HIPAA


1. https://www.truevault.com/blog/how-do-i-become-hipaa-compliant.html

2. Rules

2.1. Security

2.1.1. Technical

2.1.1.1. Access Control

2.1.1.1.1. Unique User Identities

2.1.1.1.2. Emergency Access Procedure

2.1.1.1.3. Encryption/Decryption

2.1.1.1.4. Audit Controls

2.1.1.1.5. Authentication (that PHI is not altered or destroyed)

2.1.1.1.6. Transmission

2.1.1.2. Audit Control

2.1.1.3. Integrity

2.1.1.4. Authentication

2.1.1.5. Transmission

2.1.2. Physical

2.1.2.1. Contingency Operations (emergency recovery)

2.1.2.2. equipment security

2.1.2.3. individual's access

2.1.2.4. Maintenance records

2.1.2.5. Workstation Use?

2.1.2.6. Workstation Security

2.1.2.7. Data and equipment disposal

2.1.2.8. Equipment reuse

2.1.2.9. Equipment accountability

2.1.2.10. Backup and storage

2.1.3. Administrative

2.1.3.1. Perform risk analysis

2.1.3.2. Implement risk management

2.1.3.3. Establish sanctions for non-compliance

2.1.3.4. Regularly review logs and audit trails

2.1.3.5. Designate HIPAA security officers

2.1.3.6. Employee oversight procedures

2.1.3.6.1. ability to grant/revoke PHI access

2.1.3.6.2. ensure unauthorized subcontractors don't have PHI access

2.1.3.7. document access grants

2.1.3.8. periodic security reminders

2.1.3.9. Guard/Detection/Reporting malware procedures

2.1.3.10. login monitoring and discrepancy reporting

2.1.3.11. password management procedures

2.1.3.12. document any security incidents

2.1.3.13. contingency plan for restoring backups

2.1.3.13.1. periodic testing and analysis of contingency plans

2.1.3.14. emergency mode procedure

2.1.3.15. agreements to ensure compliance from business partners

2.2. Privacy

2.2.1. provide breach notification

2.2.2. provide users access to their own PHI

2.2.2.1. (training program)

2.2.3. procedure for disclosing to secretary of HHS

2.2.4. provide accounting of disclosures

2.3. Enforcement

2.4. Breach Notification

2.4.1. notify patients of breach

2.4.2. notify HHS if breach of unsecured PHI

2.4.3. notify media and public if > 500 patients affected

3. Addressable vs Required

3.1. http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html

4. PHI

4.1. Individually Identifiable Health Info

4.1.1. Health Information

4.1.1.1. created or received by

4.1.1.1.1. health care provider

4.1.1.1.2. public health authority

4.1.1.1.3. employer

4.1.1.1.4. life insurer

4.1.1.1.5. school or university

4.1.1.2. relates to past/present/future physical or mental health of

4.1.1.2.1. identifiable individual

4.1.1.2.2. care provided to individual

4.1.1.2.3. payment for care

4.1.2. transmitted or maintained

5. AWS

5.1. full admin control of servers

5.2. sysadmins use RSA keypairs and uids to access

5.3. firewall solutions on EC2

5.4. amazon employees have no access to ec2 instances

5.5. supports ssh key authentication for access control

5.6. audit

5.6.1. access audit trail up to us

5.6.2. has access to activity? logs

5.6.3. ec2 tracks ip traffic

5.6.4. up to us to back this up

5.7. availability and backups

5.7.1. up to us to set up snapshots

5.7.2. s3 provides some backup utilities

5.7.3. one of the more expensive bits

5.7.4. s3 does automatic backups (of what?)

5.8. http://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf

6. Jonathan

6.1. can script auto backups

6.2. manual recovery

6.3. $700/mo is our HIPAA fee

7. Nich

7.1. auditing is just revision# in db

7.2. disable SSL fallback

8. Tyler

8.1. SQL data capture

8.1.1. not actually capturing properly

8.1.2. creates audits of select queries

8.1.3. each application user gets a sql server user

8.1.3.1. Active Directory

9. Stephen M

9.1. EF with log table

10. Mike N

10.1. data audit trail

10.1.1. doesn't have to be easy

10.1.2. who changed what when