The Health Insurance Portability and Accountability Act (HIPAA) dictates how patient data is to be stored and protected in the United States. Under this act, any organization that stores, processes, or transfers protected health information (PHI) must ensure that specific administrative, technical, and physical safeguards are in place. In short, by law, any organization or business that has access to protected health information must ensure that patient data is protected and that HIPAA safeguards have been implemented.
Who Is Required To Follow HIPAA Regulations?
Startups and Software Development Companies
Any startups and software development companies that receive protected health information from covered entities (CE), including health providers, hospitals, and insurance companies, must ensure that they are in compliance with HIPAA.
Healthcare Providers
As healthcare providers are considered covered entities, they must ensure that they are in compliance with HIPAA regulations. For this reason, all hospitals, doctor’s offices, telehealth platforms, and software platforms that provide patient care must be in line with HIPAA requirements at all times.
Health Plans, Insurers, and Clearinghouses
As health plans, insurers, and clearinghouses all manage PHI from a number of patients, they are also considered covered entities, and therefore, they must comply with HIPAA regulations at all times.
Why Should Startups Care About HIPAA?
It’s The Law
For an organization that collects and stores health information, failure to comply with HIPAA can lead to disastrous consequences, including large fines, sanctions, and a tarnished reputation. If the violation is severe, criminal charges can even be filed with a possible penalty of 1 to 10 years in prison. Becoming HIPAA compliant and maintaining HIPAA compliance standards can be a challenging task as organizations now, more than ever, heavily rely on electronic channels and cloud services to gather, store, and share confidential patient data.
It Is Required To Work With Healthcare Clients
When HIPAA was originally passed by Congress in 1996, it applied strictly to covered entities (CEs). Covered entities include both the people and the organizations involved in the treatment of patients and in sending or receiving healthcare payments: physicians, dentists, hospitals, pharmacies, insurance companies, and so on.
However, in 2013 the Omnibus Rule, which amended the Privacy and Security Rules, significantly expanded potential liability. The rule extended accountability to any business that works for, or on behalf of, a CE and as a result handles PHI; these organizations are referred to as Business Associates (BAs).
A Business Associate is any entity (a vendor, contractor, or hired subcontractor) that works on behalf of a covered entity to store or transmit PHI. In other words, if you are a startup or software company developing a cloud solution, web application, or mobile app that records, stores, manages, or shares PHI for, with, or on behalf of CEs, then HIPAA applies to you.
Why Achieve HIPAA Compliance?
Although HIPAA regulations are mandatory, becoming HIPAA compliant will benefit your startup in a number of ways, including:
Building Customer Trust
Becoming HIPAA compliant signals to the healthcare industry that your company has reliable measures in place to protect patient data. As such, HIPAA compliant startups are much more likely to close a deal than non-compliant startups; moreover, it’s illegal for an organization to sign a Business Associates Agreement (BAA) with a startup that’s not HIPAA compliant.
According to IBM, the healthcare industry loses roughly 7.3 million USD annually due to data breaches, more than any other industry. It is critical that healthcare organizations work with companies and vendors that have an established security program, are addressing HIPAA security requirements, and do not pose a risk to the organization.
Creates Opportunities For New Deals and Additional Revenue
While building a HIPAA security program may seem daunting, startups and software companies that are able to offer HIPAA compliant solutions to clients can offer premium solutions and software products to the healthcare industry. Startups may consider becoming HIPAA compliant in order to create a new revenue channel, attract and close larger deals with healthcare providers, insurers, and other healthcare entities. HIPAA compliance is a minimum requirement for entry into the healthcare vertical.
Prepares You for Security Questionnaires
Data privacy and security questionnaires are becoming increasingly common. As there is much at stake, questionnaires are increasing in length and complexity (with some including as many as 400 questions), making them much more of a burden for the startups that receive them. These questionnaires are typically designed to determine if a healthcare vendor has the following:
- Established administrative policies that are up to date, followed, and reviewed.
- Reliable controls implemented for managing technical safeguards.
- Experience working with infrastructure and third-party services in the manner HIPAA requires.
- Staff and user access limited to only those who need it.
- Reliable and trustworthy service without downtime.
- All security protocols followed, with incident response and contingency plans defined in case of emergency.
The good news is that after you have built your HIPAA compliance program, thanks to the amount of rigorous security testing involved, including risk assessment, you’ll be much more prepared to handle any questions thrown your way. As such, you’ll be able to impress even the strictest of clients.
Learn more about how you can prepare for security questionnaires in our Guide to Preparing For Security Risk Assessments (SRAs).
HIPAA Compliance For Startups In 3 Steps
1. Sign a Business Associates Agreement (BAA)
A Business Associates Agreement (BAA) is a signed agreement between a covered entity and a business associate that specifies each party’s responsibilities when it comes to PHI. A covered entity (for example, a healthcare provider) enters into a BAA with a business associate (vendor) that dictates when that vendor may receive access to Protected Health Information (PHI). The contract must also state that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”
Covered entities include any organizations that electronically transmit any protected health information (PHI) in connection with transactions for which HHS has adopted standards.
— Dash ComplyOps has helped countless businesses build HIPAA security plans around the AWS Shared Responsibility Model. Dash can help you when signing a Business Associates’ Agreement with AWS to ensure all of the necessary physical safeguards have been implemented.
2. Create Administrative Policies
Simply signing a BAA does not automatically ensure that an organization is deemed HIPAA compliant. In order to obtain compliant status, a HIPAA security program, including administrative policies and procedures, must be put in place.
Administrative policies and standard operating procedures are a key part of any HIPAA security program. Based on an organization and its IT infrastructure, these policies should clearly outline actionable security standards. For best results, teams handling PHI should define a set of administrative policies to cover the following topics:
Risk Assessment: All teams must perform a security risk assessment on an annual basis (at minimum) in order to be HIPAA compliant. Optimally, a team should develop a process for handling risk assessment and analysis. Risk assessment should be performed with the assistance of a third party in order to avoid a biased assessment of an organization’s HIPAA security controls. Upon completion, security staff should review the findings and remediate any potential compliance issues.
Security Roles: HIPAA states that all teams must appoint both a HIPAA security officer and a privacy officer. Typically, the security officer is responsible for setting technical security standards and ensuring that all PHI data remains secured in line with the HIPAA requirements. The privacy officer, by contrast, is responsible for managing HIPAA administrative standards throughout an organization, including conducting staff training and reviewing and maintaining policies. Within smaller organizations, one individual may hold both roles.
Staff Training: In accordance with HIPAA, teams must provide new employees with security training within 90 days of their employment; staff security and awareness training must also be conducted at least once annually. Training can be conducted either internally or with the assistance of a third-party solution. Teams should cover topics and questions such as: “What is considered PHI?”, “How does PHI need to be protected?”, and “What software and procedures are acceptable for accessing PHI?”.
Incident Response Plan: Teams are required to develop an incident response plan that can quickly be put into action should a security breach occur. An incident response plan should cover how staff and clients can go about reporting a potential security incident and set the standards for how a security team reviews incidents and resolves issues.
System Access: It is your team’s responsibility to set restrictions on access to protected health information and production systems. Access to PHI must be limited to the absolute minimum number of personnel. Your team’s policies should reflect the required HIPAA technical standards, including authentication, automatic logoff, password requirements, and revoking employee access.
Staff Access: As required by HIPAA, all PHI must be physically secured. This means locks on all doors and entrances to areas where PHI is stored on office devices. For PHI stored in the cloud, an organization must have a signed Business Associates Agreement (BAA) that addresses the staff access controls and physical safeguards provided by the cloud provider.
Disaster Recovery (DR) Plan: In order for an organization to be HIPAA compliant, backup and disaster recovery measures must be in place to ensure that PHI remains available in the case of data deletion or availability issues. To avoid these issues, teams should organize and periodically test their disaster recovery processes to ensure that PHI is backed up properly and can be restored if accidentally deleted.
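A periodic DR test is only evidence if it actually restores data and checks the result. The following is an added example, not code from the article or from Dash ComplyOps: a self-contained backup-and-restore drill that uses SQLite’s online backup API (the schema, sample rows and in-memory databases are constructed so it runs offline; a real drill would point at the production database and its encrypted backup target).

```python
"""Backup-and-restore drill for a PHI database, using SQLite's online backup.

Added example, not code from the article or from Dash ComplyOps. The schema,
rows and in-memory databases are constructed so the drill runs offline.
"""
import hashlib
import sqlite3

# Constructed sample rows (not real patients).
SAMPLE_PATIENTS = [("MRN-0001", "Test Patient A"), ("MRN-0002", "Test Patient B")]


def _content_digest(conn):
    """Digest of the table contents, used to prove the restore is exact."""
    rows = conn.execute("SELECT id, mrn, name FROM patients ORDER BY id").fetchall()
    return hashlib.sha256(repr(rows).encode()).hexdigest()


def _row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM patients").fetchone()[0]


def run_dr_drill():
    """Back up, simulate accidental deletion, restore, and verify the result.

    Returns a report dict so the outcome can be kept as evidence of the
    periodic DR test the policy calls for.
    """
    live = sqlite3.connect(":memory:")
    live.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, mrn TEXT, name TEXT)")
    live.executemany("INSERT INTO patients (mrn, name) VALUES (?, ?)", SAMPLE_PATIENTS)
    live.commit()
    before = _content_digest(live)

    # 1. Take a consistent backup (in production the destination is encrypted storage).
    backup = sqlite3.connect(":memory:")
    live.backup(backup)

    # 2. Simulate the incident: every PHI row is deleted from the live database.
    live.execute("DELETE FROM patients")
    live.commit()
    rows_after_loss = _row_count(live)

    # 3. Restore by copying the backup over the live database.
    backup.backup(live)
    after = _content_digest(live)

    report = {
        "rows_backed_up": len(SAMPLE_PATIENTS),
        "rows_after_loss": rows_after_loss,
        "rows_after_restore": _row_count(live),
        "restored_exactly": before == after,
    }
    live.close()
    backup.close()
    return report


if __name__ == "__main__":
    print(run_dr_drill())
```

The digest comparison is the part that matters: a restore that brings back the table but not every row would pass a naive "does the table exist" check and fail here.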
— Dash ComplyOps provides startups, healthcare organizations, and vendors with an all-in-one solution geared toward building and managing HIPAA security programs in the cloud. Dash’s in-house team of compliance and cloud experts provides HIPAA cloud solutions that enable organizations to comfortably configure and manage HIPAA in Amazon Web Services, the market-leading cloud platform.
3. Set Technical Security Controls
Organizations that store, process, and/or transmit electronic PHI (ePHI) are required to implement security controls and comply with the HIPAA Security Rule. Both covered entities and business associates are responsible for appropriately safeguarding patient information.
This means that healthcare providers, software vendors, and startups that work with protected health information must address HIPAA Security Rule standards in order to maintain HIPAA Compliance.
Encryption: HIPAA requires that an organization encrypts its PHI both “at-rest” and “in-transit”. In short, all PHI data must be stored on encrypted drives and SSL/TLS standards must be followed when delivering data via the internet and other networks.
Limited Access: To be in compliance with HIPAA, access to PHI must be strictly limited to the smallest number of people necessary. Strict access control systems must be implemented to ensure that staff members do not have more access to PHI than is required to perform their duties. For optimal results, a team should implement role-based access control for all systems and applications that contain PHI data.
Audit Logging: HIPAA requires that all teams diligently collect all logs relating to PHI access and modification. Consider collecting all logs and events relating to PHI from cloud infrastructure, operating systems (OS), and application-level logs. Logs containing PHI identifiers are themselves considered sensitive PHI and must be encrypted accordingly, with access limited to necessary personnel.
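The Limited Access and Audit Logging controls above are two halves of one mechanism: every PHI request is decided against a role, and every decision is written to a log that can later be reviewed. The following is an added example, not code from the article or from Dash ComplyOps, showing a minimal role-based access gate for PHI, the audit record it emits, and a review pass run over constructed JSON-lines audit output. The roles, actions, record ids, user names and log format are all assumptions made for illustration.

```python
"""Role-based PHI access gate with an audit trail and a log review pass.

Added example, not code from the article or from Dash ComplyOps. Roles, actions,
record ids and the JSON-lines log format are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Least privilege: each role gets only the PHI actions its duties require.
ROLE_PERMISSIONS = {
    "clinician": {"read:demographics", "read:clinical", "write:clinical"},
    "billing": {"read:demographics"},
    "support": set(),
}

AUDIT_LOG = []  # in production: an append-only, encrypted, access-restricted store


def access_phi(user, role, action, record_id):
    """Decide one PHI request; every decision (allowed or denied) is logged."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "action": action,
        "record": record_id,  # identifier only; never copy PHI fields into logs
        "allowed": allowed,
    })
    return allowed


def parse_audit_lines(lines):
    """Parse JSON-lines audit output, skipping malformed lines rather than crashing."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real reviewer would count and report these
    return entries


def review_audit_log(entries, denied_threshold=3):
    """Return findings: roles outside the policy and users with repeated denials."""
    denied_per_user = {}
    findings = []
    for e in entries:
        if e.get("role") not in ROLE_PERMISSIONS:
            findings.append(f"unknown role {e.get('role')!r} used by {e.get('user')}")
        if not e.get("allowed", False):
            denied_per_user[e["user"]] = denied_per_user.get(e["user"], 0) + 1
    for user, n in sorted(denied_per_user.items()):
        if n >= denied_threshold:
            findings.append(f"{user}: {n} denied PHI requests, review the account")
    return findings


# Constructed sample audit lines (not real data): a billing user repeatedly
# trying to reach clinical data, and a service account using a role the
# policy does not define.
SAMPLE_AUDIT_LINES = [
    '{"ts":"2024-01-01T00:00:00+00:00","user":"b.ross","role":"billing","action":"read:demographics","record":"P-1001","allowed":true}',
    '{"ts":"2024-01-01T00:00:05+00:00","user":"b.ross","role":"billing","action":"read:clinical","record":"P-1001","allowed":false}',
    '{"ts":"2024-01-01T00:00:09+00:00","user":"b.ross","role":"billing","action":"read:clinical","record":"P-1002","allowed":false}',
    '{"ts":"2024-01-01T00:00:12+00:00","user":"b.ross","role":"billing","action":"write:clinical","record":"P-1002","allowed":false}',
    '{"ts":"2024-01-01T00:01:00+00:00","user":"svc-etl","role":"admin","action":"read:clinical","record":"P-1003","allowed":true}',
    'not json at all',
]

if __name__ == "__main__":
    print(access_phi("dr.lee", "clinician", "read:clinical", "P-1001"))  # True
    print(access_phi("b.ross", "billing", "write:clinical", "P-1001"))   # False
    for finding in review_audit_log(parse_audit_lines(SAMPLE_AUDIT_LINES)):
        print(finding)
```

Two design points carry over to any real implementation: the log stores a record identifier rather than the PHI itself, so the audit trail is not a second copy of the data to protect, and denials are logged as carefully as grants, since repeated denials are the signal a reviewer most wants to see.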
Automatic Logoff: As stated by HIPAA, all systems that store PHI must have automatic logoff safeguards in place. In order to ensure PHI data remains safe from unauthorized eyes, teams must ensure that any workstations and devices that store PHI will automatically logoff should they remain unused for a specific period of time.
Detecting Unauthorized Access: To become HIPAA compliant, all organizations that handle PHI must have integrity controls in place to ensure that PHI data is not improperly modified or disposed of. Intrusion detection systems (IDS) that scan for vulnerabilities and detect potentially malicious behavior offer a good way for teams to limit unauthorized access to production services.
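The Automatic Logoff and Detecting Unauthorized Access controls are easy to state and easy to get subtly wrong in code, so here is an added example (not code from the article or from Dash ComplyOps) that implements both at the application layer: an idle-session store that logs a session off once it has been unused for longer than the timeout, and an HMAC integrity tag over each PHI record so silent modification is detectable. The timeout value, session ids, key and sample record are assumptions made for illustration.

```python
"""Automatic logoff for idle sessions plus an integrity tag for PHI records.

Added example, not code from the article or from Dash ComplyOps. The timeout
value, session ids, key and sample record are constructed for illustration.
"""
import hashlib
import hmac
import json

IDLE_TIMEOUT_SECONDS = 15 * 60  # constructed value; take it from your own policy


class SessionStore:
    """Tracks last activity per session; idle sessions are logged off."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session_id -> (user, last_activity_timestamp)

    def login(self, session_id, user, now):
        self._sessions[session_id] = (user, now)

    def touch(self, session_id, now):
        """Return the session's user if still active (refreshing it), else None.

        A session idle longer than the timeout is removed, so the caller must
        re-authenticate: that is the automatic logoff safeguard. Timestamps are
        plain seconds so the logic can be tested without a clock.
        """
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user, last = entry
        if now - last > self.idle_timeout:
            del self._sessions[session_id]
            return None
        self._sessions[session_id] = (user, now)
        return user

    def sweep(self, now):
        """Proactively drop idle sessions (run periodically); returns the count."""
        stale = [sid for sid, (_, last) in self._sessions.items()
                 if now - last > self.idle_timeout]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)


def seal_record(key, record):
    """HMAC-SHA256 over a canonical JSON form of the record, stored beside it.

    The key must live outside the database (e.g. a secrets manager), otherwise
    whoever can alter a record can also recompute its tag.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_record(key, record, tag):
    """True only if the record is exactly what was sealed; constant-time compare."""
    return hmac.compare_digest(seal_record(key, record), tag)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=900)
    store.login("sess-1", "dr.lee", now=1000)
    print(store.touch("sess-1", now=1500))   # dr.lee (active, refreshed)
    print(store.touch("sess-1", now=2401))   # None (idle 901 s, logged off)
    key = b"constructed-demo-key"
    record = {"mrn": "MRN-0001", "note": "constructed sample"}
    tag = seal_record(key, record)
    print(verify_record(key, record, tag))                              # True
    print(verify_record(key, {**record, "note": "altered"}, tag))        # False
```

Note that `touch` refreshes the activity timestamp only for a still-valid session, and that the integrity tag is recomputed over a canonical serialization, so reordering keys does not produce a false tamper alarm while changing any value does.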
Monitor and Maintain Compliance With Dash
Dash ComplyOps can help your team with the implementation of all necessary technical safeguards, including disaster recovery (DR), encryption, vulnerability scanning, and intrusion detection: everything needed to monitor compliance configuration in the cloud.
Dash enables your team to create custom security policies that are enforced through continuous compliance monitoring. Teams can see when cloud resources conflict with security policies or fall out of compliance with HIPAA and act accordingly.
Typically, digital health companies need to be vetted and complete a vendor risk assessment before they can do business with hospitals and enterprise healthcare companies. Dash specializes in providing companies with the foundation needed to build and validate their security posture. Consider working with Dash to create security policies and share compliance reports and internal controls with hospitals and enterprise partners.
Organizations that have worked closely with Dash have reported an increased understanding of their overall security programs, allowing them to perform better on security risk assessments and, in turn, experience a much quicker procurement process with hospitals and health systems.