HIPAA Compliance | Chino.io

Resources regarding HIPAA Compliance for the US market

Main resources to start with HIPAA and how Chino.io ensures compliance

What is HIPAA

HIPAA is the acronym for the Health Insurance Portability and Accountability Act, a U.S. law of 1996 aimed at improving the efficiency and effectiveness of the health care system in the U.S. Every business processing electronic Protected Health Information (ePHI) within the US needs to comply with it.

HIPAA is composed of 4 main parts, called “rules” (some were added after 1996 by the HHS, the U.S. Department of Health & Human Services). They are:

  • Privacy Rule
  • Breach Notification Rule
  • Enforcement Rule
  • Security Rule

The provisions aimed at achieving security are contained in the Security Rule, which “establish[es] a national set of security standards for protecting certain health information that is held or transferred in electronic form” (Source: hhs.gov).

Who is covered by the Security Rule

Covered Entities

The Security Rule applies to what HIPAA defines as “covered entities”, namely: “health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA” (Source: hhs.gov).

If you want to know more about covered entities and whether you can be classified as such, you can read the HHS paper at this link.

Business Associates

There is more: thanks to the HITECH Act of 2009, the scope of HIPAA has been extended to “business associates” as well, namely “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” (Source: hhs.gov)

If you want to know more about business associates and whether you can be classified as such, you can read the HHS paper at this link.

As the following summary points out, as a digital health business you can either act on behalf of a covered entity or directly collect ePHI from an individual (who, under the EU GDPR, would be called a “data subject”).

The last step is where Chino.io can help you: as a subcontractor, we help you keep your ePHI in a secure and HIPAA-compliant cloud.

Detailed list of requirements and how Chino.io handles them

The official source of requirements regarding the HIPAA Act is the HHS (hhs.gov).

Administrative Requirements

1. Security Management Process

HIPAA Definition & Specifications

§ 164.308(a)(1): "Implement policies and procedures to prevent, detect, contain and correct security violations."

Implementation Specifications

  • Risk Analysis (Required)
  • Risk Management (Required)
  • Sanction Policy (Required)
  • Information System Activity Review (Required)

Chino.io implementation

Chino.io performs risk analysis and assessments on a regular basis. The relevant risks and mitigation procedures are also documented in the Chino.io Quality Management and Security Management Systems, which have been certified according to the ISO 9001 and ISO 27001 standards by an external auditing firm.

We manage our employees' accounts so that everyone has as few privileges as possible. Access to PHI data is permitted only to employees with the highest privileges, and each access is logged.

Chino.io implements detailed tracking of all actions on data and on the API, which forms the basis of the audit logs and monitoring system and allows both the Chino.io team and its users to assess and monitor access to data in a non-repudiable manner.

2. Assigned Security Responsibility

HIPAA Definition & Specifications

“Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity.”

No Implementation Specifications

Chino.io implementation

Jovan Stevovic and Stefano Tranquillini are assigned to the Privacy and Security roles respectively.

3. Workforce Security

HIPAA Definition & Specifications

“Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information.”

Implementation Specifications

  • Authorization and/or supervision (Addressable)
  • Workforce Clearance Procedure (Addressable)
  • Termination Procedures (Addressable)

Chino.io implementation

As mentioned above, Chino.io employees have access to as little of the information and system components as possible. This includes access to source code, the different VMs, encryption key stores, audit log mechanisms, e-mail, and any other information pertaining to the company or to the company's users and customers.

The procedures are also defined together with compliance experts in our Quality and Security Management Systems, which have been certified according to the ISO 9001 and ISO 27001 standards.

4. Information Access Management

HIPAA Definition & Specifications

“Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part [the Privacy Rule].”

Implementation Specifications

  • Isolating Health Care Clearinghouse Functions (Required)
  • Access Authorization (Addressable)
  • Access Establishment and Modification (Addressable)

Chino.io implementation

Each access to PHI (both via the API and via administration tools) is subject to authentication and authorization procedures according to best technical and system administration practices.

Access to the data via the API is performed according to permission policies that define a method which is granular, tracked and transparent to the end user. Permissions are documented on docs.chino.io.

Access to the data via administration tools is performed according to industry standards, where each component of the system (databases, VMs, key managers) is protected by passwords and access rights.

Access to PHI, both via the API and via the administration tools, is logged, and the audit trail is hashed and encrypted according to best security standards, so that no further modifications are permitted.

5. Security Awareness and Training

HIPAA Definition & Specifications

“Implement a security awareness and training program for all members of its workforce (including management).”

Implementation Specifications

  • Security Reminders (Addressable)
  • Protection from Malicious Software (Addressable)
  • Log-in Monitoring (Addressable)
  • Password Management (Addressable)

Chino.io implementation

Chino.io is a cyber-security company which brings its know-how and best practices to the digital health sector. Chino.io applies Privacy and Security by Design principles, and constantly monitors its software and the service it offers.

As described above, access to PHI is logged, and the audit trail is hashed and encrypted according to best security standards, so that no further modifications are permitted.

Chino.io uses state-of-the-art password managers as part of its security procedures; the team has the ability to update and monitor passwords, and to revoke them as part of the disposal procedures.
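Sections 4 and 5 above state that the audit trail is hashed and encrypted so that no later modification is permitted. The Go program below is an added example, not Chino.io's code, of the mechanism such a property usually rests on: every entry carries an HMAC-SHA256 tag computed over its own fields and over the tag of the previous entry, so an after-the-fact edit, deletion or reordering breaks the chain and Verify reports the first entry that no longer matches. The entry fields, the key, the sample users and the document id are all constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuditEntry is one recorded access to a PHI resource. The fields are assumptions
// made for this example, not Chino.io's actual log format.
type AuditEntry struct {
	Seq      int    // position in the chain, starting at 1
	UserID   string // unique identifier of the caller
	Action   string // read, write, update, delete, transfer rights, ...
	Resource string // e.g. a document id
	PrevHash string // tag of the previous entry ("" for the first entry)
	Hash     string // hex HMAC-SHA256 over this entry's fields and PrevHash
}

// AuditLog is an append-only chain. Every tag covers the previous tag, so editing,
// deleting or reordering any past entry invalidates each tag from that point on.
type AuditLog struct {
	key     []byte // HMAC key; held in a separate key store, never beside the log
	entries []AuditEntry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// tag computes the HMAC over a canonical serialisation of the entry.
func (l *AuditLog) tag(e AuditEntry) string {
	m := hmac.New(sha256.New, l.key)
	fmt.Fprintf(m, "%d|%s|%s|%s|%s", e.Seq, e.UserID, e.Action, e.Resource, e.PrevHash)
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an event and links it to the entry before it.
func (l *AuditLog) Append(userID, action, resource string) AuditEntry {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(l.entries) + 1, UserID: userID, Action: action,
		Resource: resource, PrevHash: prev}
	e.Hash = l.tag(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify walks the chain and returns the sequence number of the first entry whose
// position, link or contents no longer match its tag; 0 and nil mean the trail is intact.
func (l *AuditLog) Verify() (int, error) {
	prev := ""
	for i, e := range l.entries {
		if e.Seq != i+1 || e.PrevHash != prev || !hmac.Equal([]byte(l.tag(e)), []byte(e.Hash)) {
			return e.Seq, errors.New("audit trail modified")
		}
		prev = e.Hash
	}
	return 0, nil
}

// Tamper stands in for an after-the-fact edit of the stored log (demonstration only).
func (l *AuditLog) Tamper(seq int, newAction string) { l.entries[seq-1].Action = newAction }

func main() {
	trail := NewAuditLog([]byte("constructed-demo-key")) // constructed key for the example
	trail.Append("user-1", "read", "doc-42")
	trail.Append("user-2", "update", "doc-42")
	trail.Append("user-1", "delete", "doc-42")
	seq, err := trail.Verify()
	fmt.Println("intact:", seq, err) // intact: 0 <nil>
	trail.Tamper(2, "read")          // someone rewrites what user-2 did
	seq, err = trail.Verify()
	fmt.Println("after edit:", seq, err) // after edit: 2 audit trail modified
}
```

Two points a reviewer of such a design checks: the HMAC key has to live apart from the log (the separate key store the page mentions for encryption keys), because whoever can both edit the log and read the key can simply recompute the tags; and a chain alone cannot detect truncation of its newest entries, so the latest tag is usually also written periodically to a place the log writer cannot modify, such as a signed daily digest kept by a different role.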

6. Security Incident Procedures

HIPAA Definition & Specifications

“Implement policies and procedures to address security incidents.”

Implementation Specifications

  • Response and Reporting (Required)

Chino.io implementation

The Chino.io response and reporting procedures are documented in its Quality and Security Management Systems, which have been certified according to the ISO 9001 and 27001 standards by third-party auditors.

In addition, Chino.io applies the legal requirements related to incident response procedures, which include the Breach Notification procedure and remedy procedures to recover the initial state.

7. Contingency Plan

HIPAA Definition & Specifications

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”

Implementation Specifications

  • Data Backup Plan (Required)
  • Disaster Recovery Plan (Required)
  • Emergency Mode Operation Plan (Required)
  • Testing and Revision Procedures (Addressable)
  • Applications and Data Criticality Analysis (Addressable)

Chino.io implementation

Following state-of-the-art quality and security management procedures, Chino.io performs daily backups of all user data and periodically checks their integrity by performing recovery tests.

In addition, the health data storage is implemented on the Amazon AWS RDS service, which provides backup procedures by default.

Recovery plan testing is documented and performed according to the ISO 9001 standard, which is certified by a third-party certification institute.

The criticality analysis is core to how our system functions, since no single point of failure is allowed in our service. To deliver the highest Service Level Agreements and high availability even in case of incidents, Chino.io constantly updates and improves its architecture and service.

8. Evaluation

HIPAA Definition & Specifications

“Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].”

No Implementation Specifications

Chino.io implementation

Our security rules and practices are documented and certified by a third-party certification institute according to the ISO 27001 standard.

The certification process includes yearly reviews by the certification institute as part of the continuous improvement strategy.

In addition, Chino.io ensures compliance with regulations such as NIS, recommendations by institutions like the Article 29 Working Party, agencies like ENISA, and security standards like OWASP. All of those entities define and constantly update security guidelines and legal requirements.

9. Business Associate Contracts and Other Arrangements

HIPAA Definition & Specifications

“A covered entity, in accordance with § 164.306 [the Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) [the Organizational Requirements] that the business associate will appropriately safeguard the information (Emphasis added).”

Implementation Specifications

  • Written Contract or other Arrangement (Required)

Chino.io implementation

Chino.io provides written contracts (Business Associate Agreements) clarifying its liabilities and duties to protect PHI, users' data and their confidentiality.

In addition, the Service Level Agreements and service availability are clearly defined in the Chino.io contract, following the best standards adopted by cloud service providers.

Physical Requirements

1. Facility Access Controls

HIPAA Definition & Specifications

§ 164.310(a)(1): “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

Implementation Specifications

  • Contingency Operations (Addressable)
  • Facility Security Plan (Addressable)
  • Access Control and Validation Procedures (Addressable)
  • Maintenance Records (Addressable)

Chino.io implementation

Chino.io does not have physical facilities.

The team has access to the cloud infrastructure only via password-protected electronic methods.

2. Workstation Use

HIPAA Definition & Specifications

§ 164.310(b): “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”

No Implementation Specifications

Chino.io implementation

Each workstation is protected by passwords, and each Chino.io employee has limited privileges which are adequate to their role and duties.

3. Workstation Security

HIPAA Definition & Specifications

§ 164.310(c): “Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”

No Implementation Specifications

Chino.io implementation

PHI is stored only on our cloud infrastructure, and always in an encrypted format. In addition, each workstation is password-protected and has limited access to the infrastructure, which minimises the possibility of breaching the perimeter.

4. Device and Media Controls

HIPAA Definition & Specifications

§ 164.310(d)(1): “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”

Implementation Specifications

  • Disposal (Required)
  • Media Re-Use (Required)
  • Accountability (Addressable)
  • Data Backup and Storage (Addressable)

Chino.io implementation

PHI is stored only on our cloud infrastructure, and always in an encrypted format.

As described in previous sections, the logging and data backup procedures apply only to access to the cloud infrastructure and data. Both functionalities are implemented according to best quality and security standards, which are certified in our ISO 9001 and 27001 procedures and documentation.

Technical Requirements

1. Access control

HIPAA Definition & Specifications

§ 164.304: Assure “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”

Implementation Specifications

  • Unique User Identification (Required)
  • Emergency Access Procedure (Required)
  • Automatic Logoff (Addressable)
  • Encryption and decryption (Addressable)

Chino.io implementation

Every user (both internal employees accessing via admin tools and application users accessing Chino.io via the API) has a unique identifier, which allows Chino.io to monitor, track and log in a non-modifiable manner the operations (read, write, update, delete, transfer rights) on data.

Each record on Chino.io is encrypted using the AES-256 encryption algorithm, while the encryption keys are stored in a separate location, following the concepts of software-based encryption modules.

One of the core features and engineering tasks of Chino.io is the indexing of certain document fields for search operations.
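The paragraph above (and the Transmission Security section, which repeats it) describes per-record AES-256 encryption with the keys held in a separate location. The Go program below is an added example of that arrangement, written for this page and not taken from Chino.io: each record gets its own random 256-bit data key, the record is sealed with AES-256-GCM under that key, and the storage layer keeps only the data key's wrapped form, which a separate KeyStore (an assumed stand-in for a real key-management service) can unwrap with its master key. The record id is bound as associated data, so a ciphertext cannot be moved onto another record unnoticed. The KeyStore type, function names and the "data-key" label are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// KeyStore stands in for the separate location holding keys: it only wraps and
// unwraps per-record data keys and never sees record contents (assumed design).
type KeyStore struct{ master []byte } // 32-byte AES-256 key-encryption key

func NewKeyStore() (*KeyStore, error) {
	k, err := randomBytes(32)
	return &KeyStore{master: k}, err // err is non-nil only if the CSPRNG failed
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-256-GCM and prefixes the random nonce to the output.
// aad is authenticated but not encrypted and must be identical on open.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(g.NonceSize())
	if err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or aad is rejected.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// The key store wraps data keys under its master key; a fixed label is bound as aad.
func (ks *KeyStore) WrapDataKey(dk []byte) ([]byte, error)   { return gcmSeal(ks.master, dk, []byte("data-key")) }
func (ks *KeyStore) UnwrapDataKey(w []byte) ([]byte, error) { return gcmOpen(ks.master, w, []byte("data-key")) }

// EncryptedRecord is all the storage layer holds: the wrapped key is useless without
// the key store and the ciphertext is useless without the data key.
type EncryptedRecord struct {
	ID         string
	WrappedKey []byte
	Ciphertext []byte
}

// EncryptRecord draws a fresh 256-bit data key for this record only, encrypts under it,
// and keeps just the wrapped key. The record id is bound as aad, so a ciphertext
// cannot later be swapped onto a different record.
func EncryptRecord(ks *KeyStore, id string, plaintext []byte) (*EncryptedRecord, error) {
	dk, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dk, plaintext, []byte(id))
	if err != nil {
		return nil, err
	}
	wk, err := ks.WrapDataKey(dk)
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{ID: id, WrappedKey: wk, Ciphertext: ct}, nil
}

// DecryptRecord asks the key store for the data key, then opens the record.
func DecryptRecord(ks *KeyStore, r *EncryptedRecord) ([]byte, error) {
	dk, err := ks.UnwrapDataKey(r.WrappedKey)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dk, r.Ciphertext, []byte(r.ID))
}
```

A per-record data key means that a leaked database dump exposes nothing without the key store, that a single record can be cryptographically erased by destroying its wrapped key, and that rotating the master key only requires re-wrapping the small data keys rather than re-encrypting every record. The searchable-field indexing the page mentions is a separate concern: indexed fields necessarily leak whatever the index needs to compare, so they deserve their own review.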

2. Audit controls

HIPAA Definition & Specifications

§ 164.312(b): “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

No Implementation Specifications

Chino.io implementation

The Chino.io service is constantly monitored by different services which detect both errors and behavioural anomalies such as potential security attacks. Real-time notifications are sent via communication channels among the team members.

3. Integrity

HIPAA Definition & Specifications

§ 164.304: Ensure “the property that data or information have not been altered or destroyed in an unauthorized manner.”

Implementation Specifications

  • Mechanism to authenticate electronic protected health information (Addressable)

Chino.io implementation

Chino.io implements and offers its customers the possibility to define and control very granular permissions over resources: documents, schemas, repositories. Permissions define CRUDA (Create, Read, Update, Delete and Administer) actions over a resource. Administer also includes transferring the rights to another Chino.io user.

This configuration allows Chino.io to track every operation on data and to demonstrate, if needed, which actions a person performed on the data.
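The CRUDA model described above, as an added Go example that is not Chino.io's code (their permission API is documented at docs.chino.io, which this page does not reproduce): an in-memory ACL keyed by resource and user, one Allowed decision point for every operation, and a Transfer that lets a holder of Administer hand rights to another user while refusing the two shortcuts that would turn rights transfer into privilege escalation, namely transferring without Administer and transferring an action the grantor does not hold itself. The type names, the resource and user ids and the ACL store are assumptions constructed for the example.

```go
package main

import "fmt"

// Action is one of the CRUDA rights. The type, names and the in-memory store below
// are assumptions for this example; Chino.io's own permission API is on docs.chino.io.
type Action string

const (
	Create     Action = "create"
	Read       Action = "read"
	Update     Action = "update"
	Delete     Action = "delete"
	Administer Action = "administer"
)

// Grant is the set of actions one user holds on one resource.
type Grant map[Action]bool

// ACL maps resource id -> user id -> Grant.
type ACL map[string]map[string]Grant

// Set assigns a grant directly, as a provisioning path would for a resource owner.
func (a ACL) Set(resource, user string, actions ...Action) {
	if a[resource] == nil {
		a[resource] = map[string]Grant{}
	}
	g := Grant{}
	for _, act := range actions {
		g[act] = true
	}
	a[resource][user] = g
}

// Allowed is the single decision point every API call goes through. No action
// implies another: Administer does not carry Read, so a rights manager cannot view PHI.
func (a ACL) Allowed(resource, user string, action Action) bool {
	return a[resource][user][action]
}

// Transfer lets a holder of Administer pass rights to another user. Two rules keep it
// from becoming an escalation path: the grantor must hold Administer on that resource,
// and may only hand over actions it holds itself.
func (a ACL) Transfer(resource, from, to string, actions ...Action) error {
	if !a.Allowed(resource, from, Administer) {
		return fmt.Errorf("%s lacks Administer on %s", from, resource)
	}
	for _, act := range actions {
		if !a.Allowed(resource, from, act) {
			return fmt.Errorf("%s cannot transfer %s, which it does not hold", from, act)
		}
	}
	g := a[resource][to]
	if g == nil {
		g = Grant{}
	}
	for _, act := range actions {
		g[act] = true
	}
	a[resource][to] = g
	return nil
}

// Revoke removes actions from a user on a resource; it also requires Administer.
func (a ACL) Revoke(resource, by, user string, actions ...Action) error {
	if !a.Allowed(resource, by, Administer) {
		return fmt.Errorf("%s lacks Administer on %s", by, resource)
	}
	for _, act := range actions {
		delete(a[resource][user], act)
	}
	return nil
}

func main() {
	acl := ACL{} // constructed sample: one document, an owner and a nurse
	acl.Set("doc-1", "owner", Create, Read, Update, Delete, Administer)
	acl.Set("doc-1", "nurse", Read)
	fmt.Println(acl.Allowed("doc-1", "nurse", Update))          // false
	fmt.Println(acl.Transfer("doc-1", "nurse", "intern", Read))  // nurse lacks Administer on doc-1
	fmt.Println(acl.Transfer("doc-1", "owner", "nurse", Update)) // <nil>
	fmt.Println(acl.Allowed("doc-1", "nurse", Update))          // true
}
```

Every Transfer and Revoke is exactly the kind of event the audit trail from the earlier sections should record, since the page's integrity claim ("which actions a person committed") depends on being able to show not just who read or changed a document but who granted them the right to do so.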

4. Person or entity authentication

HIPAA Definition & Specifications

§ 164.312(d): “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

No Implementation Specifications

Chino.io implementation

Identity management is at the core of the authentication mechanisms that Chino.io implements and offers via the API.

Authentication can be done either via the OAuth 2.0 protocol or via API keys. These are the two standard methods used by cloud providers to control access and the identity of their users.

5. Transmission Security

HIPAA Definition & Specifications

§ 164.312(e)(1): “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

Implementation Specifications

  • Integrity Controls (Addressable)
  • Encryption (Addressable)

Chino.io implementation

Chino.io implements the HTTP Strict Transport Security (HSTS) policy, which mandates the use of HTTPS-encrypted connections for each API call or operation over resources on Chino.io.

In addition, as mentioned previously, data on Chino.io is encrypted at record level using the AES-256 encryption algorithm.
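HSTS, as the paragraph above says, tells a client to use only HTTPS for a host; the Go example below is added here to show the two halves of that, and it is not Chino.io's code: a middleware that emits the Strict-Transport-Security header on TLS responses and redirects plain-HTTP requests to HTTPS (browsers ignore HSTS received over plain HTTP, so the redirect is what gets the first request onto TLS), plus a parser an auditor can run over a live endpoint's header to confirm the max-age is long enough and subdomains are included. The header value, the listen address and the certificate file names in main are constructed placeholders; the page does not state Chino.io's actual max-age.

```go
package main

import (
	"log"
	"net/http"
	"strconv"
	"strings"
)

// HSTSValue is the policy this example emits: one year, covering subdomains too.
// (A constructed value; Chino.io's actual max-age is not stated on the page.)
const HSTSValue = "max-age=31536000; includeSubDomains"

// WithHSTS wraps an API handler. On TLS requests it sets Strict-Transport-Security so
// the client refuses plain HTTP to this host until max-age expires. Plain-HTTP
// requests are redirected to HTTPS without the header, since browsers ignore it there.
// X-Forwarded-Proto is honoured only if a trusted TLS-terminating proxy sets it.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil && r.Header.Get("X-Forwarded-Proto") != "https" {
			target := "https://" + r.Host + r.URL.RequestURI()
			http.Redirect(w, r, target, http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", HSTSValue)
		next.ServeHTTP(w, r)
	})
}

// ParseMaxAge returns the max-age directive of an HSTS header value, or -1 when it
// is missing or malformed (a browser ignores such a header entirely).
func ParseMaxAge(value string) int {
	for _, d := range strings.Split(value, ";") {
		kv := strings.SplitN(strings.TrimSpace(d), "=", 2)
		if len(kv) == 2 && strings.EqualFold(strings.TrimSpace(kv[0]), "max-age") {
			n, err := strconv.Atoi(strings.TrimSpace(kv[1]))
			if err != nil || n < 0 {
				return -1
			}
			return n
		}
	}
	return -1
}

// PolicyStrongEnough is the check to run against a live endpoint's header value:
// max-age at least minSeconds and, when required, includeSubDomains present.
func PolicyStrongEnough(value string, minSeconds int, needSubdomains bool) bool {
	if ParseMaxAge(value) < minSeconds {
		return false
	}
	if !needSubdomains {
		return true
	}
	for _, d := range strings.Split(value, ";") {
		if strings.EqualFold(strings.TrimSpace(d), "includeSubDomains") {
			return true
		}
	}
	return false
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/documents", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})
	// cert.pem and key.pem are placeholder file names for this example.
	log.Fatal(http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", WithHSTS(mux)))
}
```

HSTS protects a client only after its first successful HTTPS response from the host, which is why a long max-age with includeSubDomains matters: a short or missing max-age lets the protection lapse, and a subdomain served over plain HTTP would otherwise be a way around the policy for cookies scoped to the parent domain. Run the check against every hostname that serves the API, not only the primary one.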

At Chino.io we work full time on solving these issues for you