There is a lot for startups to consider when approaching HIPAA compliance. The law can seem broad, vague, and overwhelming, especially for founders who have no prior experience with its requirements.
Accountable is a SaaS startup ourselves, so we understand the fast pace, the challenges, and the risks that come with building a successful startup. As a HIPAA compliance solution, we also know how significant the cost of noncompliance is and how important it is to avoid those mistakes. We will answer your burning questions and cover the most important things you need to know to start your startup in the right direction towards confidence in your HIPAA compliance.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 and has since become one of the most influential healthcare laws in the United States. HIPAA has been amended numerous times over the past 23 years, with each amendment gradually expanding it into the law we recognize today. It is made up of several pieces, including the Privacy Rule, Security Rule, Enforcement Rule, HITECH Act, Breach Notification Rule, and finally the Omnibus Rule.
Among other goals and requirements, HIPAA sets the national standards for how protected health information (PHI) must be maintained in the healthcare industry and how it must be protected from unauthorized access or malicious intent. The law was enacted in 1996, when technology was at a very different level than it is now, so even with the updates it can be tricky to translate this vague law directly into our technology- and startup-driven world. Luckily, we are both HIPAA experts and a startup ourselves, so we will help you bridge this gap.
Does My Startup Even Need to Comply with HIPAA?
Not all startups, or companies in general, are required to comply with HIPAA and its many regulations and requirements. Many organizations assume they do not need to comply with HIPAA because they do not interact directly with patients, but that is not the factor that determines whether you must manage HIPAA compliance. The key question is instead:
Do You Work With PHI (Protected Health Information)?
PHI, which stands for Protected Health Information, is any health information that could identify an individual and that is created, used, or disclosed in the course of healthcare operations. PHI can include information about the past, present, or future physical health or conditions of an individual, or the healthcare services that have been provided to that person. There are 18 identifiers for PHI, which make it clear what is and is not classified as PHI and must be carefully protected by the company. These are the 18 identifiers for PHI:
- Full names, or last name and initial
- All geographic identifiers smaller than a state
- Dates (other than year) directly related to an individual, such as birth dates or treatment dates
- Phone numbers, including area code
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Bank account numbers
- Certificate/driver's license numbers
- Vehicle identifiers (including VIN and license plate information)
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including fingerprints, retinal scans, genetic information, and voiceprints
- Full-face photographs and any comparable images that can identify an individual
- Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data
The rule of thumb is that if any of the information is personally identifiable to the patient, or if it was used or discovered during the course of a healthcare service, it is considered to be PHI.
Have You Completed a Risk Assessment?
Another way to determine whether you are required to comply with all aspects of HIPAA is to complete a risk assessment. A thorough assessment of all company processes and handling of PHI is a yearly requirement for covered organizations under the HIPAA Security Rule, but it can also be used as a tool to determine whether your startup is subject to the law in the first place.
A security assessment is a vital way to identify threats and vulnerabilities to Protected Health Information (PHI) that could result in a breach or a patient complaint, both of which lead to OCR audits and investigations. HIPAA does not give specific instructions on what the risk assessment should contain, so that the requirement is flexible enough to fit both startups and large hospital groups alike. Regardless of your company's particulars, your risk assessment must be a thorough and accurate audit of your business's administrative, physical, and technical safeguards to identify vulnerabilities and risks to the integrity and confidentiality of ePHI.
Here at Accountable, we offer a simple and free Risk Analysis tool that can start you down the path of determining your vulnerabilities and risks so that you can address them. Here is the process that we follow:
What Requirements Do I Need to Follow?
HIPAA is made up of a few different rules that all organizations must comply with completely in order to reach a place of HIPAA compliance. Here at Accountable, we break those requirements found throughout the 100+ page document into 5 simple steps.
First, each company needs to assign a Privacy Officer (or officers) who will be the main person overseeing the safeguarding of all forms of protected health information that you handle. The Privacy Officer then works through our extensive risk assessment to identify any vulnerabilities or weaknesses in the security of PHI in the way your company operates. This risk assessment is then evaluated by our dedicated HIPAA specialists so that you can have full confidence that you have addressed every part of it that needs to be addressed.
At this point, your Privacy Officer is charged with inviting every employee who may at some point have access to PHI into the system to complete their HIPAA training. People commonly believe that employee HIPAA training is all it takes to reach full compliance, and while it is an important step, it is not the only step! At Accountable we offer unlimited training credits to our customers across all price plans so that you can be confident that your entire staff has been fully trained.
Once all your employees have been invited to complete their training, you next need to sign a business associate agreement (BAA) with each and every third-party organization you work with that may be given access to patient PHI in some capacity. A business associate agreement is a written agreement that lays out each party's responsibilities and liabilities when it comes to PHI. Do not sign a BAA with anyone until you are confident that you are HIPAA compliant; otherwise you are opening yourself up to taking the hit for a breach for which you should not be entirely liable.
Fifth and finally in Accountable's steps towards HIPAA compliance is adopting the necessary policies and procedures. We provide your organization with all of the policies and procedures that you are required to have under HIPAA. We have teamed up with a leading HIPAA law firm to do the legwork of handcrafting each of these policies so that you don't have to. This simplifies the process so that all the Privacy Officer needs to do is go through and adopt the specific policies that apply to your organization.
What Happens If I’m Not HIPAA Compliant?
If you are not compliant with HIPAA and never experience a single breach, data leak, employee mistake, or patient complaint, then you will likely get away by the skin of your teeth. Audits and fines from the OCR typically follow an individual reporting your lack of compliance in some manner. However, if you are willing to bet that you will avoid an audit, you are equally opening yourself up to the full cost of HIPAA noncompliance.
HIPAA violations most commonly occur as a result of unencrypted data, employee errors, or breaches related to theft. If you suffer a violation of the law as a result of one of these causes, or any other situation, you are then subject to a complete and thorough investigation by HHS (Health and Human Services). An audit or investigation will result in a penalty being levied based on the level of negligence on your company's part that led to the violation. We typically see that the higher the negligence, the higher the dollar amount of the fine.
HHS fines range from $100 to $50,000 per individual violation, with a maximum of $1.5 million per year for violations. Down below is the tiered chart of the potential fines that can be sent to you.
How Much Time & Money Will It Take to Become Compliant?
The amount of time and money that you spend on your HIPAA compliance will vary drastically depending on how you choose to approach it. If you use a consultant, it could cost tens of thousands of dollars. At the other end, if you try to do it entirely on your own, it may not represent much of a monetary cost, but it will be extremely time-consuming and likely not as thorough as it should be. The most common way to address HIPAA compliance as of late is to use a software solution that specializes in HIPAA compliance and can simplify this vague and complicated process for you.
Are There Solutions To Make HIPAA Compliance Easier?
As addressed above, HIPAA compliance can be costly, time-consuming, or both depending on the method that you have elected to take. Luckily, there is an alternative option that is drastically less expensive than a consultant, takes far less time than doing it all yourself, AND has additional benefits you might not even know you need.
That solution for you is Accountable. We are a software-as-a-service company that has created a complete solution to HIPAA compliance that is simple to understand, user-friendly to utilize, and reasonably priced. This solution covers the key yearly risk assessment, unlimited employee training, signing of business associate agreements, and a full library of the policies and procedures you may need to adopt for your compliance. Check out our free trial through our homepage to get an idea of what we’re about.
As a software startup ourselves, we get you. We get the challenges, triumphs, and priorities that it takes to create a successful startup. Don’t let HIPAA become a roadblock to your success, but rather partner with another startup to walk you through all the steps towards full confidence in your HIPAA compliance.