operations
• Includes:
• IT providers, health applications
• Telephone service provider, document management and destruction
• Accountant, lawyer or other service provider
Business associates have the responsibility to achieve and maintain HIPAA
compliance in terms of all of the internal, administrative, and technical safeguards.
Exceptions
HIPAA compliant database-as-a-service
• Entities providing data transmission services, including services that
involve temporary storage of PHI that is incident to the
transmission (e.g. courier services and their electronic equivalents,
such as ISPs or telecoms).
While entities that are “mere conduits” for PHI are not Business Associates, the
rules emphasize that this exception is narrow.
HIPAA compliant database-as-a-service
“Who certifies HIPAA
compliance?”
HIPAA compliant database-as-a-service
“Who certifies HIPAA
compliance?”
The short answer is no one.
Who certifies HIPAA
compliance?
• Unlike PCI, there is no one that can “certify” that an organization is HIPAA
compliant.
• The Office for Civil Rights (OCR) from the Department of Health and Human
Services (HHS) is the federal governing body. HHS does not endorse or
recognize the “certifications” made by private organizations.
• The evaluation standard in the Security Rule § 164.308(a)(8) requires you to
perform a periodic technical and non-technical evaluation to make sure your
security policies and procedures meet security requirements.
• But, HHS doesn’t care if the evaluation is performed internally or by an external
organization.
HIPAA compliant database-as-a-service
Penalties & Fines
• Violations are expensive, to put it mildly.
HIPAA compliant database-as-a-service
HIPAA compliant database-as-a-service
“How do I become
HIPAA compliant?”
HIPAA compliant database-as-a-service
“How do I become
HIPAA compliant?”
The HIPAA Security Rule requires appropriate Administrative,
Physical, and Technical Safeguards to ensure the confidentiality,
integrity, and security of protected health information (PHI).
3 Parts to the Security Rule
1.Administrative Safeguards
2.Technical Safeguards
3.Physical Safeguards
HIPAA compliant database-as-a-service
“required” vs. “addressable”
• Some implementation specifications are “required” and others are
“addressable.” Required implementation specifications must be
implemented.
• Addressable implementation specifications must be implemented if it is
reasonable and appropriate to do so; your choice must be documented.
• It is important to remember that an addressable implementation
specification is not optional.
HIPAA compliant database-as-a-service
When in doubt, you should just implement the addressable implementation
specifications. Most of them are best practices anyway.
Administrative Safeguards
The administrative components are really important when
implementing a HIPAA compliance program; you are required to:
1.Assign a privacy officer
2.Complete a risk assessment annually
3.Implement employee training
4.Review policies and procedures
5.Execute Business Associate Agreements (BAAs) with all partners
who handle protected health information (PHI)
HIPAA compliant database-as-a-service
Administrative Safeguards
Companies who can help with the administrative components of a
compliance program:
• Accountable -- http://accountablehq.com
• Compliance Helper -- http://www.compliancehelper.com
• Compliancy Group -- http://compliancy-group.com
HIPAA compliant database-as-a-service
Technical Safeguards
1.Access Control - Unique User Identification (required): Assign a unique
name and/or number for identifying and tracking user identity.
2.Access Control - Emergency Access Procedure (required): Establish (and
implement as needed) procedures for obtaining necessary ePHI during an
emergency.
3.Access Control - Automatic Logoff (addressable): Implement electronic
procedures that terminate an electronic session after a predetermined time of
inactivity.
4.Access Control - Encryption and Decryption (addressable): Implement a
mechanism to encrypt and decrypt ePHI.
HIPAA compliant database-as-a-service
Technical Safeguards
5.Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that
record and examine activity in information systems that contain or use ePHI.
6.Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms
to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
7.Authentication (required): Implement procedures to verify that a person or entity seeking
access to ePHI is the one claimed.
8.Transmission Security - Integrity Controls (addressable): Implement security measures to
ensure that electronically transmitted ePHI is not improperly modified without detection until
disposed of.
9.Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI
whenever deemed appropriate.
HIPAA compliant database-as-a-service
Physical Safeguards
1.Facility Access Controls - Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility
access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an
emergency.
2.Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the
equipment therein from unauthorized physical access, tampering, and theft.
3.Facility Access Controls - Access Control and Validation Procedures (addressable): Implement procedures to control and validate
a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for
testing and revision.
