=================================

Version 1.0

This guide is designed to provide developers with a solid understanding of HIPAA guidelines and their implications for application development.

HIPAA was originally written in 1996, well in advance of the consumer Internet and a decade ahead of the first iPhone. Therefore, many of the rules and provisions deal with security and privacy issues from a world that didn't have a notion of apps, smartphones, and wearables. And while it's been amended to address privacy and security for the web, the complexity and wide-sweeping nature of the law makes teasing out the exact details to ensure compliance a bit cumbersome.

Further, unlike PCI, there is no certification entity that can provide developers a rubber stamp of compliance approval. It's up to developers and companies alike to ensure compliance requirements are implemented properly.

This guide will give you enough information to give you a strong understanding of HIPAA without getting bogged down in the legalese. We've tried to keep it straight forward, written in plain language.

Read the Introduction

01 — Introduction

• 2013 Final Omnibus Rule Update
• Why this guide?
• Who is this guide for?
• Build on our work
• Questions/Feedback
• Mandatory Disclaimer

02 — What is HIPAA?

• Background
• 2013 Final Omnibus Rule Update
• The Four Rules of HIPAA
• Important Terms to Know
  • Protected Health Information
  • The Difference Between PHI and Consumer Health Information
  • Covered Entity
  • Business Associate
  • No Safe Harbor Clause

03 — Do I Need to Be HIPAA Compliant?

• Who Needs to Be HIPAA Compliant?

04 — HIPAA Security Rule

• 3 Parts to the HIPAA Security Rule
  • Administrative Safeguards
  • Technical Safeguards
    • Access Control Safeguards
    • Transmission Security
    • Audit and Integrity
  • Physical Safeguards
    • Facility Access Controls
    • Device and Media Controls
    • Workstation Security
• Required vs. Addressable Specifications

05 — Becoming HIPAA Compliant

• What Does HIPAA Require
• What it Means for Developers
• If We're Being Honest

06 — Who Certifies HIPAA Compliance

• The Short Answer
• But Texas

07 — HIPAA Fines

• Unencrypted Data
• Employee Error
• Data Stored on Devices
• Business Associates

08 — Developer Considerations

• Build vs. Buy
• Unintended Use Cases
• HIPAA Hosting and Compliance
  • Does Using HIPAA Hosting Make My Application HIPAA Compliant?
  • What Data Should Be Stored in HIPAA Compliant Hosting Environments?
  • What Makes a Hosting Environment HIPAA Compliant?
  • Network and Application Security
  • High-Availability and Redundancy
  • Required vs. Addressable HIPAA Implementation Specifications

09 — Mobile Applications

• Use Cases
• PHI in the Application
• User Communication
  • Email
  • Database/API Calls
• Push Notifications
• Physical Phone Security
  • Using the Lock Screen
  • Enabling Remote Wiping of Lost Phones

10 — Wearable Applications

• Considerations for Wearables
  • Alerts and Notifications
  • Default Displays
  • APIs and Data Sharing
  • Medical Devices
  • Data Encryption
  • Data Synching

11 — Apple HealthKit and iOS 8

• TrueVault iOS 8 SDK
• iOS 8 Health-Related Announcements
• Apple HealthKit Announcements

12 — About TrueVault

• Built for Developers Like You
• HIPAA Compliant
• BAA + Insurance
• Startups
• Mobile Apps
• Web Apps
• Wearable Health Tech Devices
• Why People Like TrueVault
• Try TrueVault for Free

TrueVault is a HIPAA compliant API and secure data store that makes meeting the technical safeguard requirements of HIPAA easy for developers. Think of us like Stripe, but instead of payments, we make sure your app is checking all the boxes for HIPAA security and privacy. Learn more

We're not lawyers. Nothing in this guide constitutes legal advice. Talk to one if you have specific questions regarding your application and HIPAA compliance.