HIPAA by Mind Map: HIPAA

1. https://www.truevault.com/blog/how-do-i-become-hipaa-compliant.html

2. Rules

2.1. Security

2.1.1. Technical: Access Control (unique user identities, emergency access procedure, encryption/decryption); Audit Controls; Integrity (authentication that PHI is not altered or destroyed); Transmission security

2.1.2. Physical: contingency operations (emergency recovery); equipment security; individuals' access; maintenance records; workstation use?; workstation security; data and equipment disposal; equipment reuse; equipment accountability; backup and storage

2.1.3. Administrative: perform risk analysis; implement risk management; establish sanctions for non-compliance; regularly review logs and audit trails; designate HIPAA security officers; employee oversight procedures; ability to grant/revoke PHI access; ensure unauthorized subcontractors don't have PHI access; document access grants; periodic security reminders; guard/detection/reporting malware procedures; login monitoring and discrepancy reporting; password management procedures; document any security incidents; contingency plan for restoring backups; periodic testing and analysis of contingency plans; emergency mode procedure; agreements to ensure compliance from business partners

2.2. Privacy

2.2.1. provide breach notification

2.2.2. provide users access to their own PHI (training program)

2.2.3. procedure for disclosing to secretary of HHS

2.2.4. provide accounting of disclosures

2.3. Enforcement

2.4. Breach Notification

2.4.1. notify patients of breach

2.4.2. notify HHS if breach of unsecured PHI

2.4.3. notify media and public if > 500 patients affected

3. Addressable vs Required

3.1. http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html

4. PHI

4.1. Individually Identifiable Health Info

4.1.1. Health information created or received by a health care provider, public health authority, employer, life insurer, or school or university, that relates to the past/present/future physical or mental health of an identifiable individual, care provided to the individual, or payment for care

4.1.2. transmitted or maintained

5. AWS

5.1. full admin control of servers

5.2. sysadmins use RSA keypairs and uids to access

5.3. firewall solutions on EC2

5.4. amazon employees have no access to ec2 instances

5.5. supports ssh key authentication for access control

5.6. audit

5.6.1. access audit trail up to us

5.6.2. has access to activity? logs

5.6.3. ec2 tracks ip traffic

5.6.4. up to us to back this up

5.7. availability and backups

5.7.1. up to us to set up snapshots

5.7.2. s3 provides some backup utilities

5.7.3. one of the more expensive bits

5.7.4. s3 does automatic backups (of what?)

5.8. http://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf

6. Jonathan

6.1. can script auto backups

6.2. manual recovery

6.3. $700/mo is our HIPAA fee

7. Nich

7.1. auditing is just revision# in db

7.2. disable SSL fallback

8. Tyler

8.1. SQL data capture

8.1.1. not actually capturing properly

8.1.2. creates audits of SELECT queries

8.1.3. each application user gets a SQL Server user (Active Directory)

9. Stephen M

9.1. EF with log table

10. Mike N

10.1. data audit trail

10.1.1. doesn't have to be easy

10.1.2. who changed what when
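The audit-trail notes in sections 7 through 10 (a revision number in the database, SQL data capture, a log table alongside the ORM, and "who changed what when") are illustrated by the following added example. It is not part of the mind map and is not code from any of the people named; it uses Python's standard-library sqlite3 in place of SQL Server and Entity Framework, and the table, column and user names are constructed for the demonstration.

```python
"""Application-layer audit trail for a PHI table (constructed example, sqlite3 only).

Each change is written in the same transaction as its audit rows, so the log
cannot drift from the data, and the row's revision number orders changes even
when server clocks disagree. The audit table is made append-only by triggers.
"""
import sqlite3
from datetime import datetime, timezone

# Constructed schema: table, column and user names are assumptions of this example.
SCHEMA = """
CREATE TABLE patient (
    id        INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    diagnosis TEXT,
    revision  INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE audit_log (
    id          INTEGER PRIMARY KEY,
    table_name  TEXT    NOT NULL,
    row_id      INTEGER NOT NULL,
    revision    INTEGER NOT NULL,
    column_name TEXT    NOT NULL,
    old_value   TEXT,
    new_value   TEXT,
    changed_by  TEXT    NOT NULL,
    changed_at  TEXT    NOT NULL
);
-- Append-only: refuse edits and deletes of the audit trail at the database layer.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

AUDITED_COLUMNS = ("name", "diagnosis")  # the only columns update_patient may touch


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_patient(conn, user, row_id, **changes):
    """Apply column changes to one patient row and record who changed what when.

    Returns the row's new revision. Unknown columns raise ValueError, so a caller
    cannot slip an unaudited column through the keyword arguments.
    """
    bad = set(changes) - set(AUDITED_COLUMNS)
    if bad:
        raise ValueError(f"unaudited columns: {sorted(bad)}")
    with conn:  # one transaction: the data update and its audit rows commit together
        row = conn.execute(
            "SELECT name, diagnosis, revision FROM patient WHERE id = ?", (row_id,)
        ).fetchone()
        if row is None:
            raise LookupError(f"patient {row_id} not found")
        old = dict(zip(AUDITED_COLUMNS, row[:2]))
        current_rev = row[2]
        changed = {c: v for c, v in changes.items() if old[c] != v}
        if not changed:
            return current_rev  # nothing to record; revision stays put
        new_rev = current_rev + 1
        now = datetime.now(timezone.utc).isoformat(timespec="seconds")
        # Column names were validated against AUDITED_COLUMNS above; values are bound.
        sets = ", ".join(f"{c} = ?" for c in changed)
        cur = conn.execute(
            f"UPDATE patient SET {sets}, revision = ? WHERE id = ? AND revision = ?",
            (*changed.values(), new_rev, row_id, current_rev),
        )
        if cur.rowcount != 1:  # revision check doubles as optimistic locking
            raise RuntimeError(f"patient {row_id} was modified concurrently")
        conn.executemany(
            "INSERT INTO audit_log (table_name, row_id, revision, column_name,"
            " old_value, new_value, changed_by, changed_at)"
            " VALUES ('patient', ?, ?, ?, ?, ?, ?, ?)",
            [(row_id, new_rev, c, old[c], v, user, now) for c, v in changed.items()],
        )
    return new_rev


def history(conn, row_id):
    """Return a row's change history as (revision, column, old, new, user) tuples."""
    return conn.execute(
        "SELECT revision, column_name, old_value, new_value, changed_by"
        " FROM audit_log WHERE table_name = 'patient' AND row_id = ?"
        " ORDER BY revision, column_name",
        (row_id,),
    ).fetchall()


def audit_log_is_append_only(conn):
    """Probe the trigger guard: True when a DELETE on the populated log is refused."""
    try:
        conn.execute("DELETE FROM audit_log")
    except sqlite3.DatabaseError:
        conn.rollback()
        return True
    conn.rollback()
    return False


def demo():
    """Seed one constructed patient, apply two audited edits, return (history, guard)."""
    conn = open_db()
    conn.execute("INSERT INTO patient (id, name, diagnosis) VALUES (1, 'A. Example', NULL)")
    conn.commit()
    update_patient(conn, "dr.smith", 1, diagnosis="J06.9")          # revision 2
    update_patient(conn, "nurse.lee", 1, name="A. Example-Jones",   # revision 3
                   diagnosis="J06.9")                               # unchanged, not logged
    return history(conn, 1), audit_log_is_append_only(conn)


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

The revision column serves two of the notes at once: it is the "revision# in db" that orders the audit trail, and the `WHERE ... AND revision = ?` clause rejects a lost update when two users edit the same row. Reads of PHI (the SELECT audits in 8.1.2) would be logged separately at the data-access layer, since a trigger cannot see them.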