4.Facility Access Controls - Maintenance Records (addressable): Implement policies and procedures to document repairs and
modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
5.Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in
which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of
workstation that can access ePHI.
HIPAA compliant database-as-a-service
HIPAA Compliant Hosting Providers can take care of some of the Physical
Safeguards for you.
Physical Safeguards
6.Workstation Security (required): Implement physical safeguards for all workstations that
access ePHI, to restrict access to authorized users.
7.Device and Media Controls - Disposal (required): Implement policies and procedures to
address the final disposition of ePHI, and/or the hardware or electronic media on which it is
stored.
8.Device and Media Controls - Media Re-Use (required): Implement procedures for removal of
ePHI from electronic media before the media are made available for re-use.
9.Device and Media Controls - Accountability (addressable): Maintain a record of the
movements of hardware and electronic media and any person responsible therefore.
10.Device and Media Controls - Data Backup and Storage (addressable): Create a
retrievable, exact copy of ePHI, when needed, before movement of equipment.
HIPAA compliant database-as-a-service
TrueVault Handles All
Technical Requirements
HIPAA compliant database-as-a-service
Administrative Safeguards
Technical Safeguards
Encryption and Decryption, Key Management,
Key Rotation, Access Control, Unique User
Identification, Emergency Access, Automatic
Logoff, Audit Controls, Mechanism to
Authenticate Electronic PHI, Person or Entity
Authentication, Transmission Security, Integrity
Controls
Physical Safeguards
Facility Access Ctrl, Workstation Use and
Security, Devices and Media Controls
HIPAA Compliant
Hosting
TrueVault
• TrueVault handles both
Technical and Physical
Safeguards.
!
• Develop a healthcare
application without building a
HIPAA compliant infrastructure.
!
• FireHost and AWS have high
minimum charges ($1,115 and
$1,500) and offer no help with
the Technical Safeguards.
How Does TrueVault Fit In?
HIPAA compliant database-as-a-service
!
• Developers access TrueVault
via a RESTful API and native
clients.
!
• Typical integration takes days.
TrueVault works just like any
other API services.
!
• TrueVault provides all client-
side and server-side
functionalities required by
HIPAA.
Customer)Backend)Web)
Services))
Standard)Database)
TrueVault)
(HIPAA)Compliant))
non@PHI)Data)
PHI)Data)
(REST)API))
TrueVault Features
HIPAA compliant database-as-a-service
JSON Store
The TrueVault JSON Store is a lightweight, document-oriented
storage system, and enables persistent HIPAA compliant storage of
JSON documents.
BLOB Store
The TrueVault BLOB (binary large object) Store offers HIPAA compliant
binary storage for any file format. This includes DICOM files (e.g. X-Rays,
CT Scans, MRIs), PDFs, scanned medical records, images, and videos.
Encrypted Search
Search encrypted data stored in TrueVault. Query (GET) documents
by any field, not just the documentId.
TrueVault Features
HIPAA compliant database-as-a-service
Browser-to-TrueVault Upload
Browser-to-TrueVault direct file upload and download web form. You
can upload binary files directly to TrueVault’s BLOB Store using
HTML forms.
User Management and Authentication
User Management console. You can create and manage users, groups,
and permissions via TrueVault so that PHI never touches your stack.
TrueVault provides identity and access management, plus 2-factor
authentication out of the box. Use our identity API for custom access
flows or add Sign-In, Sign-Up, and My Account pages in seconds with
our JavaScript user controls.
Encryption and Decryption
TrueVault encrypts all at-rest data with AES-256 and stores keys
securely. Our infrastructure for healthcare data storage and
transmission runs in a separate hosting environment inaccessible by
our primary services.
TrueVault Features
HIPAA compliant database-as-a-service
Audit Control
Every user action and API call is automatically recorded for
compliance. An audit log can be searched and retrieved via our API.
Automatic Logoff
Configure the automatic user session timeout window via our API or the
Management Console.
Emergency Access
Easily add an Emergency Access Request page to your app with a
CNAME record. We’ll handle the authentication flow for you, and
track activities for compliance. Single-user credentials can also be
created via the API for custom emergency workflows.
TrueVault Features
HIPAA compliant database-as-a-service
Proactive Monitoring
TrueVault’s proprietary anomaly-based detection algorithm will alert
you, or your customer, when abnormal user activity is detected.
At-Rest Data Integrity
A checksum is computed for every at-rest record, and the integrity of
the data is continuously checked.
Integrity Control and Encryption
TrueVault regularly audits the details of our implementation: the
certificates we serve, our certificate authorities, and our ciphers. We
ensure that browsers and API clients interact with TrueVault over
HTTPS only.
HIPAA compliant database-as-a-service
"Becoming HIPAA compliant as an early stage organization was a
daunting task, until we found TrueVault! Their turn-key API has
allowed us to check this box and get back to focusing on our core
product and offering."
Edith Elliott

