More and more, consumers are relying on technology to manage their health-related needs. As a response to this trend, an increasing number of startups are launching new health tech products; the digital health tech space is projected to reach $456.9 billion by 2026 (Global Industry Analytics).

What can you do to stay relevant and position yourself as a leader in an increasingly competitive market? One critical piece involves ensuring your customers that their information is secure as it is transmitted across your platform. This is where HIPAA compliance comes in. As detailed below, it's a legal requirement, but it's much more than that.

Meeting HIPAA compliance also helps strengthen customers’ trust in your services by enhancing transparency around the security of your systems. That said, the road to compliance can seem winding and obstacle-filled, with the complexities causing confusion around where to start, how to organize information, who’s a covered entity and who’s not—the list goes on and on. Such confusion can result in even more time lost, frustrated resources, and ultimately, put your organization at a greater risk of HIPAA violations (which means a greater risk of lost revenue).

With all this in mind, we put together this resource to help clear up some of the mystery about HIPAA and set you on a smooth path to compliance.

How do I know if I need to worry about HIPAA?

The answer is actually quite straightforward — in a nutshell, if your product handles electronic protected health information, or ePHI, then you need to worry about HIPAA — but some of the terminology makes the details around compliance harder to decipher. If your organization is considered a covered entity or a business associate of a covered entity, you need to worry about HIPAA. But what’s a covered entity? And how do I know if I’m considered a business associate?

We’ll start with covered entities. A covered entity, by HIPAA definition, is an individual or organization that transmits any information in an electronic form in connection with a transaction for which HHS has adopted a standard. Put more simply, you’re a covered entity if you choose to submit or receive transactions electronically that are covered under HHS’s Electronic Transactions Standards. Covered Entities may be healthcare providers, health plans, or healthcare clearinghouses.

Often, healthcare providers and health plans do not actually carry out healthcare functions by themselves. Instead, they use the services of another person or business entity. Such persons or entities are referred to as business associates. business associates, as well as any subcontractors they may work with, are bound by the same HIPAA rules as covered entities.

Still uncertain? CMS.gov provides a tool to determine whether you’re a covered entity.

What does compliance actually mean for a startup?

HIPAA compliance means the flow of ePHI to, from, and within your product has been assessed and deemed to be secure in regards to protecting the privacy of users’ information. It also means you have documented policies and procedures, and your employees complete annual training and attestation on these policies and procedures.  

For the startup, HIPAA compliance is more than just a legal mandate. It serves as evidence to your customers that protecting their privacy is a priority, ultimately helping to build trust that can take companies years to realize.

If this all sounds similar to SOC 2, it is. There is significant overlap between the two compliance standards, so if you’re pursuing (or have already met the requirements for) SOC 2, you’re already a large portion of the way there. However, the HIPAA Security Rule requires a number of additional controls.

The HHS Office of Inspector General (OIG) created the Seven Fundamental Elements of an Effective Compliance Program list to help organizations assess their compliance. While this list should be considered the minimum requirements, it serves as a good barebones sort of starting point for building your compliance program.

The Seven Fundamental Elements of an Effective Compliance Program:

• Implementing written policies, procedures, and standards of conduct.
• Designating a compliance officer and compliance committee.
• Conducting effective training and education.
• Developing effective lines of communication.
• Conducting internal monitoring and auditing.
• Enforcing standards through well-publicized disciplinary guidelines.
• Responding promptly to detected offenses and undertaking corrective action.