hipaa-compliance (verified)

HIPAA compliance planning for healthcare applications including PHI handling, safeguards, BAAs, and risk assessments

Repository: melodic-software/claude-code-plugins (Verified Org, 13 stars)
Plugin: compliance-planning
Path: plugins/compliance-planning/skills/hipaa-compliance/SKILL.md
Last Verified: January 21, 2026

Install (add-skill CLI):
npx add-skill https://github.com/melodic-software/claude-code-plugins/blob/main/plugins/compliance-planning/skills/hipaa-compliance/SKILL.md -a claude-code --skill hipaa-compliance

Installation path (claude-code agent): .claude/skills/hipaa-compliance/

Instructions

# HIPAA Compliance Planning

Comprehensive guidance for Health Insurance Portability and Accountability Act compliance before development begins.

## When to Use This Skill

- Building systems that handle Protected Health Information (PHI)
- Designing healthcare applications, patient portals, or medical devices
- Integrating with healthcare providers, payers, or clearinghouses
- Establishing Business Associate relationships
- Conducting HIPAA security risk assessments

## HIPAA Fundamentals

### Key Entities

| Entity Type | Definition | Requirements |
|-------------|------------|--------------|
| **Covered Entity** | Healthcare providers, health plans, clearinghouses | Full HIPAA compliance |
| **Business Associate** | Entities handling PHI on behalf of covered entities | BAA + compliance |
| **Subcontractor** | Business associates of business associates | BAA chain |

### The Three Rules

```text
1. Privacy Rule - Who can access PHI and how it can be used/disclosed
2. Security Rule - How to protect electronic PHI (ePHI)
3. Breach Notification Rule - How to respond to unauthorized disclosures
```

## Protected Health Information (PHI)

### 18 HIPAA Identifiers

When combined with health information, these become PHI:

```text
1.  Names
2.  Geographic data smaller than state
3.  Dates (except year) related to the individual
4.  Phone numbers
5.  Fax numbers
6.  Email addresses
7.  Social Security numbers
8.  Medical record numbers
9.  Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers
17. Full-face photographs
18. Any other unique identifying number/code
```

### De-identification Methods

**Safe Harbor Method:**
Remove all 18 identifiers, and the covered entity has no actual knowledge that the remaining data could identify the individual.

**Expert Determination:**
A qualified expert (typically a statistician) determines and documents that the risk of re-identification is very small.
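
The Safe Harbor method is mechanical enough to enforce in code. The following is an added example (not part of the original skill or the melodic-software plugin) that applies identifier removal to a structured patient record before it leaves the PHI boundary: direct identifier fields are dropped, dates are generalised to year, identifier-shaped substrings are scrubbed from free text, and a post-condition check reports anything still present. Field names, regex patterns, the reference year, and the sample record are all constructed for illustration. It goes one step beyond the list above by applying the Safe Harbor rule that years indicative of age over 89 are aggregated into a single "90+" bucket.

```python
"""Safe Harbor style de-identification of a structured patient record (added example)."""
import re
from datetime import date
from typing import Any

# Record fields that map onto Safe Harbor identifier categories (constructed names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip",            # names, geography smaller than state
    "phone", "fax", "email",                    # contact identifiers
    "ssn", "mrn", "beneficiary_id", "account",  # SSN, MRN, plan and account numbers
    "license", "vin", "device_serial",          # certificate/license, vehicle, device ids
    "url", "ip", "biometric", "photo",          # URLs, IPs, biometrics, photographs
}

# Date fields are generalised to year only; birth dates additionally get the over-89 rule.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
BIRTH_DATE_FIELDS = {"dob"}

# Identifier shapes that leak into free text such as clinical notes (constructed patterns).
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def scrub_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier-shaped substrings with a tag; return the text and hit categories."""
    hits: list[str] = []
    for category, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            hits.append(category)
            text = pattern.sub(f"[{category.upper()} REMOVED]", text)
    return text, hits


def deidentify(record: dict[str, Any], reference_year: int) -> tuple[dict[str, Any], list[str]]:
    """Apply Safe Harbor removal to one record.

    Returns the de-identified record plus an audit list of every field dropped,
    generalised or scrubbed, so the transformation can be reviewed.
    """
    out: dict[str, Any] = {}
    audit: list[str] = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            audit.append(f"dropped:{key}")
            continue
        if key in DATE_FIELDS:
            year = value.year if isinstance(value, date) else int(str(value)[:4])
            # Safe Harbor: a year that implies age over 89 is itself identifying.
            if key in BIRTH_DATE_FIELDS and reference_year - year > 89:
                out[key] = "90+"
            else:
                out[key] = year
            audit.append(f"generalised:{key}")
            continue
        if isinstance(value, str):
            cleaned, hits = scrub_text(value)
            out[key] = cleaned
            audit.extend(f"scrubbed:{key}:{h}" for h in hits)
            continue
        out[key] = value
    return out, audit


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """Post-condition check: list identifier fields or patterns still present in a record."""
    found = [f"field:{k}" for k in record if k in DIRECT_IDENTIFIER_FIELDS]
    for key, value in record.items():
        if isinstance(value, str):
            found.extend(f"pattern:{key}:{c}" for c, p in FREE_TEXT_PATTERNS.items() if p.search(value))
    return found


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0001",
    "name": "Jane Example",
    "zip": "02139",
    "dob": date(1950, 7, 4),
    "email": "jane@example.com",
    "diagnosis": "Type 2 diabetes",
    "note": "Patient called from 555-123-4567; follow-up email j.doe@example.com on 2024-03-05.",
}

if __name__ == "__main__":
    clean, audit = deidentify(SAMPLE_RECORD, reference_year=2026)
    print(clean)
    print(audit)
    print("residual identifiers:", residual_identifiers(clean))
```

The audit list is what you would retain as evidence for a risk assessment; the `residual_identifiers` check is the guard that should fail the pipeline rather than the human reviewer. Regex scrubbing of free text only catches identifier shapes, so names and other unpatterned identifiers in notes still need a dedicated approach (or the Expert Determination route).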

```csharp
// D
```