CEO Noora Health
Try TrueVault for Free
HIPAA compliant database-as-a-service
$0.001 / API call / monthFree for Development
• No credit card required.
• No time limit on the free trial period.
• Unlimited API calls and storage.
• But, no BAA and no insurance.
API Calls Monthly Cost

0 -100,000 $100
101,000 $101
250,000 $250
1,000,000 $1,000
• Unlimited JSON documents
• Unlimited BLOB objects
• Business Associated Agreement
• Privacy/Data Breach Insurance
• Service Level Agreement
Get Started

Contenu connexe

Tendances

APPLICATION OF RFID TECHNOLOGY IN LIBRARIES AND ROLE OF LIBRARIAN
APPLICATION OF RFID TECHNOLOGY IN LIBRARIES AND ROLE OF LIBRARIANAPPLICATION OF RFID TECHNOLOGY IN LIBRARIES AND ROLE OF LIBRARIAN
APPLICATION OF RFID TECHNOLOGY IN LIBRARIES AND ROLE OF LIBRARIANKartika Mahajan
 
Bahmni - Open Source EHR System (By Ranjan Sakalley)
Bahmni - Open Source EHR System (By Ranjan Sakalley)Bahmni - Open Source EHR System (By Ranjan Sakalley)
Bahmni - Open Source EHR System (By Ranjan Sakalley)Bahmni
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliancePrince George
 
Application of rfid technology in libraries
Application of rfid technology in librariesApplication of rfid technology in libraries
Application of rfid technology in librariesShivashish Verma
 
Resumo ISO 27002 para Concurso
Resumo ISO 27002 para ConcursoResumo ISO 27002 para Concurso
Resumo ISO 27002 para Concursoluanrjesus
 
HL7 New Zealand: FHIR for developers
HL7 New Zealand: FHIR for developersHL7 New Zealand: FHIR for developers
HL7 New Zealand: FHIR for developersDavid Hay
 
HIPPA Security Presentation
HIPPA Security PresentationHIPPA Security Presentation
HIPPA Security PresentationRebecca Norman
 
Enterprise resource planning erp
Enterprise resource planning  erpEnterprise resource planning  erp
Enterprise resource planning erpgourav kottawar
 
HIPAA: security risk analysis
HIPAA: security risk analysisHIPAA: security risk analysis
HIPAA: security risk analysisJoAnna Cheshire
 
EMC ECD Documentum D2
EMC ECD Documentum D2EMC ECD Documentum D2
EMC ECD Documentum D2mister_moun
 
Evaluation of Digital Library
Evaluation of Digital LibraryEvaluation of Digital Library
Evaluation of Digital Libraryflorence tamid-ay
 
Preparation, Proceed and Review of preservation of Digital Library
Preparation, Proceed and Review of preservation of Digital Library Preparation, Proceed and Review of preservation of Digital Library
Preparation, Proceed and Review of preservation of Digital Library Asheesh Kamal
 

Tendances (20)

APPLICATION OF RFID TECHNOLOGY IN LIBRARIES AND ROLE OF LIBRARIAN
APPLICATION OF RFID TECHNOLOGY IN LIBRARIES AND ROLE OF LIBRARIANAPPLICATION OF RFID TECHNOLOGY IN LIBRARIES AND ROLE OF LIBRARIAN
APPLICATION OF RFID TECHNOLOGY IN LIBRARIES AND ROLE OF LIBRARIAN
 
Bahmni - Open Source EHR System (By Ranjan Sakalley)
Bahmni - Open Source EHR System (By Ranjan Sakalley)Bahmni - Open Source EHR System (By Ranjan Sakalley)
Bahmni - Open Source EHR System (By Ranjan Sakalley)
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
 
Application of rfid technology in libraries
Application of rfid technology in librariesApplication of rfid technology in libraries
Application of rfid technology in libraries
 
RFID ppt2.pptx
RFID ppt2.pptxRFID ppt2.pptx
RFID ppt2.pptx
 
HIPAA Basics by Brian Fleetham
HIPAA Basics by Brian FleethamHIPAA Basics by Brian Fleetham
HIPAA Basics by Brian Fleetham
 
Resumo ISO 27002 para Concurso
Resumo ISO 27002 para ConcursoResumo ISO 27002 para Concurso
Resumo ISO 27002 para Concurso
 
HL7 New Zealand: FHIR for developers
HL7 New Zealand: FHIR for developersHL7 New Zealand: FHIR for developers
HL7 New Zealand: FHIR for developers
 
HIPPA Security Presentation
HIPPA Security PresentationHIPPA Security Presentation
HIPPA Security Presentation
 
Hipaa for business associates simple
Hipaa for business associates   simpleHipaa for business associates   simple
Hipaa for business associates simple
 
Enterprise resource planning erp
Enterprise resource planning  erpEnterprise resource planning  erp
Enterprise resource planning erp
 
HIPAA: security risk analysis
HIPAA: security risk analysisHIPAA: security risk analysis
HIPAA: security risk analysis
 
RFID AND LIBRARIES
RFID AND LIBRARIESRFID AND LIBRARIES
RFID AND LIBRARIES
 
EMC ECD Documentum D2
EMC ECD Documentum D2EMC ECD Documentum D2
EMC ECD Documentum D2
 
The hospital of the future
The hospital of the futureThe hospital of the future
The hospital of the future
 
HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ? HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ?
 
