gbrain: sync converted org-mode brain files
This commit is contained in:
Hermes
44
ideas/compliance/hipaa.org
Normal file
44
ideas/compliance/hipaa.org
Normal file
@@ -0,0 +1,44 @@
|
||||
:PROPERTIES:
|
||||
:ID: auto-hipaa
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title: HIPAA (Health Insurance Portability and Accountability Act)
|
||||
#+filetags: :passepartout:compliance:framework:hipaa:
|
||||
|
||||
* HIPAA (Health Insurance Portability and Accountability Act)
|
||||
|
||||
** What it is
|
||||
|
||||
US federal law enacted 1996. Governs how protected health information (PHI)
|
||||
is stored, transmitted, and accessed. Two relevant rules:
|
||||
|
||||
- **Privacy Rule:** controls use and disclosure of PHI. Patients have rights
|
||||
to access, amend, and request accounting of disclosures. Minimum necessary
|
||||
standard — only the minimum PHI needed for the task may be used.
|
||||
- **Security Rule:** administrative, physical, and technical safeguards for
|
||||
electronic PHI (ePHI). Requires access controls, audit controls, integrity
|
||||
controls, person/entity authentication, and transmission security.
|
||||
|
||||
** Who must comply
|
||||
|
||||
Covered entities (health plans, healthcare clearinghouses, healthcare providers
|
||||
who transmit any ePHI) and business associates (any vendor handling PHI on behalf
|
||||
of a covered entity). Business Associate Agreements (BAAs) are mandatory.
|
||||
|
||||
** Penalties
|
||||
|
||||
Tiered civil penalties: $100-$50,000 per violation, up to $1.5M per year per
|
||||
violation category. Criminal penalties for knowing misuse (up to 10 years
|
||||
imprisonment). State AGs can also bring civil actions.
|
||||
|
||||
** Why it matters for the triad
|
||||
|
||||
HIPAA is the largest single compliance market in US healthcare — every hospital,
|
||||
clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]]
|
||||
($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate
|
||||
constraints. Every PHI access attempt passes through the gate stack, producing
|
||||
a machine-checkable audit trail that satisfies the Security Rule's audit control
|
||||
requirement automatically. No separate logging infrastructure needed. Over a
|
||||
five-year deployment, the accumulated fact store and proof history create
|
||||
[[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it.
|
||||
|
||||
Reference in New Issue
Block a user