
1. https://www.truevault.com/blog/how-do-i-become-hipaa-compliant.html
2. Rules
2.1. Security
2.1.1. Technical
2.1.1.1. Access Control
2.1.1.1.1. Unique User Identities
2.1.1.1.2. Emergency Access Procedure
2.1.1.1.3. Encryption/Decryption
2.1.1.1.4. Audit Controls
2.1.1.1.5. Authentication (that PHI is not altered or destroyed)
2.1.1.1.6. Transmission
2.1.1.2. Audit Control
2.1.1.3. Integrity
2.1.1.4. Authentication
2.1.1.5. Transmission
2.1.2. Physical
2.1.2.1. Contingency Operations (emergency recovery)
2.1.2.2. equipment security
2.1.2.3. individual's access
2.1.2.4. Maintenance records
2.1.2.5. Workstation Use?
2.1.2.6. Workstation Security
2.1.2.7. Data and equipment disposal
2.1.2.8. Equipment reuse
2.1.2.9. Equipment accountability
2.1.2.10. Backup and storage
2.1.3. Administrative
2.1.3.1. Perform Risk Analysis
2.1.3.2. Implement risk management
2.1.3.3. Establish sanctions for non-compliance
2.1.3.4. Regularly review logs and audit trails
2.1.3.5. Designate HIPAA security officers
2.1.3.6. Employee oversight procedures
2.1.3.6.1. ability to grant/revoke PHI access
2.1.3.6.2. ensure unauthorized subcontractors don't have PHI access
2.1.3.7. document access grants
2.1.3.8. periodic security reminders
2.1.3.9. Guard/Detection/Reporting malware procedures
2.1.3.10. login monitoring and discrepancy reporting
2.1.3.11. password management procedures
2.1.3.12. document any security incidents
2.1.3.13. contingency plan for restoring backups
2.1.3.13.1. periodic testing and analysis of contingency plans
2.1.3.14. emergency mode procedure
2.1.3.15. agreements to ensure compliance from business partners
2.2. Privacy
2.2.1. provide breach notification
2.2.2. provide users access to their own PHI
2.2.2.1. (training program)
2.2.3. procedure for disclosing to secretary of HHS
2.2.4. provide accounting of disclosures
2.3. Enforcement
2.4. Breach Notification
2.4.1. notify patients of breach
2.4.2. notify HHS if breach of unsecured PHI
2.4.3. notify media and public if > 500 patients affected
3. AWS
3.1. full admin control of servers
3.2. sysadmins use RSA keypairs and uids to access
3.3. firewall solutions on ec2
3.4. amazon employees have no access to ec2 instances
3.5. supports ssh key authentication for access control
3.6. audit
3.6.1. access audit trail up to us
3.6.2. has access to activity? logs
3.6.3. ec2 tracks ip traffic
3.6.4. up to us to back this up
3.7. availability and backups
3.7.1. up to us to set up snapshots
3.7.2. s3 provides some backup utilities
3.7.3. one of the more expensive bits
3.7.4. s3 does automatic backups (of what?)
3.8. http://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf
4. Jonathan
4.1. can script auto backups
4.2. manual recovery
4.3. $700/mo is our HIPAA fee
5. Nich
5.1. auditing is just revision# in db
5.2. disable SSL fallback
6. Tyler
6.1. Sql data capture
6.1.1. not actually capturing properly
6.1.2. creates audits of select queries
6.1.3. each application user gets a sql server user
6.1.3.1. Active Directory
7. Stephen M
7.1. EF with log table
8. Mike N
8.1. data audit trail
8.1.1. doesn't have to be easy
8.1.2. who changed what when
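Added example (not from these notes and not anyone's code from the meeting): a sqlite3 sketch of the audit trail raised under 5.1 (a revision number in the db) and 8.1 (who changed what when). The table and column names, the session_context mechanism for passing the acting user to the triggers, and the sample users are assumptions made for this example.

```python
# Constructed example: database-level audit trail for a PHI table.
# Every insert/update of patient_record writes one row to
# patient_record_audit answering "who changed what, when", and each
# record carries a revision number that the audit rows reference.
# Table/column names and the session_context idea are assumptions.
import sqlite3

SCHEMA = """
CREATE TABLE patient_record (
    id        INTEGER PRIMARY KEY,
    diagnosis TEXT NOT NULL,
    revision  INTEGER NOT NULL DEFAULT 1
);

-- The application records the acting user here before touching PHI;
-- the triggers read it so every audit row names a person.
CREATE TABLE session_context (
    key   TEXT PRIMARY KEY,
    value TEXT NOT NULL
);

CREATE TABLE patient_record_audit (
    audit_id      INTEGER PRIMARY KEY,
    record_id     INTEGER NOT NULL,
    revision      INTEGER NOT NULL,
    action        TEXT NOT NULL,   -- INSERT / UPDATE
    changed_by    TEXT NOT NULL,
    changed_at    TEXT NOT NULL,   -- UTC, ISO 8601
    old_diagnosis TEXT,
    new_diagnosis TEXT
);

-- Refuse writes when no acting user is set: an audit row with an
-- unknown actor is worse than a failed transaction.
CREATE TRIGGER require_actor_ins BEFORE INSERT ON patient_record
BEGIN
    SELECT RAISE(ABORT, 'no acting user set')
    WHERE (SELECT value FROM session_context WHERE key = 'user') IS NULL;
END;
CREATE TRIGGER require_actor_upd BEFORE UPDATE ON patient_record
BEGIN
    SELECT RAISE(ABORT, 'no acting user set')
    WHERE (SELECT value FROM session_context WHERE key = 'user') IS NULL;
END;

CREATE TRIGGER audit_ins AFTER INSERT ON patient_record
BEGIN
    INSERT INTO patient_record_audit
        (record_id, revision, action, changed_by, changed_at, old_diagnosis, new_diagnosis)
    VALUES (NEW.id, NEW.revision, 'INSERT',
            (SELECT value FROM session_context WHERE key = 'user'),
            strftime('%Y-%m-%dT%H:%M:%fZ', 'now'), NULL, NEW.diagnosis);
END;
CREATE TRIGGER audit_upd AFTER UPDATE ON patient_record
BEGIN
    INSERT INTO patient_record_audit
        (record_id, revision, action, changed_by, changed_at, old_diagnosis, new_diagnosis)
    VALUES (NEW.id, NEW.revision, 'UPDATE',
            (SELECT value FROM session_context WHERE key = 'user'),
            strftime('%Y-%m-%dT%H:%M:%fZ', 'now'), OLD.diagnosis, NEW.diagnosis);
END;
"""


class ActorNotSet(Exception):
    """A write was attempted before set_actor() named the acting user."""


class StaleRevision(Exception):
    """The caller's revision no longer matches the stored row."""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_actor(conn, user):
    conn.execute("INSERT OR REPLACE INTO session_context(key, value) VALUES ('user', ?)", (user,))


def _translate(exc):
    # RAISE(ABORT, ...) surfaces as a constraint error carrying the trigger's message.
    if "no acting user" in str(exc):
        return ActorNotSet(str(exc))
    return exc


def create_record(conn, diagnosis):
    try:
        cur = conn.execute("INSERT INTO patient_record(diagnosis) VALUES (?)", (diagnosis,))
    except sqlite3.DatabaseError as exc:
        raise _translate(exc) from exc
    conn.commit()
    return cur.lastrowid


def update_diagnosis(conn, record_id, diagnosis, expected_revision):
    """Apply a change only if the caller saw the current revision (optimistic lock)."""
    try:
        cur = conn.execute(
            "UPDATE patient_record SET diagnosis = ?, revision = revision + 1 "
            "WHERE id = ? AND revision = ?",
            (diagnosis, record_id, expected_revision))
    except sqlite3.DatabaseError as exc:
        raise _translate(exc) from exc
    if cur.rowcount == 0:
        conn.rollback()
        raise StaleRevision(f"record {record_id} is not at revision {expected_revision}")
    conn.commit()
    return expected_revision + 1


def history(conn, record_id):
    """Who changed what, when: audit rows for one record, oldest first."""
    rows = conn.execute(
        "SELECT revision, action, changed_by, changed_at, old_diagnosis, new_diagnosis "
        "FROM patient_record_audit WHERE record_id = ? ORDER BY audit_id", (record_id,))
    return [tuple(r) for r in rows]
```

The revision column does double duty: it is the audit row's handle on a specific version of the record, and the `WHERE revision = ?` guard makes a lost update fail loudly instead of being silently recorded as if it were intended.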
9. Addressable vs Required
9.1. http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html
10. PHI
10.1. Individually Identifiable Health Info
10.1.1. Health Information
10.1.1.1. created or received by
10.1.1.1.1. health care provider
10.1.1.1.2. public health authority
10.1.1.1.3. employer
10.1.1.1.4. life insurer
10.1.1.1.5. school or university
10.1.1.2. relates to past/present/future physical or mental health of
10.1.1.2.1. identifiable individual
10.1.1.2.2. care provided to individual
10.1.1.2.3. payment for care
10.1.2. transmitted or maintained