Evaluation of Digital Library
Evaluation of Digital LibraryEvaluation of Digital Library
Evaluation of Digital Library
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
Preparation, Proceed and Review of preservation of Digital Library
Preparation, Proceed and Review of preservation of Digital Library Preparation, Proceed and Review of preservation of Digital Library
Preparation, Proceed and Review of preservation of Digital Library
 
Introduction to GDPR
Introduction to GDPRIntroduction to GDPR
Introduction to GDPR
 

Similaire à HIPAA Compliance for Developers

Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMBMeHealthCareSolutions
 
HxRefactored - TrueVault - Jason Wang
HxRefactored - TrueVault - Jason WangHxRefactored - TrueVault - Jason Wang
HxRefactored - TrueVault - Jason WangHxRefactored
 
The importance of hipaa compliance and training
The importance of hipaa compliance and trainingThe importance of hipaa compliance and training
The importance of hipaa compliance and trainingLaDavia Day, MHA, BS
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTControlCase
 
HIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesHIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesNisos Health
 
Comp8 unit6a lecture_slides
Comp8 unit6a lecture_slidesComp8 unit6a lecture_slides
Comp8 unit6a lecture_slidesCMDLMS
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxVistaInfosec
 
Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Kimberly Simon MBA
 
HealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUSTHealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUSTKimberly Simon MBA
 
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...Ajeet Singh
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rssupportc2go
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associatesgppcpa
 
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations OnRamp
 
What Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sWhat Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sIatric Systems
 
Web Werks Data Center Achieves HIPAA Compliance Certification
Web Werks Data Center Achieves HIPAA Compliance CertificationWeb Werks Data Center Achieves HIPAA Compliance Certification
Web Werks Data Center Achieves HIPAA Compliance CertificationWeb Werks Data Centers
 
Rightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloudRightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloudRightScale
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rssupportc2go
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin, Inc.
 
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...Michigan Primary Care Association
 

Similaire à HIPAA Compliance for Developers (20)

Mbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk AssessmentMbm Hipaa Hitech Ss Compliance Risk Assessment
Mbm Hipaa Hitech Ss Compliance Risk Assessment
 
HxRefactored - TrueVault - Jason Wang
HxRefactored - TrueVault - Jason WangHxRefactored - TrueVault - Jason Wang
HxRefactored - TrueVault - Jason Wang
 
The importance of hipaa compliance and training
The importance of hipaa compliance and trainingThe importance of hipaa compliance and training
The importance of hipaa compliance and training
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUST
 
HIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesHIPAA Compliance For Small Practices
HIPAA Compliance For Small Practices
 
Comp8 unit6a lecture_slides
Comp8 unit6a lecture_slidesComp8 unit6a lecture_slides
Comp8 unit6a lecture_slides
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docx
 
Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017
 
HealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUSTHealthCare Compliance - HIPAA & HITRUST
HealthCare Compliance - HIPAA & HITRUST
 
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
HIPAA Compliant Salesforce Health Cloud – Why Healthcare Organizations Must C...
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rs
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associates
 
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations
 
What Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​sWhat Covered Entities Need to Know about OCR HIPAA Audit​s
What Covered Entities Need to Know about OCR HIPAA Audit​s
 
Web Werks Data Center Achieves HIPAA Compliance Certification
Web Werks Data Center Achieves HIPAA Compliance CertificationWeb Werks Data Center Achieves HIPAA Compliance Certification
Web Werks Data Center Achieves HIPAA Compliance Certification
 
Rightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloudRightscale webinar-hipaa-public-cloud
Rightscale webinar-hipaa-public-cloud
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rs
 
HIPAA
HIPAAHIPAA
HIPAA
 
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT SecurityRedspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
Redspin & Phyllis and Associates Webinar- HIPAA,HITECH,Meaninful Use,IT Security
 
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
 

Dernier

Artificial Intelligence in Healthcare: Challenges, Risks, Benefits
Artificial Intelligence in Healthcare: Challenges, Risks, BenefitsArtificial Intelligence in Healthcare: Challenges, Risks, Benefits
Artificial Intelligence in Healthcare: Challenges, Risks, BenefitsIris Thiele Isip-Tan
 
Basics of Giant Cell Tumor of bone (GCTB)
Basics of Giant Cell Tumor of bone (GCTB)Basics of Giant Cell Tumor of bone (GCTB)
Basics of Giant Cell Tumor of bone (GCTB)bishwabandhuniraula
 
Presentation on COUNSELING. 1ST YEAR GNM ,COMMUNITY HEALTH NURSING
Presentation on  COUNSELING. 1ST YEAR GNM ,COMMUNITY HEALTH NURSINGPresentation on  COUNSELING. 1ST YEAR GNM ,COMMUNITY HEALTH NURSING
Presentation on COUNSELING. 1ST YEAR GNM ,COMMUNITY HEALTH NURSINGKREDASONBANGALORE
 
TEST BANK For Neonatal and Pediatric Respiratory Care, 6th Edition by Brian K...
TEST BANK For Neonatal and Pediatric Respiratory Care, 6th Edition by Brian K...TEST BANK For Neonatal and Pediatric Respiratory Care, 6th Edition by Brian K...
TEST BANK For Neonatal and Pediatric Respiratory Care, 6th Edition by Brian K...mwangimwangi222
 
Diseases of the Respiratory System (J00-J99),.pptx
Diseases of the Respiratory System (J00-J99),.pptxDiseases of the Respiratory System (J00-J99),.pptx
Diseases of the Respiratory System (J00-J99),.pptxEMADABATHINI PRABHU TEJA
 
Experience the Power of Chiropractic in Maui
Experience the Power of Chiropractic in MauiExperience the Power of Chiropractic in Maui
Experience the Power of Chiropractic in MauiCentral Maui Chiropractic
 
