Go to the website of any startup company in the health sector and you will see claims of HIPAA compliance. It’s the Holy Grail of privacy and security as it relates to health information.
It is essential for marketing health information technology products and services in the United States. But are you really HIPAA compliant, and what does it take to achieve that ambitious goal?
HIPAA stands for the Health Insurance Portability and Accountability Act, a piece of Clinton-era legislation passed in 1996. It was designed to modernize the US health insurance industry by promoting the use of information technology in healthcare. HIPAA was augmented in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act that further promoted the adoption and meaningful use of health information technology.
US lawmakers recognized that concerns about privacy and security would be significant barriers to the adoption of technology in the health sector. In response, they enacted Privacy and Security Rules as part of HIPAA’s Administrative Simplification Regulations. Under HITECH, the Privacy and Security Rules were strengthened, and two new rules, Breach Notification and Enforcement, were added.
The HIPAA rules are not for the faint of heart. Together, the Privacy, Security and Breach Notification Rules fill 57 pages in 10-point font. They are much more prescriptive than privacy laws here in Canada and other countries.
HIPAA applies to Covered Entities, which include healthcare providers, health plans, and healthcare clearinghouses. This is similar (but not identical) to the role of Health Information Custodian in Canada. HIPAA also applies to Business Associates, companies contracted by Covered Entities to process Protected Health Information (PHI) on their behalf. This is similar (but not identical) to the roles of Health Information Manager or Electronic Service Provider in Canada.
Under most circumstances, startup and scale-up companies developing and selling healthcare apps would be considered Business Associates and would be required to enter into a Business Associate Agreement (BAA) with the Covered Entity. The app developer also requires BAAs with its subcontractors and suppliers who process PHI on behalf of the Business Associate and Covered Entity. This creates a daisy-chain of accountability that extends from the Covered Entity to all Business Associates handling PHI.
The HIPAA Privacy Rule establishes national standards to protect PHI. It defines the privacy rights of individuals and specifies the authorized uses and disclosures of PHI. The Privacy Rule applies principally to Covered Entities. However, Privacy Rules can be passed down to Business Associates through a BAA.
The HIPAA Security Rule mandates the security of electronic PHI (ePHI). It sets standards for the administrative, physical and technical safeguards needed to protect ePHI. The Security Rule applies to both Covered Entities and Business Associates.
The HIPAA Breach Notification Rule requires Covered Entities to notify affected individuals, Health and Human Services and, in some cases, the media of any breach of unsecured PHI. Where Business Associates detect a breach or suspected breach, they are required to notify the affected Covered Entities and support the identification of the individuals to be notified.
The HIPAA Enforcement Rule stems from the HITECH Act, which substantially expanded the scope of the HIPAA Privacy and Security Rules and increased both the reach of HIPAA enforcement and the penalties for violations.
Are you HIPAA compliant? In my experience working with startup and scale-up companies, the answer for most is “no”. Many startup executives believe that because they have engaged a HIPAA compliant cloud service provider, they too are HIPAA compliant. This is not true. While engaging a reputable cloud service provider gives small companies a head start towards compliance, there is still much to do.
Your cloud service provider can help you meet many of the physical and technical requirements of the HIPAA Security Rule, such as secure data centers and networks. However, the startup company remains responsible for administrative safeguards such as policies and procedures, risk management, monitoring and audit, and for application security such as access control. The cloud service provider offers little or no support for the Privacy Rule requirements passed down to you through the BAA.
Unfortunately, there are no established certification programs for HIPAA compliance. Some certification regimes, such as SOC 2 and HITRUST, offer HIPAA compliance as an extension of their certification activities. Many of the larger cloud service providers have taken this route to demonstrate compliance. In most cases, claims of HIPAA compliance by small and medium-sized companies are self-attestations based on subjective assessments.
At Privacy Horizon, we have developed a comprehensive HIPAA Readiness Assessment Tool for startup and scale-up companies to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules and to establish a roadmap towards compliance.
For Canadian startup and scale-up companies marketing and selling products and services in the United States, compliance with the HIPAA Privacy, Security, and Breach Notification Rules is a fact of life. But it shouldn’t be compliance for compliance’s sake. Compliance with the rules really means that companies are reducing the risk of privacy and security breaches and ensuring that critical PHI is available where and when it is needed for healthcare purposes. These are good things for the company, its customers, and the patients and clients they serve.