=================================
Version 1.0
This guide is designed to provide developers with a solid understanding of HIPAA guidelines and their implications for application development.
HIPAA was originally written in 1996, well in advance of the consumer Internet and a decade ahead of the first iPhone. Therefore, many of the rules and provisions deal with security and privacy issues from a world that didn't have a notion of apps, smartphones, and wearables. And while it's been amended to address privacy and security for the web, the complexity and wide-sweeping nature of the law makes teasing out the exact details to ensure compliance a bit cumbersome.
Further, unlike PCI, there is no certification entity that can provide developers a rubber stamp of compliance approval. It's up to developers and companies alike to ensure compliance requirements are implemented properly.
This guide will give you enough information to give you a strong understanding of HIPAA without getting bogged down in the legalese. We've tried to keep it straight forward, written in plain language.
01 — Introduction
- 2013 Final Omnibus Rule Update
- Why this guide?
- Who is this guide for?
- Build on our work
- Questions/Feedback
- Mandatory Disclaimer
02 — What is HIPAA?
- Background
- 2013 Final Omnibus Rule Update
- The Four Rules of HIPAA
- Important Terms to Know ++ Protected Health Information ++ The Difference Between PHI and Consumer Health Information ++ Covered Entity ++ Business Associate ++ No Safe Harbor Clause
03 — Do I Need to Be HIPAA Compliant?
04 — HIPAA Security Rule
- 3 Parts to the HIPAA Security Rule ++ Administrative Safeguards ++ Technical Safeguards +++ Access Control Safeguards +++ Transmission Security +++ Audit and Integrity ++ Physical Safeguards +++ Facility Access Controls +++ Device and Media Controls +++ Workstation Security
- Required vs. Addressable Specifications
06 — Who Certifies HIPAA Compliance
07 — HIPAA Fines
- Build vs. Buy
- Unintended Use Cases
- HIPAA Hosting and Compliance ++ Does Using HIPAA Hosting Make My Application HIPAA Compliant? ++ What Data Should Be Stored in HIPAA Compliant Hosting Environments? ++ What Makes a Hosting Environment HIPAA Compliant? ++ Network and Application Security ++ High-Availability and Redundancy ++ Required vs. Addressable HIPAA Implementation Specifications
09 — Mobile Applications
- Use Cases
- PHI in the Application
- User Communication ++ Email ++ Database/API Calls
- Push Notifications
- Physical Phone Security ++ Using the Lock Screen ++ Enabling Remote Wiping of Lost Phones
- Considerations for Wearables ** Alerts and Notifications ++ Default Displays ++ APIs and Data Sharing ++ Medical Devices ++ Data Encryption ++ Data Synching
11 — Apple Healthbook and iOS 8
12 — About TrueVault
- Built for Developers Like You
- HIPAA Compliant
- BAA + Insurance
- Startups
- Mobile Apps
- Web Apps
- Wearable Health Tech Devices
- Why People Like TrueVault
- Try TrueVault for Free
TrueVault is a HIPAA compliant API and secure data store that makes meeting the technical safeguard requirements of HIPAA easy for developers. Think of us like Stripe, but instead of payments, we make sure your app is checking all the boxes for HIPAA security and privacy. Learn more
We're not lawyers. Nothing in this guide constitutes legal advice. Talk to one if you have specific questions regarding your application and HIPAA compliance.