Empathy Is a Stress Response - Choose Compassion instead
Empathy Is a Stress Response - Choose Compassion insteadEmpathy Is a Stress Response - Choose Compassion instead
Empathy Is a Stress Response - Choose Compassion insteadAlex Clapson
 
LARYNGEAL CANCER.pptx Prepared by Neha Kewat
LARYNGEAL CANCER.pptx  Prepared by Neha KewatLARYNGEAL CANCER.pptx  Prepared by Neha Kewat
LARYNGEAL CANCER.pptx Prepared by Neha KewatNehaKewat
 
CECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHY
CECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHYCECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHY
CECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHYRMC
 
Eating Disorders in Athletes I Sports Psychology
Eating Disorders in Athletes I Sports PsychologyEating Disorders in Athletes I Sports Psychology
Eating Disorders in Athletes I Sports Psychologyshantisphysio
 
Hematinics and Erythropoietin- Pharmacology of Hematinics
Hematinics and Erythropoietin- Pharmacology of HematinicsHematinics and Erythropoietin- Pharmacology of Hematinics
Hematinics and Erythropoietin- Pharmacology of Hematinicsnetraangadi2
 
Health literacies in marginalised communities LILAC 24.pptx
Health literacies in marginalised communities LILAC 24.pptxHealth literacies in marginalised communities LILAC 24.pptx
Health literacies in marginalised communities LILAC 24.pptxPamela McKinney
 
Calibration and Calibration Curve. lecture notes
Calibration and Calibration Curve. lecture notesCalibration and Calibration Curve. lecture notes
Calibration and Calibration Curve. lecture notesWani Insha
 
LEUKODYSTROPHY FINAL.pptx sms medical jaipur
LEUKODYSTROPHY FINAL.pptx sms medical jaipurLEUKODYSTROPHY FINAL.pptx sms medical jaipur
LEUKODYSTROPHY FINAL.pptx sms medical jaipurdineshdandia
 
Blood(The Applied Physiology) for Nurses.pptx
Blood(The Applied Physiology) for Nurses.pptxBlood(The Applied Physiology) for Nurses.pptx
Blood(The Applied Physiology) for Nurses.pptxNagamani Manjunath
 
Anatomy Shelf Notevbhhhhhhhhhhhhhhhs.pdf
Anatomy Shelf Notevbhhhhhhhhhhhhhhhs.pdfAnatomy Shelf Notevbhhhhhhhhhhhhhhhs.pdf
Anatomy Shelf Notevbhhhhhhhhhhhhhhhs.pdfhezamzaki1
 
FINAL PROJECT IN EMPOWERMENT TECHNOLOGIES 11
FINAL PROJECT IN EMPOWERMENT TECHNOLOGIES  11FINAL PROJECT IN EMPOWERMENT TECHNOLOGIES  11
FINAL PROJECT IN EMPOWERMENT TECHNOLOGIES 11crzljavier
 
ARTHRITIS.pptx Prepared by monika gopal Tutor
ARTHRITIS.pptx Prepared  by monika gopal TutorARTHRITIS.pptx Prepared  by monika gopal Tutor
ARTHRITIS.pptx Prepared by monika gopal TutorNehaKewat
 
21 NEMT Trends & Statistics to Know in 2024
21 NEMT Trends & Statistics to Know in 202421 NEMT Trends & Statistics to Know in 2024
21 NEMT Trends & Statistics to Know in 2024Traumasoft LLC
 

Dernier (20)

Artificial Intelligence in Healthcare: Challenges, Risks, Benefits
Artificial Intelligence in Healthcare: Challenges, Risks, BenefitsArtificial Intelligence in Healthcare: Challenges, Risks, Benefits
Artificial Intelligence in Healthcare: Challenges, Risks, Benefits
 
Basics of Giant Cell Tumor of bone (GCTB)
Basics of Giant Cell Tumor of bone (GCTB)Basics of Giant Cell Tumor of bone (GCTB)
Basics of Giant Cell Tumor of bone (GCTB)
 
Presentation on COUNSELING. 1ST YEAR GNM ,COMMUNITY HEALTH NURSING
Presentation on  COUNSELING. 1ST YEAR GNM ,COMMUNITY HEALTH NURSINGPresentation on  COUNSELING. 1ST YEAR GNM ,COMMUNITY HEALTH NURSING
Presentation on COUNSELING. 1ST YEAR GNM ,COMMUNITY HEALTH NURSING
 
TEST BANK For Neonatal and Pediatric Respiratory Care, 6th Edition by Brian K...
TEST BANK For Neonatal and Pediatric Respiratory Care, 6th Edition by Brian K...TEST BANK For Neonatal and Pediatric Respiratory Care, 6th Edition by Brian K...
TEST BANK For Neonatal and Pediatric Respiratory Care, 6th Edition by Brian K...
 
