What is HIPAA and Why should we care?
HIPAA stands for the Health Insurance Portability and Accountability Act, which regulates how healthcare providers store, record, manage and share the private healthcare information of US citizens. Individuals or organizations that provide services to those healthcare providers and come into contact with PHI are called Business Associates. If your organization intends to work with a healthcare provider and your services could include storing, transmitting, or manipulating PHI, you are going to be considered a Business Associate.
Related: What is Protected Health Information
Does my Startup need to be HIPAA Compliant?
HIPAA was originally conceived for safeguarding physical PHI like X-rays and paper copies, at a time when technology like high-speed internet, smartphones, wearable technology, and healthcare apps was considered Star Trek-caliber science fiction. Because it did not foresee the type of technology we interact with every day, it can be challenging to determine whether your health app is handling PHI.
The good news is that determining whether your app or software is using consumer health information or PHI (and will fall under HIPAA) is relatively simple: ask whether the product you are developing will handle information that will be used by a covered entity in the course of providing healthcare. If the answer is yes, then you will need to be HIPAA compliant, because you are dealing with PHI. If you do not plan on sharing it with a covered entity, you do not need to be HIPAA compliant - yet. However, you should take measures to safeguard this information, as the trend in mobile health data is moving towards sharing that information with healthcare providers. Besides, you never know how the regulatory landscape will change in the future.
Most startups are in the business of creating software to support other businesses. If your customers come into contact with PHI by virtue of being a covered entity or a business associate of one, your business may come into contact with thousands of PHI records over the course of a day. It is therefore critical that you know what you need to do to protect the security of that information in order to protect your business.
In order for your software to be HIPAA compliant, you will need to complete annual risk assessments to identify security risks, implement policies and contingencies, train your employees, and arrange business associate agreements with any contractor or business that might be able to access PHI. Additionally, you need to make certain that the information you are entrusted with is encrypted and secure.
Understanding the Rules of HIPAA
There have been multiple updates to the HIPAA Act over the past two decades, each adding new layers of protection requirements:
The HIPAA Privacy Rule clearly defined how PHI can be used and disclosed. The rule set restrictions and details for the "what, when and under what circumstances" of PHI use or disclosure. The main goal of the Privacy Rule was to guarantee that an individual's private health information was well protected but still existed within a system that allows the data to flow between the parties that need PHI in order to provide the best quality of healthcare to the patient.
Later, the HIPAA Security Rule addressed security requirements for Protected Health Information that is used in electronic form. The Security Rule set standards and guidelines intended to protect the security of electronic Protected Health Information (ePHI) and to maintain the confidentiality, integrity, and availability of ePHI. This is achieved by implementing proper administrative, physical, and technical safeguards within each organization.
The HIPAA Breach Notification Rule was a large expansion of HIPAA that requires covered entities to notify affected individuals, HHS and, in some cases, the media of a breach of unsecured PHI.
Most importantly for startups, the HITECH Act made business associates, and even their own subcontractors, directly liable for their own compliance with HIPAA. The HIPAA Omnibus Rule, in addition to editing and updating all of the previously passed rules, took compliance to another level by directly enforcing these requirements upon business associates.
Cost of Noncompliance for Startups
So what will happen to you if your startup is not compliant with HIPAA? For starters, you will pay. If you are found to be in breach of any of the HIPAA rules, your startup could face some pretty severe fines, regardless of whether the violation was intentional. In the case of severe violations, those responsible could face penalties of up to 10 years in prison.
At the lower end, each individual breach of PHI can cost your company $100 if HHS determines the violation to be incidental; if HHS determines that willful neglect was involved, each violation can cost your organization $50,000, up to a maximum penalty of $1.5 million. Think your startup can survive that? There are many mature organizations that could not handle those penalties.
Become HIPAA Compliant
The only thing more challenging and complex than running a startup company is navigating the complexities of HIPAA compliance. Fortunately for you, Accountable HQ was created for that purpose: we will help manage the HIPAA compliance of your startup, so you can focus on building your business. Our cloud-based compliance solution will allow you to become fully compliant, as well as earn your company a HIPAA compliance certificate that will allow you to flaunt your status in your niche.