---
tags: #publish
links: [[Software and Tech]]
created: 2021-03-16 Tue
---

# HIPAA

Here is a useful guide from a development-requirements point of view: https://github.com/truevault/hipaa-compliance-developers-guide

- There's no central authority that certifies compliance; it's up to each company, plus its auditors etc.

## History

- HIPAA dates from 1996, before a lot of internet stuff, so it's cumbersome for the modern data world, though it has been amended.
- Initially: only for specific **covered entities** in the health industry: insurers, medical institutions, doctors, ...
- Since 2013: expanded to include *anyone* who processes/exchanges/stores **PHI (Protected Health Information)** ("Business Associates").
    - But only if it's shared with a covered entity? For some reason. If you don't, then there's no need for HIPAA compliance.
        - Because it's about *the health industry* :D

## PHI (Protected Health Information)

Basically, identifying info in medical records, e.g. billing, email, appointments, scans/results, ...

## Rules

- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule

## Security Rule

This is the main thing. There's a bunch of requirements about controls / administrative safeguards.

There are "technical safeguards": access control, transmission security and encryption, audit and authentication.

Then there are "physical safeguards": physical access control, system security, even facility security.
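Two of the technical safeguards named above (access control and audit), worked through as an added example that is not part of this note or of the linked guide: a small Python module with a role-based, minimum-necessary field filter over a PHI record, and a hash-chained audit log that records every access attempt, including denials, so that a deleted or edited entry breaks the chain. The patient record, the roles and the field names are all constructed for illustration.

```python
"""Added example (not from the original note): a minimal sketch of two
Security Rule 'technical safeguards' -- access control with a
minimum-necessary field filter, and a tamper-evident audit trail.
Records, roles and field names below are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample PHI record for a fictional patient.
RECORDS = {
    "pt-001": {
        "name": "Jane Example",
        "email": "jane@example.org",
        "appointments": ["2021-03-20 10:00"],
        "lab_results": {"hba1c": "5.4%"},
        "billing": {"balance_usd": 120.00},
    }
}

# Fields each (assumed) role may read: the minimum-necessary principle.
ROLE_FIELDS = {
    "clinician": {"name", "appointments", "lab_results"},
    "billing": {"name", "email", "billing"},
    "scheduler": {"name", "appointments"},
}

GENESIS = "0" * 64  # previous-hash value for the first entry


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def record(self, actor, role, patient_id, fields, allowed):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "patient": patient_id,
            "fields": sorted(fields),
            "allowed": allowed,
            "prev": prev,
        }
        digest = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()
        ).hexdigest()
        self.entries.append({**body, "hash": digest})

    def verify(self):
        """True only if every entry's hash and back-link still check out."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()
            ).hexdigest()
            if expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def read_phi(actor, role, patient_id, fields, log):
    """Return only the requested fields the role may see.

    Every attempt is logged, including denials, before any data is returned.
    """
    requested = set(fields)
    permitted = ROLE_FIELDS.get(role, set())
    denied = requested - permitted
    if denied:
        log.record(actor, role, patient_id, requested, allowed=False)
        raise PermissionError(f"role {role!r} may not read {sorted(denied)}")
    record = RECORDS[patient_id]
    log.record(actor, role, patient_id, requested, allowed=True)
    return {f: record[f] for f in requested}


if __name__ == "__main__":
    log = AuditLog()
    print(read_phi("dr-smith", "clinician", "pt-001", ["name", "lab_results"], log))
    try:
        read_phi("bob", "scheduler", "pt-001", ["billing"], log)
    except PermissionError as exc:
        print("denied:", exc)
    print("audit chain intact:", log.verify())
```

In a real system the log would be written to append-only storage outside the application's write path and the chain re-verified periodically; the point of the sketch is that the access decision and the audit entry are produced by the same code path, so there is no way to read PHI without leaving a record.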