Diseases of the Respiratory System (J00-J99),.pptx
Diseases of the Respiratory System (J00-J99),.pptxDiseases of the Respiratory System (J00-J99),.pptx
Diseases of the Respiratory System (J00-J99),.pptx
 
Experience the Power of Chiropractic in Maui
Experience the Power of Chiropractic in MauiExperience the Power of Chiropractic in Maui
Experience the Power of Chiropractic in Maui
 
Empathy Is a Stress Response - Choose Compassion instead
Empathy Is a Stress Response - Choose Compassion insteadEmpathy Is a Stress Response - Choose Compassion instead
Empathy Is a Stress Response - Choose Compassion instead
 
LARYNGEAL CANCER.pptx Prepared by Neha Kewat
LARYNGEAL CANCER.pptx  Prepared by Neha KewatLARYNGEAL CANCER.pptx  Prepared by Neha Kewat
LARYNGEAL CANCER.pptx Prepared by Neha Kewat
 
CECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHY
CECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHYCECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHY
CECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHY
 
Eating Disorders in Athletes I Sports Psychology
Eating Disorders in Athletes I Sports PsychologyEating Disorders in Athletes I Sports Psychology
Eating Disorders in Athletes I Sports Psychology
 
Hematinics and Erythropoietin- Pharmacology of Hematinics
Hematinics and Erythropoietin- Pharmacology of HematinicsHematinics and Erythropoietin- Pharmacology of Hematinics
Hematinics and Erythropoietin- Pharmacology of Hematinics
 
Health literacies in marginalised communities LILAC 24.pptx
Health literacies in marginalised communities LILAC 24.pptxHealth literacies in marginalised communities LILAC 24.pptx
Health literacies in marginalised communities LILAC 24.pptx
 
Calibration and Calibration Curve. lecture notes
Calibration and Calibration Curve. lecture notesCalibration and Calibration Curve. lecture notes
Calibration and Calibration Curve. lecture notes
 
LEUKODYSTROPHY FINAL.pptx sms medical jaipur
LEUKODYSTROPHY FINAL.pptx sms medical jaipurLEUKODYSTROPHY FINAL.pptx sms medical jaipur
LEUKODYSTROPHY FINAL.pptx sms medical jaipur
 
Blood(The Applied Physiology) for Nurses.pptx
Blood(The Applied Physiology) for Nurses.pptxBlood(The Applied Physiology) for Nurses.pptx
Blood(The Applied Physiology) for Nurses.pptx
 
Anatomy Shelf Notevbhhhhhhhhhhhhhhhs.pdf
Anatomy Shelf Notevbhhhhhhhhhhhhhhhs.pdfAnatomy Shelf Notevbhhhhhhhhhhhhhhhs.pdf
Anatomy Shelf Notevbhhhhhhhhhhhhhhhs.pdf
 
The Power of Active listening - Tool in effective communication.pdf
The Power of Active listening - Tool in effective communication.pdfThe Power of Active listening - Tool in effective communication.pdf
The Power of Active listening - Tool in effective communication.pdf
 
FINAL PROJECT IN EMPOWERMENT TECHNOLOGIES 11
FINAL PROJECT IN EMPOWERMENT TECHNOLOGIES  11FINAL PROJECT IN EMPOWERMENT TECHNOLOGIES  11
FINAL PROJECT IN EMPOWERMENT TECHNOLOGIES 11
 
ARTHRITIS.pptx Prepared by monika gopal Tutor
ARTHRITIS.pptx Prepared  by monika gopal TutorARTHRITIS.pptx Prepared  by monika gopal Tutor
ARTHRITIS.pptx Prepared by monika gopal Tutor
 
21 NEMT Trends & Statistics to Know in 2024
21 NEMT Trends & Statistics to Know in 202421 NEMT Trends & Statistics to Know in 2024
21 NEMT Trends & Statistics to Know in 2024
 

HIPAA Compliance for Developers

  • 1. HIPAA Compliance for Developers Breaking down the regulatory issues around building digital health apps for fun and profit. HIPAA compliant database-as-a-service
  • 2. HIPAA Compliance is a 
 Brutal Time Suck! ! “[Building our own HIPAA compliant infrastructure] took upwards of 1,000 person-hours to figure out HIPAA-compliance issues. This will continue to be an ongoing cost for us, because HIPAA is an ongoing law and it changes sometimes. It takes substantial auditing time and money. TrueVault would save us all that.” 
 Posted on Hacker News by jph
 (Unsolicited comment. Not a customer.) HIPAA compliant database-as-a-service
  • 3. First off, What is HIPAA? Health Insurance Portability and Accountability Act • HIPAA sets the standard for protecting sensitive patient data. • Covered Entities and their Business Associates need to protect the privacy and security of protected health information (PHI). • Developed in 1996. HIPAA was initially created to help the public with insurance portability. In addition, they built a series of privacy tools to protect healthcare data. HIPAA compliant database-as-a-service
  • 4. What Does HIPAA Require? 1.Put safeguards in place to protect patient health information. 2.Reasonably limit use and sharing to the minimum necessary to accomplish your intended purpose. 3.Have agreements in place with service providers that perform covered functions. These agreements (BAAs) ensure that service providers (Business Associates) use, safeguard and disclose patient information properly. 4.Procedures to limit who can access patient health information, and training programs about how to protect patient health information. HIPAA compliant database-as-a-service
  • 5. The Four Rules of HIPAA Like the four horsemen, these are the major pieces that govern what you do and how you do it. 1.HIPAA Privacy Rule 2.HIPAA Security Rule 3.HIPAA Enforcement Rule 4.HIPAA Breach Notification Rule
 HIPAA compliant database-as-a-service Developers need to focus on the Technical and Physical safeguards outlined in the Security Rule.
  • 6. The Privacy Rule HIPAA compliant database-as-a-service Addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient’s own right to access.
  • 7. The Security Rule HIPAA compliant database-as-a-service Outlines national security standards intended to protect health data created, received, maintained, or transmitted electronically.
  • 8. The Security Rule HIPAA compliant database-as-a-service September 23, 2013 Before Sept 23. Rules applied to hospitals, doctors, clinics, etc. After Sept 23. The rules now apply to anyone that touches PHI.
 
