Any startup that works with a United States healthcare organisation of any kind must be able to demonstrate HIPAA compliance. HIPAA, the Health Insurance Portability and Accountability Act, enacted in US law in 1996, requires anyone who touches the protected health information of users to protect the privacy and security of that data appropriately. Done properly, demonstrating HIPAA compliance will have benefits for the entire organisation.
Under HIPAA, protected health information (PHI) is any health information that can be tied to an individual: health information such as a diagnosis, treatment information, test results, or prescriptions, combined with information that identifies the patient, such as their name, location, contact details, payment details, and more. Conversely, once the identifiers are removed, the data is no longer restricted under HIPAA.
HIPAA is designed to protect user health information held in electronic systems. HIPAA’s compliance requirements are set out in a series of rules:
The HIPAA Privacy Rule sets out requirements for appropriate safeguards to protect patient privacy and limits the uses of this information without the patient's explicit consent. The Privacy Rule also gives patients the right to request their own data.
The HIPAA Security Rule sets out requirements for administrative, physical, and technical safeguards to protect the confidentiality, integrity, and security of PHI. These safeguards include risk analysis and management, employee training and discipline, security policies (including incident response policies), physical security protections, encryption, access control and authentication, and more.
The HIPAA Breach Notification Rule defines breaches and sets out requirements for organisations in the event of a breach.
The HIPAA Enforcement Rule sets out how HIPAA will be enforced, including monetary penalties for violations of the rules.
HIPAA applies to anyone who routinely handles (stores, transfers, or processes) protected health information (PHI) belonging to US citizens. This includes the ‘business associates’ of healthcare organisations, including software development companies that develop products or provide services for the healthcare providers HIPAA defines as ‘covered entities’.
As business associates, startups must demonstrate to their customers that they are HIPAA compliant. Failure to demonstrate this compliance exposes the company to the risk of a fine under HIPAA.
HIPAA certification is not required by law, but it has practical benefits for organisations, because it requires them to consider security risk and to implement policies, procedures, and controls to protect PHI.
HIPAA compliance for startups can be demonstrated in two ways: a point-in-time HIPAA compliance audit and accreditation by a third-party auditor (which has no legal standing); or recognition that the organisation’s workforce has achieved a level of HIPAA knowledge and of compliance with the organisation’s security policies and procedures.
Startups that are defined as business associates under HIPAA may choose to undergo a third-party HIPAA compliance audit to confirm that their products, services, policies, and procedures meet HIPAA’s standards.
It is important to note that a compliance verification does not remove the obligation to remain HIPAA compliant afterwards, and does not guarantee that the organisation will not later be found to have committed a security violation.
While the route to compliance is not prescribed, the HHS Office of Inspector General has set out seven elements of an effective compliance programme, which provide the skeleton for a HIPAA compliance programme. HIPAA compliance companies use these seven elements to assess HIPAA compliance for startups.
Auditors will look for evidence that the administrative, technical, and physical safeguards specified in the HIPAA Security Rule have been addressed. Because these safeguard areas are defined in general terms, many organisations find that a framework such as ISO 27001 provides helpful guidance on concrete controls.
Administrative safeguards: Risk analysis and management; Sanctions for employees who don’t comply with policies; Regular review of system activity; PHI access rights; Awareness and training (password controls, log-in monitoring, training reminders); Incident protocols; and Contingency planning
Physical safeguards: Office/facility access; Office/facility security; Device/computer security and access; and Physical PHI storage (device disposal, data backup, etc.)
Technical safeguards: Unique user identification; Automatic log-off; Encryption and decryption; Auditing app and backend activity; MFA and other authentication; and Integrity controls
In addition, organisations must be able to show that they have a full set of relevant security policies in place, and they may be asked to produce evidence of security risk analysis activity, asset and device audits, and even a HITECH Subtitle D audit. They will also be required to show that they have remediation processes in place to address any gaps discovered during the audit.
Organisations must designate a compliance officer who takes overall responsibility for achieving HIPAA compliance. This officer must be supported by a group of other key figures across the organisation who oversee the compliance officer’s work and are also in a position to lead the necessary security culture across the organisation.
HIPAA places a strong emphasis on employees’ responsibilities for protecting PHI. Organisations aiming for HIPAA compliance will need to demonstrate that employees are well trained in their security responsibilities, that they understand the security policies and procedures in place, and that they follow them.
Organisations are required to maintain effective lines of communication with suppliers and customers so that the entire supply chain has effective security controls in place for HIPAA compliance. This includes HIPAA Business Associate Agreements between the startup and the relevant covered entity, or between different organisations along the supply chain.
The organisation must be able to demonstrate that it monitors the success of its security programme and that it audits systems and processes to confirm that they meet the organisation’s needs. HIPAA guidance does not specify how organisations should demonstrate this, but one way to demonstrate the effectiveness of the programme and to verify that all systems are in compliance is a thorough security assessment.
Furthermore, the organisation is required to carry out a documentation audit to ensure that the documentation required by HIPAA is maintained and accurate.
As mentioned in element 3 above, HIPAA places great emphasis on employees’ responsibilities for protecting health information. Here, organisations are expected to demonstrate that security responsibilities are reflected in employee contracts and in the associated disciplinary policies and guidelines, which must make clear to all employees that failure to follow security policies will result in disciplinary action.
The organisation must have an incident response plan which contains procedures for responding effectively to a data breach or other reportable HIPAA violation.
HIPAA compliance for startups may feel like a long journey, but it is a necessary one for any startup that works with a US-based organisation involved in any part of the healthcare system.
The important thing is to take it step by step and to engage outside help if required. In addition, answering the questions that HIPAA asks can help the organisation become more secure overall, ultimately improving its standing with customers across all sectors.
Stay safe