5 Things Startups Need to Know About HIPAA Compliance

More and more, consumers are relying on technology to manage their health-related needs. In response to this trend, an increasing number of startups are launching new health tech products; the digital health tech space is projected to reach $456.9 billion by 2026 (Global Industry Analytics).

What can you do to stay relevant and position yourself as a leader in an increasingly competitive market? One critical piece is assuring your customers that their information is secure as it moves through your platform. This is where HIPAA compliance comes in. As detailed below, it's a legal requirement, but it's much more than that. Achieving HIPAA compliance also strengthens customers' trust in your services by increasing transparency around the security of your systems. That said, the road to compliance can seem winding and obstacle-filled, with the complexities causing confusion around where to start, how to organize information, who is a Covered Entity and who is not, and so on. Such confusion costs time, frustrates staff, and ultimately puts your organization at greater risk of HIPAA violations (and therefore at greater risk of lost revenue).

With all this in mind, we put together this resource to help clear up some of the mystery about HIPAA and set you on a smooth path to compliance.

How Do I Know If I Need to Worry About HIPAA?

The answer is actually quite straightforward: in a nutshell, if your product handles electronic protected health information (ePHI), you need to worry about HIPAA. Some of the terminology, however, makes the details of compliance harder to decipher. Formally, if your organization is a Covered Entity or a Business Associate of a Covered Entity, HIPAA applies to you. But what is a Covered Entity? And how do I know if I'm considered a Business Associate?

We'll start with Covered Entities. A Covered Entity, by HIPAA's definition, is an individual or organization that transmits any information in electronic form in connection with a transaction for which HHS has adopted a standard. Put more simply, you are a Covered Entity if you submit or receive transactions electronically that are covered under HHS's Electronic Transactions Standards. Covered Entities may be healthcare providers, health plans, or healthcare clearinghouses.

Often, healthcare providers and health plans do not carry out all of their healthcare functions by themselves; instead, they use the services of another person or business entity. Such persons or entities are referred to as Business Associates. Business Associates, as well as any subcontractors they work with, are bound by the same HIPAA Rules as Covered Entities.

Still uncertain? CMS.gov provides a tool to determine whether you’re a Covered Entity.

What Does Compliance Actually Mean, for a Startup?

HIPAA compliance means the flow of ePHI to, from, and within your product has been assessed and deemed secure with regard to protecting the privacy of users' information. It also means you have documented policies and procedures, and that your employees complete annual training on those policies and procedures and attest to having done so.

For the startup, HIPAA compliance is more than just a legal mandate; it serves as evidence to your customers that protecting their privacy is a priority, ultimately helping to build trust that can take companies years to realize.

If this all sounds similar to SOC 2, it is. There is significant overlap between the two compliance standards, so if you’re pursuing (or have already met the requirements for) SOC 2, you’re already a large portion of the way there. However, the HIPAA Security Rule (detailed below) requires a number of additional controls.

The HHS Office of Inspector General (OIG) created the Seven Elements of an Effective Compliance Program to help organizations assess their compliance. This list should be considered the minimum requirements, but it serves as a good bare-bones starting point for building your compliance program.

The Seven Fundamental Elements of an Effective Compliance Program:

  1. Implementing written policies, procedures, and standards of conduct.
  2. Designating a compliance officer and compliance committee.
  3. Conducting effective training and education.
  4. Developing effective lines of communication.
  5. Conducting internal monitoring and auditing.
  6. Enforcing standards through well-publicized disciplinary guidelines.
  7. Responding promptly to detected offenses and undertaking corrective action.

How Does HIPAA Compliance Help Me?

When you invest in obtaining HIPAA compliance, you're communicating to your customers (and potential customers) that you care about their privacy and can be trusted; it truly is that simple. Building that trust with potential customers is essential to them becoming loyal customers and even evangelists for your brand, resulting in more revenue. Achieving compliance serves as proof that you have taken the steps to protect your customers' information. Breaches may still occur, but having taken those steps makes them far less detrimental to your business.

