What's HIPAA & How Do We Implement It

Gaurav Porwal

ADOE, Geekyants

@gauravprwl14

👋🏼 Hi, I'm Gaurav

  • Associate Director of Engineering at GeekyAnts
  • Tech Enthusiast
  • Love building products using cutting-edge technology

What is HIPAA?

Health Insurance Portability

&

Accountability Act

HIPAA Stand's for

HIPAA Basics Definition

  • HIPAA is a federal law that establishes data privacy and security requirements for organizations

 

  • Protects confidentiality and security of health data by enforcing standards

 

  • Improves efficiency in health care delivery by standardizing electronic data interchange

In Simple Terms

HIPAA Standards Includes

  • Encrypt Everything
  • Respecting user privacy
  • Log all the PHI data
  • Have change control processes
  • Store audit data
  • Authorization data access
  • Implementing password policies
  • Enforcing Encrypted data backups
  • Have a Disaster Recovery plan in place

In Simple Terms

HIPAA Goal

HIPAA has 2 Primary Purpose

  1. Secure personal health information

  2. Establish standards for the electronic transmission of health information

HIPAA Effect

HIPAA Effect

  • Changed the way hospitals are allowed to release information
  • Enhanced the electronic and physical security of personal and health information
  • Helped in reducing healthcare fraud and abuse
  • Simplifies billing and other transactions

In short

Protected Health Information (PHI)

Protected Health Information (PHI)

  • PHI is any information in a medical record of an individual
  • This information can be created, used, or disclosed in the course of providing a healthcare service
  • If Information is stored digitally then it is called as ePHI
  • Few PHI Example
    • An MRI scan
    • Blood test results
    • Billing information from your doctor
    • Appointment scheduling note
    • Number of calories burned
    • Number of steps in a pedometer

 

HIPAA Pillars

HIPAA Pillars

HIPAA

Privacy Rule

HIPAA Pillars

HIPAA

Privacy Rule

Security Rule

HIPAA Pillars

HIPAA

Privacy Rule

Security Rule

Enforcement Rule

HIPAA Pillars

HIPAA

Privacy Rule

Security Rule

Breach Notification Rule

Enforcement Rule

Different Types Of Medical Portals

Different Types Of Medical Portals

  • Simple hospital or doctor websites
  • Patient Portal or online pharmacy
  • Treatment or therapy application
  • mobile health apps
  • so on ...

HIPAA Development Tier I

  • non-HIPAA portal / static website
  • Eg: Hospital website

HIPAA Development Tier I

  • non-HIPAA portal / static website
  • Eg: Hospital website
  • Data includes submitting HIPAA complaints onboarding form

HIPAA Development Tier I

  • non-HIPAA portal / static website
  • Eg: Hospital website
  • Data includes submitting HIPAA complaints onboarding form
  • Adding SSL Certificates to the website
  • Encrypted "data in transit"

HIPAA Development Tier I

  • non-HIPAA portal / static website
  • Eg: Hospital website
  • Data includes submitting HIPAA complaints onboarding form
  • Adding SSL Certificates to the website
  • Encrypted "data in transit"
  • HIPAA Compliant mailbox
  • Not storing the pH data on the site/server 

HIPAA Development Tier II

  • Web apps that store pHI data
  • Eg: online pharmacies or treatment portals
  • Adding SSL Certificates to the website

HIPAA Development Tier II

  • Web apps that store pHI data
  • Eg: online pharmacies or treatment portals
  • Adding SSL Certificates to the website
  • HIPAA-compliant hosting environment. Eg: Aws
  • Encrypted databases
  • Encrypted file store

HIPAA Development Tier III

  • Web app that store and edit PHI data
  • Eg: online telemedicine web or mobile apps

HIPAA Development Tier III

  • Web app that store and edit PHI data
  • Eg: online telemedicine web or mobile apps
  • Adding SSL Certificates to the website
  • HIPAA-compliant hosting Environment
  • Encrypted databases
  • Encrypted file store

HIPAA Development Tier III

  • Web app that store and edit PHI data
  • Eg: online telemedicine web or mobile apps
  • Adding SSL Certificates to the website
  • HIPAA-compliant hosting Environment
  • Encrypted databases
  • Encrypted file store
  • Encrypted user-level logging
  • Authorization checks
  • Disaster Recovery setup

Application Architecture checklist

Application Architecture checklist

  • Access Control Safeguards
    • Assigning unique UUID
    • encrypting database fields
    • Role-based data access

Application Architecture checklist

users:{
user_id:{
    profile:{
        address: "blank street",
        name: "John Smith"
    },
    records:{
        record_id:{ 
            date:"some date"
            doctor: "Jane Dohne"
            other:"fields"
        }
    }
}

Security Rule

{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid"
      }
    }
  }
}

Application Architecture checklist

 

  • Security check
    • Using Two-Factor Authentication (2FA)
    • Using the Lock Screen
    • Enabling Remote Wiping of Lost Phones

Application Architecture checklist

 

  • Hosting Environment
    • Fully managed Firewall or transit gateway
    • Using VPN to enable private subnets deployment
    • Encrypted Databases
    • Encrypted file Storage.
    • Building and maintaining a secure deployment pipeline
    • Using Secure Key Vault Services

Application Architecture checklist

  • Disaster Recovery
    • Monitoring and alert logging
    • Provide forensic-level logging
    • Encrypted Data Backup
    • Monitoring file changes using an Intrusion Prevention Service
    • Push notification

AWS HIPAA Eligible Services

Reference Links

Thank you

HIPAA Compliance Original

By gaurav porwal

HIPAA Compliance Original

  • 98