 (e.g. an IT company or a mHealth application that provides secure photo- sharing for physicians). Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
  • 9. HIPAA compliant database-as-a-service “Do I need to be HIPAA compliant?”
  • 10. HIPAA compliant database-as-a-service “Do I need to be HIPAA compliant?” If you handle PHI then you need to be HIPAA compliant. The HIPAA rules apply to both Covered Entities and their Business Associates
  • 11. What is Protected Health Information (PHI)? • PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a healthcare service. • Includes: • Medical records • Billing information • Health insurance information • Any individually identifiable health information HIPAA compliant database-as-a-service
  • 12. Electronic Protected Health Information (EPHI) HIPAA compliant database-as-a-service All individually identifiable health information that is created, maintained, or transmitted electronically.
  • 13. Covered Entity (CE) HIPAA compliant database-as-a-service • Anyone who provides treatment, payment and operations in healthcare. • Includes: • Doctor’s office, dental offices, clinics, psychologists, • Nursing home, pharmacy, hospital or home healthcare agency • Health plans, insurance companies, HMOs • Government programs that pay for healthcare • Health clearing houses
  • 14. Business Associate (BA) HIPAA compliant database-as-a-service • Anyone who has access to patient information, whether directly, indirectly, physically or virtually. • Any organization that provides support in the treatment, payment or operations • Includes: • IT providers, health applications • Telephone service provider, document management and destruction • Accountant, lawyer or other service provider Business associates have the responsibility to achieve and maintain HIPAA compliance in terms of all of the internal, administrative, and technical safeguards.
  • 15. Exceptions HIPAA compliant database-as-a-service • Entities providing data transmission services, including services that involve temporary storage of PHI that is incident to the transmission (e.g. courier services and their electronic equivalents, such as ISPs or telecoms). While entities that are “mere conduits” for PHI are not Business Associates, the rules emphasize that this exception is narrow.
  • 16. HIPAA compliant database-as-a-service “Who certifies HIPAA compliance?”
  • 17. HIPAA compliant database-as-a-service “Who certifies HIPAA compliance?” The short answer is no one.
  • 18. Who certifies HIPAA compliance? • Unlike PCI, there is no one that can “certify” that an organization is HIPAA compliant. • The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body. HHS does not endorse or recognize the “certifications” made by private organizations. • The evaluation standard in the Security Rule § 164.308(a)(8) requires you to perform a periodic technical and non-technical evaluation to make sure your security policies and procedures meet security requirements. • But, HHS doesn’t care if the evaluation is performed internally or by an external organization. HIPAA compliant database-as-a-service
  • 19. Penalties & Fines • Violations are expensive, to put it mildly. HIPAA compliant database-as-a-service
  • 20. HIPAA compliant database-as-a-service “How do I become HIPAA compliant?”
  • 21. HIPAA compliant database-as-a-service “How do I become HIPAA compliant?” The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).
  • 22. 3 Parts to the Security Rule 1.Administrative Safeguards 2.Technical Safeguards 3.Physical Safeguards HIPAA compliant database-as-a-service
  • 23. “required” vs. “addressable” • Some implementation specifications are “required” and others are “addressable.” Required implementation specifications must be implemented. • Addressable implementation specifications must be implemented if it is reasonable and appropriate to do so; your choice must be documented. • It is important to remember that an addressable implementation specification is not optional. HIPAA compliant database-as-a-service When in doubt, you should just implement the addressable implementation specifications. Most of them are best practices anyway.
  • 24. Administrative Safeguards The administrative components are really important when implementing a HIPAA compliance program; you are required to: 1.Assign a privacy officer 2.Complete a risk assessment annually 3.Implement employee training 4.Review policies and procedures 5.Execute Business Associate Agreements (BAAs) with all partners who handle protected health information (PHI) HIPAA compliant database-as-a-service
  • 25. Administrative Safeguards Companies who can help with the administrative components of a compliance program: • Accountable -- http://accountablehq.com • Compliance Helper -- http://www.compliancehelper.com • Compliancy Group -- http://compliancy-group.com HIPAA compliant database-as-a-service
  • 26. Technical Safeguards 1.Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity. 2.Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency. 3.Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. 4.Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI. HIPAA compliant database-as-a-service
  • 27. Technical Safeguards 5.Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. 6.Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. 7.Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. 8.Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. 9.Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate. HIPAA compliant database-as-a-service
