HIPAA basics documentation

docs/.markdownlint.json

@@ -0,0 +1,4 @@
+{
+    "MD013": false,
+    "MD033": false
+}

docs/requirements/industry/hipaa/overview.md

@@ -0,0 +1,13 @@
+# Overview
+
+## What is HIPAA?
+
+HIPAA is a U.S. regulation that gives patients greater access to their own medical records and more control over how their personally identifiable health information is used. The regulation also addresses the obligations of healthcare providers and health plans to protect health information.
+
+## What is PHI?
+
+PHI stands for Protected Health Information and it includes data elements that can be used within a data set to identify an individual and disclose their medical records and/or health related financial history.
+
+## What is HIPAA compliance?
+
+In order to be HIPAA compliant, entities such as health care providers or employers that manage PHI, and providers of services to these entities, must ensure that technical, physical and administrative safeguards are in place and adhered to, in order to protect the integrity of PHI. They are also required to follow specific procedures if the integrity of PHI is breached.

docs/requirements/industry/hipaa/phi.md

@@ -0,0 +1,35 @@
+# Protected Health Information
+
+## PHI data types
+
+The 18 different types of data elements that are considered PHI identifiers are:
+
+1. Names or part of names
+1. Geographical identifiers
+1. Phone numbers
+1. Email addresses
+1. Medical record numbers
+1. Account numbers
+1. Vehicle license plate numbers
+1. Web URLs
+1. Fingerprints, retinal and voice prints
+1. Any other unique identifying characteristic
+1. Dates directly related to an individual
+1. Fax numbers
+1. Social Security numbers
+1. Health insurance beneficiary numbers
+1. Certificate or license numbers
+1. Device identifiers and serial numbers
+1. IP addresses
+1. Full face or any comparable photographic images
+
+Source: [https://www.hipaajournal.com/considered-phi-hipaa](https://www.hipaajournal.com/considered-phi-hipaa/)
+
+## Deidentifying PHI
+
+The PHI deidentification guidance specifies two different approaches:
+
+1. *Expert determination* applies supervised statistical methods to review the data and confirm whether individuals would be identifiable from the data.
+1. *Safe harbor* removes all data of the 18 PHI types, thus making re-identification impossible as per HIPAA definition.
+
+Source: [https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html](https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html)

docs/requirements/industry/hipaa/source-material.md

@@ -0,0 +1,29 @@
+# Source material
+
+## PHI identifiers
+
+1. Names
+2. Geographical subdivisions smaller than a State (see [Identifiers list](#identifiers-list) for details)
+3. Dates directly related to an individual (see [Identifiers list](#identifiers-list) for details)
+4. Phone numbers
+5. Fax numbers
+6. E-mail addresses
+7. Social Security numbers
+8. Medical record numbers
+9. Health plan beneficiary numbers
+10. Account numbers
+11. Certificate/license numbers
+12. Vehicle identifiers and serial numbers, including license plate numbers
+13. Device identifiers and serial numbers
+14. URLs
+15. IP address numbers
+16. Biometric identifiers, including finger and voice prints
+17. Full face photographic images and any comparable images
+18. Any other unique identifying number, characteristic, or code
+
+## Links
+
+* <a name="hipaa-site">[HIPAA official site](https://hipaa.com/)</a>
+* <a name="identifiers-list">[List of identifiers](https://cphs.berkeley.edu/hipaa/hipaa18.html)</a>
+* <a name="compliance-checklist">[HIPAA compliance checklist](https://www.hipaajournal.com/hipaa-compliance-checklist/)</a>
+* <a name="deidentification-guidance">[Deidentification guidance](https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html)</a>