How to stay HIPAA-compliant for a HealthTech SaaS. HIPAA Explained

Introduction

Health tech is booming. But as I mentioned in earlier posts, things get more complex when you enter a regulated market, and the obvious regulation in the health-tech niche concerns personal health data. HIPAA is the name we hear most often.

Let's find out how to build a health-tech product that will not cause violations and regulatory fines: in other words, a product that is HIPAA compliant.

What Is HIPAA Compliance?

First of all: what is HIPAA, and what does being compliant with it mean?

HIPAA stands for the Health Insurance Portability and Accountability Act, a US federal law from 1996. Its Privacy and Security Rules regulate how healthcare providers, health plans and the businesses that work with them record, store, manage and share individually identifiable health information, known as protected health information (PHI). It applies to the data of anyone treated by a US covered entity, not only US citizens.

[Image: a list of data types protected under HIPAA]

Who needs to be HIPAA Compliant?

To understand who is subject to HIPAA's requirements for protected health information (PHI), I suggest splitting them into 3 groups:

1. Covered entities: health care providers that transmit health information electronically, health plans and health care clearinghouses. They create and transmit PHI by delivering treatment and accepting payment for health services, and they are subject to the full scope of the HIPAA rules.

Examples include doctors, clinics, psychologists, dentists, pharmacies, and health insurance companies.

2. Business associates: organizations that create, receive, maintain or transmit PHI on behalf of a covered entity without being the provider or plan themselves. A HealthTech SaaS that stores or processes a clinic's patient data is a business associate, and it must sign a business associate agreement (BAA) with the covered entity before it touches PHI. This type covers many enterprises providing services to the healthcare industry.

Examples include consultants, accounting firms, IT suppliers, and lawyers.

3. Subcontractors: organizations hired by business associates to help with specific niche roles. They may also have access to PHI, which means HIPAA applies to them as well (since the 2013 Omnibus Rule they are directly liable, just like business associates, and need a BAA of their own).

Examples: Cloud hosting providers, shredding companies, etc.

HIPAA Compliance Checklist

All three groups must be HIPAA compliant. The official guidance is published and updated by the US Department of Health and Human Services (HHS), and the usual compliance checklists are built on it; I'll break down the main items below:

1. Dedicate responsible personnel

Tip: appoint a responsible person (or even a department) for compliance with HIPAA requirements. The Privacy Rule requires a designated privacy official and the Security Rule a designated security official; naming them also gives your business a transparent chain of accountability.

2. Develop a HIPAA compliance administration plan

Tip: if you are planning a long-term health-tech project, your organization's strategy should cover the HIPAA-relevant areas: written policies, workforce training, vendor (business associate) management and incident handling.

3. Make sure your IT infrastructure meets the required standards

Tip: think through PHI security from the start, since you cannot store this data wherever you want. The Security Rule requires PHI to be protected with administrative, physical and technical safeguards. Technical safeguards mean access control with unique user IDs, audit logging of every access to PHI, integrity checks and encryption in transit and at rest (encryption is "addressable" under the rule, but expected in practice); physical safeguards cover who can reach the facilities, workstations and devices that hold PHI. In both cases, be careful about whom you grant data access to: roles and the minimum-necessary principle apply.

4. Maintain technologies used for PHI handling

Tip: periodic updates and patching are a must. Outdated software and cryptography are easy targets, and a compromise leads straight to data leakage.

5. Evaluate the current risk level

Tip: the only way to stay compliant is through periodic checks. The Security Rule requires a documented risk analysis, so perform security audits regularly and treat risk analysis as an ongoing matter rather than a one-off exercise.

6. Plan for emergencies

Tip: prepare a contingency plan for a cyberattack or an outage. HIPAA expects a data backup plan, a disaster recovery plan and an emergency mode operation plan, and these should be tested, not just written.

7. Investigate found violations

Tip: every report of a HIPAA violation must be investigated, with guidelines and a timeframe for its resolution. Usually this step follows your audits, and an organization must resolve each discovered violation before it can consider itself fully HIPAA compliant.

8. Document your findings

Tip: all HIPAA-related policies, risk analyses and actions must be documented and retained (the Security Rule requires six years from creation or last effective date). In case of an audit or a reported violation, your company's compliance efforts are then transparent and verifiable.

9. Find the right partners

Tip: if you lack the resources to manage everything in-house, there are security vendors specializing in compliance who can provide software and hosting that fits your setup. Remember, though, that no product makes you compliant by itself: any vendor that touches your PHI is a business associate and must sign a BAA, and you must make sure they are trustworthy and won't leak your data themselves.


Getting familiar with the 4 HIPAA rules

Tip: HIPAA provides 4 rules regarding patient data privacy and security. If you are looking to become HIPAA compliant, I highly recommend getting familiar with them!

HIPAA Privacy And Security Rules

You can also read more about these 4 rules on the official HHS HIPAA website. But don't worry, I'm still here to help sort things out.

The 4 HIPAA Rules

1. HIPAA Privacy Rule

The HIPAA Privacy Rule, also known as the "Standards for Privacy of Individually Identifiable Health Information", outlines a patient's rights regarding their health information and regulates who can access it and for which purposes.

It does not deal only with digital information: the Privacy Rule covers PHI in any form, whether spoken, on paper or electronic. Parts of it also list the documents and consent forms (notices of privacy practices, patient authorizations) that must be maintained by those in charge of PHI. Timeframes are irrelevant too, as it applies to a patient's past, present and future visits, payments or procedures.

2. HIPAA Security Rule

The HIPAA Security Rule guides covered entities and business associates on the administrative, physical and technical safeguards for electronic PHI (ePHI). So, while the Privacy Rule defines who may see the data and why, the Security Rule is about the measures that keep it inaccessible to unauthorized individuals.

Three groups of safeguards are distinguished in the Security Rule:

  • Administrative: policies and procedures for PHI handling, including risk analysis, workforce training and contingency planning.
  • Physical: facility access controls, workstation security and device and media controls for the locations and hardware that store PHI.
  • Technical: the technology that keeps electronic PHI secure: access control with unique user IDs, audit controls, integrity protection, authentication and transmission security.
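Checklist item 3 above talks about monitoring logs and being careful about whom you grant access, and the Security Rule's technical safeguards name access control and audit controls explicitly. The example below is added here to show what that looks like in code; it is not the article author's or any product's implementation. It models a PHI read path with role-based, minimum-necessary access checks and a treatment-relationship check, writes every attempt (allowed or denied) to an append-only, hash-chained audit log, and runs a simple review over that log. The roles, field names, assignments and patient records are constructed assumptions.

```python
"""Added example for this article: a minimal model of two HIPAA Security Rule
technical safeguards that a HealthTech SaaS has to implement in code, namely
role-based access to PHI (with the minimum-necessary principle) and an
append-only, hash-chained audit log that can be reviewed for misuse.
The roles, field names and patient records are constructed assumptions for
illustration; none of this is the article author's or any product's code."""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample PHI (a real system keeps this in an encrypted store).
PATIENTS = {
    "p-1001": {"name": "A. Example", "diagnosis": "hypertension",
               "insurer": "AcmeHealth", "balance": 120.0},
    "p-1002": {"name": "B. Example", "diagnosis": "asthma",
               "insurer": "AcmeHealth", "balance": 0.0},
}

# Minimum-necessary policy (assumed): the fields each role may read.
ROLE_FIELDS = {
    "clinician": {"name", "diagnosis"},
    "billing": {"name", "insurer", "balance"},
}

# Treatment relationships (assumed): a clinician may only read assigned patients.
ASSIGNMENTS = {"dr-smith": {"p-1001"}}


@dataclass
class AuditLog:
    """Append-only log; each entry's hash covers the previous entry's hash,
    so editing or deleting an earlier entry makes verify() fail."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, **event) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({**event, "prev": prev,
                             "hash": self._digest(prev, event)})

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            event = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, event):
                return False
            prev = entry["hash"]
        return True


def read_phi(log: AuditLog, user: str, role: str, patient_id: str, fields):
    """Return (allowed, data). Every attempt, allowed or denied, is logged."""
    fields = sorted(fields)

    def decide(allowed: bool, reason: str, data=None):
        log.append(user=user, role=role, patient=patient_id, fields=fields,
                   outcome="allowed" if allowed else "denied", reason=reason)
        return allowed, data

    if role not in ROLE_FIELDS:
        return decide(False, "unknown role")
    if role == "clinician" and patient_id not in ASSIGNMENTS.get(user, set()):
        return decide(False, "no treatment relationship with patient")
    over_scope = set(fields) - ROLE_FIELDS[role]
    if over_scope:
        return decide(False, f"fields outside role scope: {sorted(over_scope)}")
    record = PATIENTS.get(patient_id)
    if record is None:
        return decide(False, "no such patient")
    return decide(True, "policy satisfied", {f: record[f] for f in fields})


def suspicious_users(log: AuditLog, threshold: int = 2) -> set:
    """Audit-control review: users with at least `threshold` denied PHI reads."""
    denials = {}
    for entry in log.entries:
        if entry["outcome"] == "denied":
            denials[entry["user"]] = denials.get(entry["user"], 0) + 1
    return {u for u, n in denials.items() if n >= threshold}


if __name__ == "__main__":
    log = AuditLog()
    print(read_phi(log, "dr-smith", "clinician", "p-1001", ["diagnosis"]))
    print(read_phi(log, "dr-smith", "clinician", "p-1002", ["diagnosis"]))
    print(read_phi(log, "dr-smith", "clinician", "p-1001", ["balance"]))
    print(read_phi(log, "bob", "billing", "p-1001", ["insurer", "balance"]))
    print("log intact:", log.verify(), "suspicious:", suspicious_users(log))
```

Two design points matter for an auditor. Denied attempts are logged with the same care as allowed ones, because a clinician repeatedly probing patients they are not assigned to is exactly what the audit-control safeguard is meant to surface. And the hash chain means a log entry cannot be quietly edited after the fact; in production you would additionally ship the entries to write-once storage that the application's own credentials cannot modify.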

3. HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule describes in detail the procedure for dealing with a breach of unsecured PHI. The point of the rule is that it is better to have a prepared plan of what to do before an incident happens. It defines whom to notify, by when, and what steps to take to limit the damage.

The steps are as follows:

  • Notify affected individuals. Affected patients must receive written notice of what happened to their data, without unreasonable delay and no later than 60 days after the breach is discovered.
  • Notify the media. If a breach affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must also be notified within the same 60-day window.
  • Notify the Secretary of HHS. Breaches affecting 500 or more individuals must be reported within 60 days of discovery; smaller breaches are logged and reported annually, within 60 days after the end of the calendar year in which they were discovered.
  • For a SaaS acting as a business associate, the clock starts with you: you must notify the covered entity within 60 days of discovering the breach (usually much faster under the terms of your BAA), and the covered entity then handles the patient, media and HHS notifications.

4. HIPAA Omnibus Rule

The HIPAA Omnibus Rule (2013) is the most recent major addition. It strengthened the protection of PHI, especially in electronic form, made business associates and their subcontractors directly liable for compliance with the Security Rule and parts of the Privacy Rule, tightened the breach notification standard, and gave patients more access to their own health information.

To make sure your organization has no problems with this rule, align the security standards you apply internally with those you require from your partners, and keep your risk assessment and compliance procedures in step with each other.

Other Health-related acts

Even though HIPAA may seem a tough and overwhelming challenge, trust me: the companies that choose to push through are the ones we will be talking about in the coming years!

Plus, it's safe to say that the health-tech trend is popular not only within the US. Other countries have different rules that require similar consideration. In Canada, for example, there's PIPEDA (the Personal Information Protection and Electronic Documents Act), and in the EU, the GDPR (General Data Protection Regulation).

Although data protection rules are quite similar all around the world, there is still a list of differences:

HIPAA vs PIPEDA

  1. Both laws govern how organizations can collect and use personal data from individuals or customers for business purposes;
  2. Each also sets guidelines around how information should be protected throughout its lifespan;
  3. Both require organizations to be accountable for the personal data they have under their management;
  4. Both restrict use and sharing without the individual's agreement, but differently: PIPEDA requires consent for collection, use and disclosure unless a listed exception applies, while HIPAA permits use and disclosure of PHI for treatment, payment and health care operations without authorization and requires written authorization for most other purposes;
  5. The most significant difference between HIPAA and PIPEDA, however, lies in what each act protects. HIPAA's primary concern is PHI held by covered entities and their business associates, while PIPEDA covers all types of personal data handled in commercial activity, including health information.

HIPAA vs GDPR

  1. Both laws govern how organizations can collect and use personal data from individuals or customers for business purposes;
  2. HIPAA sets standards for covered entities and their business associates, while the GDPR sets compliance standards for every organization that processes personal data of people in the EU, whatever its sector;
  3. HIPAA allows disclosure of PHI for treatment, payment and health care operations without the consent of the individual, while under the GDPR health data is a special category that may only be processed with explicit consent or under another Article 9 condition, such as the provision of health care;
  4. Under the GDPR, individuals have the right to erasure (to have their data deleted upon request); HIPAA does not grant this right, and in fact requires records to be retained;
  5. Speaking of data breaches, under the GDPR the supervisory authority must be notified within 72 hours of becoming aware of the breach, and affected persons must be notified without undue delay when the breach is likely to pose a high risk to them. Under HIPAA, covered entities must notify affected individuals within 60 days of discovery, and for breaches affecting 500 or more people the HHS Secretary (and, where more than 500 residents of one state are affected, the media) must be informed within the same 60 days.

Conclusion

If you think about it, everything that surrounds us today, that we cannot imagine our lives without — shopping, banking, delivery, entertainment — has become mobile. Therefore, it is not surprising that healthcare consumers are increasingly relying on technology to manage their healthcare needs.

But with great demand comes great responsibility. Since nowadays data security is insanely important, it is crucial to be compliant with the healthcare industry laws and rules. That’s why I highly recommend getting familiar with health-related acts and regulations in order to make sure that your business is both trusted by the users and transparent to the authorities.

Olha Humeniuk

Senior Service Delivery Manager | MBA | Project Management Explorer | Former Athlete & Current Mom | "If conscience disapproves, the loudest applauses of the world are of little value" J. Adams

1 year

Thank you Valerian Valkin, while I worked for a Home Health agency in the States the rules seemed very straightforward to me, especially pre-COVID with paper documentation, etc. Now, working with HIPAA in tech, things do not seem as straightforward. Your article helps, appreciate the easy step by step.


Staying compliant from day 1 is very important for HealthTech startups. Sometimes the technical implementation becomes too complex if you start thinking of compliancy. Thanks for sharing!