From a revenue standpoint, prioritizing HIPAA compliance now can save you money later; non-compliance fines can be very expensive, taking money that could otherwise be used to expand your employee base and grow your business. Responding to a HIPAA complaint also takes time; if a complaint is filed against you, you'll need to supply documentation to the OCR (the Office for Civil Rights, the department that enforces the HIPAA Privacy and Security Rules), including but not limited to your company's policies and procedures and risk assessment information. Gathering all of this consumes resources, not to mention the added stress of the complaint itself. By prioritizing HIPAA compliance, you can save yourself this resource strain and stress, and of course reduce the risk of steep monetary penalties (up to $50,000 per violation) that could ultimately cripple your business.

Where and How Do I Get Started?

The actual requirements for HIPAA compliance depend on the size and details of your business and products. A good first step, regardless, is to become familiar with the HIPAA Privacy Rule, as well as the Security Rule, which is limited to ePHI. The Privacy Rule is the portion of HIPAA that requires covered entities and their business associates to establish appropriate safeguards for protecting the privacy of PHI. The HHS.gov website provides an exhaustive summary of the Rule; we've outlined below some of the key elements you should be aware of, but we urge you to review it in greater detail.

The Privacy Rule protects videos, images, and any other material containing individually identifiable health information, including but not limited to an individual's past, present, or future health or condition, as well as common identifiers such as name, address, date of birth, and Social Security number. It also outlines the circumstances in which an individual's ePHI may be used or disclosed. These include:

  • When requested to do so by court orders, court-ordered warrants, subpoenas, and administrative requests
  • To facilitate treatment, payment, or healthcare operations

Any other disclosures of PHI require the covered entity to obtain written authorization prior to the disclosure.

The Security Rule lays out administrative, physical, and technical safeguards pertaining to ePHI. These safeguards are explained below:

Administrative Safeguards

A covered entity must:

  • Identify and analyze potential risks to ePHI, and implement security measures to reduce such risks to a reasonable level.
  • Designate a security official for developing and implementing policies and procedures related to security.
  • Implement policies and procedures for authorizing role-based access to ePHI when such access is appropriate.
  • Provide for appropriate authorization and supervision of workforce members who work with ePHI. A covered entity must also train all workforce members regarding security policies and procedures, and have and apply appropriate sanctions against members who violate its policies and procedures.
  • Perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

Physical Safeguards

A covered entity must:

  • Limit physical access to its facilities while ensuring authorized access.
  • Implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity must also implement policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, ensuring appropriate protection of ePHI.

Technical Safeguards

A covered entity must:

  • Implement technical policies and procedures that allow only authorized persons to access ePHI.
  • Implement hardware, software, and/or procedural mechanisms to record and examine access and activity in information systems that contain or use ePHI.
  • Implement policies and procedures, and confirm with electronic measures, to ensure that ePHI is not improperly altered or destroyed.
  • Implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network.

Note that covered entities are required to comply with every Security Rule "Standard"; however, certain implementation specifications are deemed "addressable," while others are "required." The "required" implementation specifications must be implemented. "Addressable" does not mean optional; rather, covered entities may determine whether the addressable implementation specification is reasonable and appropriate for their environment. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, provided that alternative measure is deemed reasonable and appropriate. (HHS.gov)

Already familiar with the Privacy and Security Rules? Assigning a Security Officer, someone charged with developing and implementing security policies and procedures for your organization, is a critical second step in meeting compliance requirements (or a first step, since you could then simply pass the above along to them!).

How Long Will This Take?

The time it takes to achieve HIPAA compliance depends largely on the size, scope, and complexity of your business and product(s), and on how much documentation you already have in place. It also depends on whether you have someone in your organization assigned as a Security Officer to oversee the implementation of the administrative, physical, and technical safeguards of the Security Rule (and another assigned as a Privacy Officer to develop your compliance program).

Once these things are in place, it should take on average around six weeks (again, depending on a number of factors related to your organization) to become HIPAA compliant.

Regardless of where you are in the HIPAA compliance process, you can get started with Strike Graph’s platform immediately. Contact us to learn more about how Strike Graph can help your journey to compliance run more smoothly, easily, and quickly.
