More and more, consumers are relying on technology to manage their health-related needs. As a response to this trend, an increasing number of startups are launching new health tech products; the digital health tech space is projected to reach $456.9 billion by 2026 (Global Industry Analytics).
What can you do to stay relevant and position yourself as a leader in an increasingly competitive market? One critical piece involves assuring your customers that their information is secure as it is transmitted across your platform. This is where HIPAA compliance comes in. As detailed below, it's a legal requirement, but it's much more than that. Meeting HIPAA compliance also helps strengthen customers’ trust in your services by enhancing transparency around the security of your systems. That said, the road to compliance can seem winding and obstacle-filled, with the complexities causing confusion around where to start, how to organize information, who’s a Covered Entity and who’s not—the list goes on and on. Such confusion can result in even more lost time, frustrated staff, and ultimately a greater risk of HIPAA violations for your organization (which means a greater risk of lost revenue).
With all this in mind, we put together this resource to help clear up some of the mystery about HIPAA and set you on a smooth path to compliance.
Whether HIPAA applies to you is actually quite straightforward—in a nutshell, if your product handles electronic protected health information, or ePHI, then you need to worry about HIPAA—but some of the terminology makes the details around compliance harder to decipher. If your organization is considered a Covered Entity or a Business Associate of a Covered Entity, you need to worry about HIPAA. But what’s a Covered Entity? And how do you know if you’re considered a Business Associate?
We’ll start with Covered Entities. A Covered Entity, by HIPAA definition, is an individual or organization that transmits any information in an electronic form in connection with a transaction for which HHS has adopted a standard. Put more simply, you’re a covered entity if you choose to submit or receive transactions electronically that are covered under HHS’s Electronic Transactions Standards. Covered Entities may be healthcare providers, health plans, or healthcare clearinghouses.
Often, healthcare providers and health plans do not actually carry out healthcare functions by themselves; instead, they use the services of another person or business entity. Such persons or entities are referred to as Business Associates. Business Associates, as well as any subcontractors they may work with, are bound by the same HIPAA Rules as Covered Entities.
Still uncertain? CMS.gov provides a tool to determine whether you’re a Covered Entity.
HIPAA compliance means the flow of ePHI to, from, and within your product has been assessed and deemed secure with regard to protecting the privacy of users’ information. It also means you have documented policies and procedures, and your employees complete annual training and attestation on those policies and procedures.
For the startup, HIPAA compliance is more than just a legal mandate; it serves as evidence to your customers that protecting their privacy is a priority, ultimately helping to build trust that can take companies years to realize.
If this all sounds similar to SOC 2, it is. There is significant overlap between the two compliance standards, so if you’re pursuing (or have already met the requirements for) SOC 2, you’re already a large portion of the way there. However, the HIPAA Security Rule (detailed below) requires a number of additional controls.
The HHS Office of Inspector General (OIG) created the Seven Elements of an Effective Compliance Program to help organizations assess their compliance. This list represents the minimum requirements, but it serves as a good bare-bones starting point for building your compliance program.
The Seven Fundamental Elements of an Effective Compliance Program:
When you invest in obtaining HIPAA compliance, you’re communicating to your customers (and potential customers) that you care about their privacy and can be trusted; it truly is that simple. Building that trust with potential customers is essential to them becoming loyal customers and even evangelists for your brand, resulting in more revenue. Achieving compliance serves as proof that you have taken the steps to protect your customers’ information. Breaches may still occur, but having taken those steps makes them far less detrimental to your business.
From a revenue standpoint, prioritizing HIPAA compliance now can save you money later; non-compliance fines can be very expensive, consuming money that could otherwise be used to expand your employee base and grow your business. Responding to a HIPAA complaint also takes time; if a complaint is filed against you, you’ll need to supply documentation to the OCR (Office for Civil Rights—the department that enforces the HIPAA Privacy & Security Rules), including but not limited to your company’s policies and procedures and risk assessment information. Gathering all of this obviously consumes staff time, not to mention the added stress of the complaint itself. By prioritizing HIPAA compliance, you can spare yourself this resource strain, stress, and of course the risk of steep monetary penalties that could ultimately cripple your business (up to $50,000 per violation).
Actual requirements for HIPAA compliance depend on the size and details of your business and products. Regardless, a good first step is to become familiar with the HIPAA Privacy Rule, as well as the Security Rule, which is limited to ePHI. The Privacy Rule is the portion of HIPAA that actually requires covered entities and their business associates to establish appropriate safeguards for protecting the privacy of PHI. The HHS.gov website provides an exhaustive summary of the Rule; we’ve outlined below some of the key elements you should be aware of, but we urge you to review it in greater detail.
The Privacy Rule protects videos, images, and any other information containing identifiable health information, including but not limited to the individual’s past, present, or future health or condition, as well as common identifiers such as name, address, date of birth, and Social Security number. It also outlines the circumstances in which an individual’s ePHI may be used or disclosed. These include:
Any other disclosures of PHI require the covered entity to obtain written authorization prior to the disclosure.
The Security Rule lays out administrative, physical, and technical safeguards pertaining to ePHI. These safeguards are explained below:
A covered entity must:
A covered entity must:
A covered entity must:
Note that covered entities are required to comply with every Security Rule “Standard”; however, certain implementation specifications are deemed “addressable,” while others are “required.” The “required” implementation specifications must be implemented. “Addressable” does not mean optional; however, covered entities may determine whether the addressable implementation specification is reasonable and appropriate. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if that alternative measure is deemed reasonable and appropriate. (HHS.gov)
Already familiar with the Privacy and Security Rules? Assigning a Security Officer—someone charged with developing and implementing security policies and procedures for your organization—is a critical second step in meeting compliance requirements (or a first step, since you could then simply pass the material above along to them!).
The time it takes to achieve HIPAA compliance depends largely on the size, scope, and complexity of your business and product(s), and on how much documentation you already have in place. It also depends on whether you have someone from your organization assigned as a Security Officer to oversee the implementation of the administrative, physical, and technical safeguards of the Security Rule (and another person assigned as a Privacy Officer to develop your compliance program).
Once these things are in place, it should take on average around six weeks (again, depending on a number of factors related to your organization) to become HIPAA compliant.
Regardless of where you are in the HIPAA compliance process, you can get started with Strike Graph’s platform immediately. Contact us to learn more about how Strike Graph can help your journey to compliance run more smoothly, easily, and quickly.