HIPAA by Mind Map: HIPAA

1. https://www.truevault.com/blog/how-do-i-become-hipaa-compliant.html

2. Rules

2.1. Security

2.1.1. Technical

2.1.1.1. Access Control

2.1.1.1.1. Unique User Identities

2.1.1.1.2. Emergency Access Procedure

2.1.1.1.3. Encryption/Decryption

2.1.1.1.4. Audit Controls

2.1.1.1.5. Authentication (that PHI is not altered or destroyed)

2.1.1.1.6. Transmission

2.1.1.2. Audit Control

2.1.1.3. Integrity

2.1.1.4. Authentication

2.1.1.5. Transmission

2.1.2. Physical

2.1.2.1. Contingency Operations (emergency recovery)

2.1.2.2. equipment security

2.1.2.3. individual's access

2.1.2.4. Maintenance records

2.1.2.5. Workstation Use?

2.1.2.6. Workstation Security

2.1.2.7. Data and equipment disposal

2.1.2.8. Equipment reuse

2.1.2.9. Equipment accountability

2.1.2.10. Backup and storage

2.1.3. Administrative

2.1.3.1. Perform Risk Analysis

2.1.3.2. Implement risk management

2.1.3.3. Establish sanctions for non-compliance

2.1.3.4. Regularly review logs and audit trails

2.1.3.5. Designate HIPAA security officers

2.1.3.6. Employee oversight procedures

2.1.3.6.1. ability to grant/revoke PHI access

2.1.3.6.2. ensure unauthorized subcontractors don't have PHI access

2.1.3.7. document access grants

2.1.3.8. periodic security reminders

2.1.3.9. Guard/Detection/Reporting malware procedures

2.1.3.10. login monitoring and discrepancy reporting

2.1.3.11. password management procedures

2.1.3.12. document any security incidents

2.1.3.13. contingency plan for restoring backups

2.1.3.13.1. periodic testing and analysis of contingency plans

2.1.3.14. emergency mode procedure

2.1.3.15. agreements to ensure compliance from business partners

2.2. Privacy

2.2.1. provide breach notification

2.2.2. provide users access to their own PHI

2.2.2.1. (training program)

2.2.3. procedure for disclosing to the Secretary of HHS

2.2.4. provide accounting of disclosures

2.3. Enforcement

2.4. Breach Notification

2.4.1. notify patients of breach

2.4.2. notify HHS if breach of unsecured PHI

2.4.3. notify media and public if > 500 patients affected

3. AWS

3.1. full admin control of servers

3.2. sysadmins use RSA keypairs and uids to access

3.3. firewall solutions on EC2

3.4. amazon employees have no access to ec2 instances

3.5. supports ssh key authentication for access control

3.6. audit

3.6.1. access audit trail up to us

3.6.2. has access to activity? logs

3.6.3. ec2 tracks ip traffic

3.6.4. up to us to back this up

3.7. availability and backups

3.7.1. up to us to set up snapshots

3.7.2. s3 provides some backup utilities

3.7.3. one of the more expensive bits

3.7.4. s3 does automatic backups (of what?)

3.8. http://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf

4. Jonathan

4.1. can script auto backups

4.2. manual recovery

4.3. $700/mo is our HIPAA fee

5. Nich

5.1. auditing is just revision# in db

5.2. disable SSL fallback

6. Tyler

6.1. SQL data capture

6.1.1. not actually capturing properly

6.1.2. creates audits of select queries

6.1.3. each application user gets a sql server user

6.1.3.1. Active Directory

7. Stephen M

7.1. EF with log table

8. Mike N

8.1. data audit trail

8.1.1. doesn't have to be easy

8.1.2. who changed what when

9. Addressable vs Required

9.1. http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html

10. PHI

10.1. Individually Identifiable Health Info

10.1.1. Health Information

10.1.1.1. created or received by

10.1.1.1.1. health care provider

10.1.1.1.2. public health authority

10.1.1.1.3. employer

10.1.1.1.4. life insurer

10.1.1.1.5. school or university

10.1.1.2. relates to past/present/future physical or mental health of

10.1.1.2.1. identifiable individual

10.1.1.2.2. care provided to individual

10.1.1.2.3. payment for care

10.1.2. transmitted or maintained