HIPAA Compliance | Chino.io

Resources regarding HIPAA Compliance for the US market

Main resources to start with HIPAA and how Chino.io ensures compliance

What is HIPAA

HIPAA is the acronym for Health Insurance Portability and Accountability Act, a U.S. law of 1996 aimed at improving the efficiency and effectiveness of the health care system in the U.S. Every business processing electronic Protected Health Information (ePHI) within the US needs to comply with it.

HIPAA is composed of 4 main parts, called “rules” (some added after 1996 by the HHS, the U.S. Department of Health & Human Services). They are:

  • Privacy Rule
  • Breach Notification Rule
  • Enforcement Rule
  • Security Rule

The provisions aimed at achieving security are contained in the Security Rule, which “establish[es] a national set of security standards for protecting certain health information that is held or transferred in electronic form” (Source: hhs.gov).

Who is covered by the Security Rule

Covered Entities

The Security Rule applies to what HIPAA defines as “covered entities”, namely: “health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA” (Source: hhs.gov).

If you want to know more about covered entities and whether you can be classified as one, you can read the HHS paper at this link.

Business Associates

There is more: with the HITECH Act of 2009, the scope of HIPAA was extended to “business associates” as well, namely “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” (Source: hhs.gov)

If you want to know more about business associates and whether you can be classified as one, you can read the HHS paper at this link.

As the following summary points out, as a digital health business you can either act on behalf of a Covered Entity or collect ePHI directly from an individual (who under the EU GDPR would be called a “data subject”).

This last step is where Chino.io can help you: as a subcontractor, we help you keep your ePHI in a secure and HIPAA-compliant cloud.

Detailed list of requirements and how Chino.io handles them

The official source of requirements regarding the HIPAA Act is the HHS (hhs.gov). The tables below list each Standard (S) and its Implementation Specifications (IS) with the HIPAA reference and whether the specification is Required (R) or Addressable (A); standards themselves carry no such flag.

ADMINISTRATIVE SAFEGUARDS

Standard (S) or Implementation Specification (IS) | HIPAA Reference | Addressable (A) / Required (R)
S - Security Management Process | 164.308(a)(1)(i) | -
  IS - Risk Analysis | 164.308(a)(1)(ii)(A) | R
  IS - Risk Management | 164.308(a)(1)(ii)(B) | R
  IS - Sanction Policy | 164.308(a)(1)(ii)(C) | R
  IS - Information System Activity Review | 164.308(a)(1)(ii)(D) | R
S - Assigned Security Responsibility | 164.308(a)(2) | -
S - Workforce Security | 164.308(a)(3)(i) | -
  IS - Authorization and/or Supervision | 164.308(a)(3)(ii)(A) | A
  IS - Workforce Clearance Procedure | 164.308(a)(3)(ii)(B) | A
  IS - Termination Procedures | 164.308(a)(3)(ii)(C) | A
S - Information Access Management | 164.308(a)(4)(i) | -
  IS - Isolating Health Care Clearinghouse Functions | 164.308(a)(4)(ii)(A) | R
  IS - Access Authorization | 164.308(a)(4)(ii)(B) | A
  IS - Access Establishment and Modification | 164.308(a)(4)(ii)(C) | A
S - Security Awareness Training | 164.308(a)(5)(i) | -
  IS - Security Reminders | 164.308(a)(5)(ii)(A) | R
  IS - Protection from Malicious Software | 164.308(a)(5)(ii)(B) | R
  IS - Log-in Monitoring | 164.308(a)(5)(ii)(C) | R
  IS - Password Management | 164.308(a)(5)(ii)(D) | R
S - Security Incident Procedures | 164.308(a)(1)(i) | -
  IS - Response and Reporting | 164.308(a)(6)(ii) | R
S - Contingency Plan | 164.308(a)(1)(i) | -
  IS - Data Backup Plan | 164.308(a)(7)(ii)(A) | R
  IS - Disaster Recovery Plan | 164.308(a)(7)(ii)(B) | R
  IS - Emergency Mode Operation Plan | 164.308(a)(7)(ii)(C) | R
  IS - Testing and Revision Procedures | 164.308(a)(7)(ii)(D) | A
  IS - Applications and Data Criticality Analysis | 164.308(a)(7)(ii)(E) | A
S - Evaluation | 164.308(a)(1)(i) | -
S - Business Associate Contracts and Other Arrangements | 164.308(a)(1)(i) | -
  IS - Written Contract | 164.308(b)(4) | R

PHYSICAL SAFEGUARDS

Standard (S) or Implementation Specification (IS) | HIPAA Reference | Addressable (A) / Required (R)
S - Facility Access Controls | 164.310(a)(1) | -
  IS - Contingency Operations | 164.310(a)(2)(i) | A
  IS - Facility Security Plan | 164.310(a)(2)(ii) | A
  IS - Access Control Validation Procedures | 164.310(a)(2)(iii) | A
  IS - Maintenance Records | 164.310(a)(2)(iv) | A
S - Workstation Use | 164.310(b) | -
S - Workstation Security | 164.310(c) | -
S - Device and Media Controls | 164.310(d)(1) | -
  IS - Disposal | 164.310(d)(2)(i) | R
  IS - Media Re-use | 164.310(d)(2)(ii) | R
  IS - Accountability | 164.310(d)(2)(iii) | A
  IS - Data Backup and Storage | 164.310(d)(2)(iv) | A

TECHNICAL SAFEGUARDS

Standard (S) or Implementation Specification (IS) | HIPAA Reference | Addressable (A) / Required (R)
S - Access Control | 164.312(a)(1) | -
  IS - Unique User Identification | 164.312(a)(2)(i) | R
  IS - Emergency Access Procedure | 164.312(a)(2)(ii) | R
  IS - Automatic Logoff | 164.312(a)(2)(iii) | A
  IS - Encryption and Decryption | 164.312(a)(2)(iv) | A
S - Audit Controls | 164.312(b) | -
S - Integrity | 164.312(c)(1) | -
  IS - Mechanism to Authenticate Electronic Protected Health Information | 164.312(c)(2) | A
S - Person or Entity Authentication | 164.308(a)(4)(i) | -
S - Transmission Security | 164.312(e)(1) | -
  IS - Integrity Controls | 164.312(e)(2)(i) | A
  IS - Encryption | 164.312(e)(2)(ii) | A

ORGANIZATIONAL SAFEGUARDS

Standard (S) or Implementation Specification (IS) | HIPAA Reference | Addressable (A) / Required (R)
S - Business Associate Contracts or Other Arrangements | 164.314(a)(1) | -
  IS - Business Associate Contracts | 164.314(a)(2)(i) | R
  IS - Other Arrangement | 164.314(a)(2)(ii) | R
S - Requirements for Group Health Plans | 164.314(b)(1) | -
  IS - Business Associate Contracts | 164.314(b)(2)(i) | R
  IS - Other Arrangement | 164.314(b)(2)(ii) | R
  IS | 164.314(b)(2)(iii) | R
  IS | 164.314(b)(2)(iv) | R
S - Policies and Procedures | 164.316(a) | -
S - Documentation | 164.316(b)(1) | -
  IS - Time Limit | 164.316(b)(2)(i) | R
  IS - Availability | 164.316(b)(2)(ii) | R
  IS - Updates | 164.316(b)(2)(iii) | R

At Chino.io we work full time on solving these issues for you.