In an ever more connected era, cloud computing is changing the way physicians, nurses and hospitals deliver quality, cost-effective services to their patients. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US law that protects the privacy of patients' medical records and of other health-related information provided by or to patients, known as PHI (Protected Health Information). HIPAA applies to "covered entities" (doctors, hospitals, other health care providers, health care clearinghouses and health plans) and to their "business associates", that is, any company that handles, stores or processes PHI on a covered entity's behalf. For a HIPAA compliant solution, every covered entity and business associate that accesses PHI must have technical, physical and administrative safeguards in place, as required by the HIPAA Security Rule, and must use and disclose PHI only as the HIPAA Privacy Rule allows. If a breach of PHI occurs, the solution must support the notification procedure defined by the HIPAA Breach Notification Rule. The HIPAA requirements to be met when designing a HIPAA compliant, cloud-connected healthcare solution are given below.

HIPAA Requirements

HIPAA Security Rule
The HIPAA Security Rule sets the standards that must be applied as safeguards to protect electronic PHI (ePHI) at rest and in transit. It applies to every person and system that has access to confidential patient data. The system must implement RBAC (Role Based Access Control), which defines different levels of access for the different entities that access ePHI, whether humans (researcher, patient, doctor) or systems (smart devices, mobile phones, tablets), so that each gets only the minimum access its role needs.

Technical Safeguards
Technical safeguards cover the technology used to protect ePHI and to control access to it. The Security Rule's technical safeguard standards are access control, audit controls, integrity, person or entity authentication and transmission security. Data at rest and in transit must be encrypted to NIST standards, in particular once it travels beyond the organization's internal infrastructure. Note that encryption is an "addressable" specification: a covered entity must either implement it or document why an equivalent alternative measure is reasonable and appropriate, and unencrypted ePHI that is lost or stolen is treated as a reportable breach.
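The role-based access and audit controls described above, as an added example that is not part of the original article: a deny-by-default RBAC check in Python for the human and system roles named in the text (patient, doctor, researcher, device), with every allow or deny decision written to an append-only audit trail, which is what the audit controls standard asks for. The role names, permission names, scoping rule and sample identifiers are assumptions constructed for illustration, not a reference design from the article or from VOLANSYS.

```python
"""Deny-by-default RBAC with an audit trail for ePHI access.

Added example, not code from the original article. Role names, permission
names and the sample principals below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class Permission(Enum):
    """Operations on ePHI that a role can be granted."""
    READ_RECORD = "read_record"              # full identifiable record
    WRITE_RECORD = "write_record"            # clinical notes, orders
    READ_DEIDENTIFIED = "read_deidentified"  # research extracts only
    WRITE_VITALS = "write_vitals"            # telemetry from a device


# Role -> permissions. Any (role, permission) pair not listed here is denied.
ROLE_PERMISSIONS = {
    "patient": {Permission.READ_RECORD},
    "doctor": {Permission.READ_RECORD, Permission.WRITE_RECORD},
    "researcher": {Permission.READ_DEIDENTIFIED},
    "device": {Permission.WRITE_VITALS},
}


@dataclass(frozen=True)
class Principal:
    """A human or system accessing ePHI.

    scope is the set of patient ids this principal may touch (own record for a
    patient, care list for a doctor, assigned patient for a device). None means
    no per-patient scoping, which is only acceptable for de-identified data.
    """
    id: str
    role: str
    scope: Optional[FrozenSet[str]] = None


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    principal_id: str
    role: str
    permission: str
    patient_id: str
    allowed: bool
    reason: str


class EphiAccessControl:
    """Authorizes ePHI operations and records every decision, allow or deny."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEvent] = []  # append-only; never pruned here

    def check(self, principal: Principal, permission: Permission, patient_id: str) -> bool:
        allowed, reason = self._decide(principal, permission, patient_id)
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            principal_id=principal.id, role=principal.role,
            permission=permission.value, patient_id=patient_id,
            allowed=allowed, reason=reason))
        return allowed

    @staticmethod
    def _decide(principal: Principal, permission: Permission, patient_id: str) -> Tuple[bool, str]:
        granted = ROLE_PERMISSIONS.get(principal.role)
        if granted is None:
            return False, "unknown role"
        if permission not in granted:
            return False, "permission not granted to role"
        # Minimum necessary: identifiable data is only reachable inside the principal's scope.
        if permission is not Permission.READ_DEIDENTIFIED:
            if principal.scope is None or patient_id not in principal.scope:
                return False, "patient outside principal scope"
        return True, "ok"

    def denied_events(self) -> List[AuditEvent]:
        """Denials are the events a security operations team reviews first."""
        return [e for e in self.audit_log if not e.allowed]


def demo() -> EphiAccessControl:
    """Runs a constructed set of access attempts and returns the populated controller."""
    ac = EphiAccessControl()
    doctor = Principal("dr-1", "doctor", frozenset({"p-1"}))
    patient = Principal("p-2", "patient", frozenset({"p-2"}))
    device = Principal("dev-9", "device", frozenset({"p-1"}))
    researcher = Principal("r-3", "researcher")
    ac.check(doctor, Permission.READ_RECORD, "p-1")            # allow: on care list
    ac.check(doctor, Permission.READ_RECORD, "p-2")            # deny: not on care list
    ac.check(patient, Permission.READ_RECORD, "p-2")           # allow: own record
    ac.check(patient, Permission.READ_RECORD, "p-1")           # deny: someone else's record
    ac.check(device, Permission.WRITE_VITALS, "p-1")           # allow: assigned patient
    ac.check(device, Permission.READ_RECORD, "p-1")            # deny: devices never read records
    ac.check(researcher, Permission.READ_DEIDENTIFIED, "p-1")  # allow: de-identified only
    ac.check(researcher, Permission.READ_RECORD, "p-1")        # deny: no identifiable access
    return ac
```

Two design points matter more than the role table itself. First, the decision is deny-by-default: an unknown role or an unlisted permission is refused before any scoping is considered, so adding a new device type or user class grants nothing until a policy entry exists. Second, the audit log records denials as well as grants, with the reason; a log that only shows successful reads cannot answer the question an investigator asks after a breach, namely who tried to reach a record they should not have.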
Physical Safeguards
Physical safeguards cover physical access to ePHI irrespective of location. ePHI may be stored at a remote location or in the on-premises data center of a HIPAA covered entity; in either case the physical location where ePHI is stored must be secured against unauthorized access.

Administrative Safeguards
Administrative safeguards cover the policies and procedures that tie the Privacy Rule and the Security Rule together: the security management process (risk analysis, risk management, sanctions and activity review), an assigned security officer, workforce security and training, information access management, security incident procedures, contingency planning, periodic evaluation and business associate contracts.

HIPAA Privacy Rule
The HIPAA Privacy Rule governs how PHI may be used and disclosed. It requires that all necessary safeguards are implemented to protect a patient's personal information, and it grants patients rights over their data: the right to be informed, the right to obtain a copy of their information and the right to have it shared with a third party of their choosing. Under the Privacy Rule, covered entities must respond to such patient requests within 30 days.

HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify affected patients when there is a breach of their unsecured PHI, without unreasonable delay and no later than 60 days after the breach is discovered. The Department of Health and Human Services (HHS) must also be notified: for a breach affecting 500 or more individuals within the same 60-day window (together with prominent media outlets serving the affected state or jurisdiction), and for smaller breaches through an annual log submitted within 60 days of the end of the calendar year. The notification must describe what happened and when, the types of PHI involved, the steps affected individuals should take to protect themselves, what the entity is doing to investigate and mitigate the breach, and how to contact the entity.

HIPAA Omnibus Rule
The HIPAA Omnibus Rule of 2013 addresses areas omitted from earlier HIPAA updates. It refines definitions and clarifies the policies and procedures in the HIPAA compliance checklist so that they cover business associates and their subcontractors. Its key amendments to HIPAA regulation are: making business associates and their subcontractors directly liable for compliance with the Security Rule and the applicable Privacy Rule provisions; replacing the earlier "risk of harm" test with the presumption that any impermissible use or disclosure is a breach unless a documented risk assessment shows a low probability that the PHI was compromised; and strengthening patients' rights, including the right to restrict disclosures to a health plan for care paid for out of pocket and the right to an electronic copy of their records.

HIPAA Enforcement Rule
The HIPAA Enforcement Rule covers the investigation of complaints and breaches of ePHI and the civil penalties imposed on the entities responsible. Under the HIPAA compliance checklist, penalties are tiered by culpability: the entity did not know and could not reasonably have known of the violation; the violation was due to reasonable cause rather than willful neglect; it was due to willful neglect but corrected within 30 days; or it was due to willful neglect and not corrected. Per-violation amounts and the annual cap per identical provision rise with each tier and are adjusted for inflation, and knowing misuse of PHI can additionally be referred for criminal prosecution.

HIPAA Risk Assessment Guidance
HHS guidance on risk analysis expects a covered entity to: define the scope, covering all ePHI wherever it is created, received, maintained or transmitted; collect data on where ePHI is stored and how it flows; identify reasonably anticipated threats and vulnerabilities; assess the security measures currently in place; determine the likelihood and the impact of each threat; assign a risk level to each; document the analysis; and review and update it periodically and whenever the environment changes.
Thus, to make any healthcare solution HIPAA compliant, the requirements above must be addressed and integrated into the solution: safeguards that meet the Security Rule, handling of PHI that follows the Privacy Rule, a breach notification procedure, business associate agreements that flow down to subcontractors, and a documented, regularly repeated risk assessment.

At VOLANSYS, we help healthcare device manufacturers and solution providers make their healthcare devices and solutions HIPAA compliant, following the rules and regulations above. Our capabilities include device miniaturization, designing low-power customized wearables, invasive and non-invasive devices, security compliance, HIPAA compliant cloud services and much more.

About the Author: Chandani Patel
Chandani is an AWS Certified Solutions Architect, AWS Business & Technical Professional, and Technical Lead on several domains: Cloud Solutions, IoT Solutions, ML & Data Science. She is a Cloud Solution Architect with expertise in designing, developing and architecting cloud solutions for public clouds (Azure, AWS, Google & Bluemix), private clouds and hybrid clouds.