HIPAA Compliance

HIPAA SECURITY RULE OVERVIEW

HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States of America (USA) legislation that provides data privacy and security provisions for safeguarding medical information. HIPAA applies to protected health information (PHI) from countries outside the USA when the information is brought into the United States.

HIPAA Security Rule - Technical Safeguards

Stated below are the key statutes specified under the Technical Safeguards* of the HIPAA Security Rule to ensure the safety of electronic protected health information (ePHI; REF).

1. Access Control - Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.

2. Access Control - Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.

3. Access Control - Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

4. Access Control - Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.

5. Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

6. Integrity - Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

7. Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

8. Transmission Security - Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.

9. Transmission Security - Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.

*Required safeguards are those which must be implemented.

*Addressable safeguards are not mandatory but are to be implemented if they are reasonable and appropriate.

Outbreak Responder - HIPAA Compliance

Provided below are the processes in place to meet HIPAA Compliance on the Outbreak Responder software platform. The rehydration calculator is considered not to contain ePHI in the contexts for which it is intended to be used (resource-limited countries with a high diarrheal disease burden). The EMR does contain ePHI.

1. Unique User Identification: A unique identifier is in place for each record and for each user who accesses the ePHI; this includes biometric data. The username and password cannot be similar. The password must be a minimum of 6 characters and contain at least one uppercase letter and at least one number. Two-step authentication is not feasible in the remote settings common to infectious disease outbreaks.
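An added example (not the platform's own code) of the stated password rules as a checker in Python. The page does not define "similar", so the 0.7 similarity threshold below is an assumption borrowed from Django's built-in UserAttributeSimilarityValidator; the sample credentials are constructed.

```python
"""Password policy check mirroring the rules stated in item 1.

Added example, not Outbreak Responder's own code. "Similar" is assumed
to mean a difflib ratio >= 0.7 (the threshold Django's built-in
UserAttributeSimilarityValidator uses); the page does not define it.
"""
from difflib import SequenceMatcher

MIN_LENGTH = 6          # stated policy: minimum of 6 characters
MAX_SIMILARITY = 0.7    # assumption, see module docstring


def password_problems(password: str, username: str) -> list[str]:
    """Return every policy rule the candidate violates (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    # Compare case-insensitively so a trivial case change cannot bypass
    # the username/password similarity rule.
    ratio = SequenceMatcher(a=password.lower(), b=username.lower()).ratio()
    if ratio >= MAX_SIMILARITY:
        problems.append("too similar to the username")
    return problems


def is_acceptable(password: str, username: str) -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not password_problems(password, username)


if __name__ == "__main__":
    # Constructed sample credentials for illustration only.
    print(password_problems("abc", "nurse.amin"))
    print(is_acceptable("Cholera7", "nurse.amin"))
```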

2. Emergency Access Procedure: Administrative users are given the necessary permissions to access the required data and systems when an emergency arises. Emergencies may include software crashes, a breach of the privacy policy or terms of use, or an authorized legal request.

3. Automatic Logoff: An automatic log-off period exists on both the smartphone application and the web interface. The log-off time period has been configured to meet user needs while assuring safety.

4. Encryption and Decryption: Encryption of the smartphone data (cache) relies on native encryption on the device. Data transmitted and received by the device are protected by HTTPS encryption (see item 9). Amazon Web Services encryption and decryption services are deployed at the level of the server (e.g. EBS encryption on an AWS EC2 instance).

5. Audit Controls: Revisions to the records are tracked, stored and saved independently on an encrypted AWS EC2 server.

6. Authentication: Users are required to sign in to the application with a unique username and password, which enables the credentials and access controls to be verified before access to ePHI is granted.

7. Integrity - Mechanism to Authenticate ePHI: Access controls are determined by a user hierarchy. This hierarchy has been designed to limit access on a 'need to know' basis. Users are permitted to access data that is within the level of their duties. Permission levels are (i) patients seen by clinical or research teams within a unit of care (e.g. hospital), (ii) all teams within a hospital, (iii) all hospitals within a geographic designation (e.g. district), (iv) all hospitals within a country, and (v) all countries. Access is granted only to the ePHI pertaining to a given level.
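One way to implement the need-to-know scope check for these five levels, as an added example in Python (not Outbreak Responder's own code). The Record and Grant shapes, the level names and the sample identifiers are assumptions; the check denies by default and only allows a record that lies inside the grant's scope.

```python
"""Scope check for the five-level access hierarchy described in item 7.

Added example, not Outbreak Responder's own code. Level names and the
Record/Grant shapes are assumptions for illustration.
"""
from dataclasses import dataclass

# Innermost first: each level contains every level to its left.
LEVELS = ("unit", "hospital", "district", "country", "global")


@dataclass(frozen=True)
class Record:
    """Where an ePHI record sits in the hierarchy."""
    country: str
    district: str
    hospital: str
    unit: str

    def path(self) -> tuple:
        # Innermost first, so path()[drop:] is the scope at a given level.
        return (self.unit, self.hospital, self.district, self.country)


@dataclass(frozen=True)
class Grant:
    """A user's permission: a level plus the identifiers pinning its scope.

    scope is innermost first and holds one entry per level from the grant's
    level outward, e.g. a district grant holds (district, country); a
    global grant has an empty scope.
    """
    level: str
    scope: tuple

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")
        expected = len(LEVELS) - 1 - LEVELS.index(self.level)
        if len(self.scope) != expected:
            raise ValueError(f"{self.level} grant needs {expected} scope ids")


def may_access(grant: Grant, record: Record) -> bool:
    """True only when the record lies inside the grant's scope (deny by default)."""
    drop = LEVELS.index(grant.level)  # levels below the grant are not pinned
    return record.path()[drop:] == grant.scope
```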

8. Transmission Security - Integrity Controls: The ability to edit ePHI rests only with application users who have the clearance to access the records. Changes made to the ePHI are also tracked using Revisions and Django history.

9. Transmission Security - Encryption: Data are encrypted at three primary points.

a. When the data transfer from the mobile device to the server, all data are transmitted through a secure HTTPS request from the mobile applications to the AWS EC2 instances. This process includes an SSL certificate.

b. When data are processed on AWS EC2 instances, an encrypted EBS volume is used to secure the data while on the EC2 server.

c. When the data are stored on the RDS instance (MySQL), an encrypted AWS RDS instance is used to secure the ePHI at rest.