  • 28. Physical Safeguards 1.Facility Access Controls - Contingency Operations (addressable): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. 2.Facility Access Controls - Facility Security Plan (addressable): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. 3.Facility Access Controls - Access Control and Validation Procedures (addressable): Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. 4.Facility Access Controls - Maintenance Records (addressable): Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks). 5.Workstation Use (required): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. HIPAA compliant database-as-a-service HIPAA Compliant Hosting Providers can take care of some of the Physical Safeguards for you.
  • 29. Physical Safeguards 6.Workstation Security (required): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users. 7.Device and Media Controls - Disposal (required): Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored. 8.Device and Media Controls - Media Re-Use (required): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use. 9.Device and Media Controls - Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible therefore. 10.Device and Media Controls - Data Backup and Storage (addressable): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment. HIPAA compliant database-as-a-service
  • 30. TrueVault Handles All Technical Requirements HIPAA compliant database-as-a-service Administrative Safeguards Technical Safeguards Encryption and Decryption, Key Management, Key Rotation, Access Control, Unique User Identification, Emergency Access, Automatic Logoff, Audit Controls, Mechanism to Authenticate Electronic PHI, Person or Entity Authentication, Transmission Security, Integrity Controls Physical Safeguards Facility Access Ctrl, Workstation Use and Security, Devices and Media Controls HIPAA Compliant Hosting TrueVault • TrueVault handles both Technical and Physical Safeguards. ! • Develop a healthcare application without building a HIPAA compliant infrastructure. ! • FireHost and AWS have high minimum charges ($1,115 and $1,500) and offer no help with the Technical Safeguards.
  • 31. How Does TrueVault Fit In? HIPAA compliant database-as-a-service ! • Developers access TrueVault via a RESTful API and native clients. ! • Typical integration takes days. TrueVault works just like any other API services. ! • TrueVault provides all client- side and server-side functionalities required by HIPAA. Customer)Backend)Web) Services)) Standard)Database) TrueVault) (HIPAA)Compliant)) non@PHI)Data) PHI)Data) (REST)API))
  • 32. TrueVault Features HIPAA compliant database-as-a-service JSON Store The TrueVault JSON Store is a lightweight, document-oriented storage system, and enables persistent HIPAA compliant storage of JSON documents. BLOB Store The TrueVault BLOB (binary large object) Store offers HIPAA compliant binary storage for any file format. This includes DICOM files (e.g. X-Rays, CT Scans, MRIs), PDFs, scanned medical records, images, and videos. Encrypted Search Search encrypted data stored in TrueVault. Query (GET) documents by any field, not just the documentId.
  • 33. TrueVault Features HIPAA compliant database-as-a-service Browser-to-TrueVault Upload Browser-to-TrueVault direct file upload and download web form. You can upload binary files directly to TrueVault’s BLOB Store using HTML forms. User Management and Authentication User Management console. You can create and manage users, groups, and permissions via TrueVault so that PHI never touches your stack. TrueVault provides identity and access management, plus 2-factor authentication out of the box. Use our identity API for custom access flows or add Sign-In, Sign-Up, and My Account pages in seconds with our JavaScript user controls. Encryption and Decryption TrueVault encrypts all at-rest data with AES-256 and stores keys securely. Our infrastructure for healthcare data storage and transmission runs in a separate hosting environment inaccessible by our primary services.
  • 34. TrueVault Features HIPAA compliant database-as-a-service Audit Control Every user action and API call is automatically recorded for compliance. An audit log can be searched and retrieved via our API. Automatic Logoff Configure the automatic user session timeout window via our API or the Management Console. Emergency Access Easily add an Emergency Access Request page to your app with a CNAME record. We’ll handle the authentication flow for you, and track activities for compliance. Single-user credentials can also be created via the API for custom emergency workflows.
  • 35. TrueVault Features HIPAA compliant database-as-a-service Proactive Monitoring TrueVault’s proprietary anomaly-based detection algorithm will alert you, or your customer, when abnormal user activity is detected. At-Rest Data Integrity A checksum is computed for every at-rest record, and the integrity of the data is continuously checked. Integrity Control and Encryption TrueVault regularly audits the details of our implementation: the certificates we serve, our certificate authorities, and our ciphers. We ensure that browsers and API clients interact with TrueVault over HTTPS only.
  • 36. HIPAA compliant database-as-a-service "Becoming HIPAA compliant as an early stage organization was a daunting task, until we found TrueVault! Their turn-key API has allowed us to check this box and get back to focusing on our core product and offering." Edith Elliott
 CEO Noora Health
  • 37. Try TrueVault for Free HIPAA compliant database-as-a-service $0.001 / API call / monthFree for Development • No credit card required. • No time limit on the free trial period. • Unlimited API calls and storage. • But, no BAA and no insurance. API Calls Monthly Cost 
0 -100,000 $100 101,000 $101 250,000 $250 1,000,000 $1,000 • Unlimited JSON documents • Unlimited BLOB objects • Business Associated Agreement • Privacy/Data Breach Insurance • Service Level Agreement Get Started