When we started working with healthcare companies, one thing we needed to look at was the HIPAA regulation. In this series we will talk about it and also show a couple of infrastructure implementation examples for being compliant.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. It is a federal law enacted in the United States in 1996 as an attempt at incremental health care reform.
HIPAA’s intent is to reform the healthcare industry by reducing costs, simplifying administrative processes and burdens, and improving the privacy and security of individuals’ health information.
Protected Health Information (PHI)
PHI is any individually identifiable health information relating to the past, present or future health condition of an individual, regardless of the form in which it is maintained (electronic, paper, etc.).
When PHI is in electronic form it is referred to as Electronic Protected Health Information (ePHI).
There are two types of organizations regulated under HIPAA: Covered Entities and Business Associates.
Covered entities are the source of PHI; they are the ones with a direct relationship with the individuals whose PHI is being kept. For example: doctors, nurses, clinical laboratories, etc.
Business Associates (BAs) are the third-party companies with whom the covered entities share PHI, such as software companies, insurance brokers, etc.
Chain of trust
Covered entities cannot share PHI with business associates unless they ensure that the BA is also HIPAA compliant. Under HIPAA, that assurance is handled by requiring the covered entity to have a signed business associate contract in place with the business associate.
This creates a chain of trust that starts with the covered entity and continues through multiple levels of business associates.
While HIPAA has several parts, in this series we will focus on the technical infrastructure setup needed to be HIPAA compliant. In some cases we will provide how-to tutorials to increase security on your AWS infrastructure, and in others just some recommendations to consider while you are building your HIPAA environment.
To continue reading about HIPAA and AWS infrastructure implementations for compliance, here is our current list of articles on these topics:
- How to make your Amazon RDS DB private if it’s already public
- How to enable encryption on AWS S3 bucket
- How to encrypt your data at rest using Docker and AWS Elastic Beanstalk
- How to establish a secure connection from a Node.js API to an AWS RDS DB