What you need to know about HIPAA when starting a health tech startup
The healthcare industry is one of the largest and fastest-growing sectors in the world. If you're looking to get into this space, you will quickly find that there are a lot of regulations and legal obligations to consider. When starting a health tech company, the one you cannot avoid is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is a U.S. federal law whose Privacy Rule and Security Rule set strict requirements for how individuals' medical records and other protected health information (PHI) may be used, disclosed, stored, and transmitted.
In this blog post, we will explore what HIPAA is, how it can affect your business's operations, and the steps you can take to meet the essential legal requirements and protect the privacy of your users and their patients. By knowing how these rules apply to your startup, you can avoid violations that result in costly fines and confidently pursue your health tech venture.
The basics of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and is enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS). Its Privacy Rule governs how PHI may be used and disclosed, and its Security Rule sets national standards for protecting the confidentiality, integrity, and availability of PHI held in electronic form. If you're starting a health tech business, it's important to be aware of HIPAA and how it affects your business. Here are some key things to keep in mind:
HIPAA applies directly to "covered entities": health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with HIPAA standard transactions such as claims and eligibility checks. Most health tech startups are not covered entities; they are "business associates", meaning companies that create, receive, maintain, or transmit PHI on behalf of a covered entity. Since the 2013 Omnibus Rule, business associates are directly liable for Security Rule compliance and for breaches, so the distinction changes who you sign agreements with, not whether the rules apply to you. A consumer app that collects health data directly from users with no covered entity involved is generally outside HIPAA, but may still fall under the FTC's Health Breach Notification Rule and state privacy laws.
HIPAA requires covered entities and business associates to take measures to protect the confidentiality, integrity, and availability of PHI. This includes implementing administrative, physical, and technical safeguards.
Covered entities must also sign a business associate agreement (BAA) with every contractor or vendor that handles PHI on their behalf, and business associates must do the same with their own subcontractors before giving them access to PHI.
Violations of HIPAA can result in civil or criminal penalties, so it's important to make sure you're in compliance from the start.
If you're not sure whether or not your startup is subject to HIPAA, we recommend consulting with a healthcare attorney or another expert on the matter.
How HIPAA applies to health tech startups
HIPAA has become more relevant over the last decade as healthcare organizations increasingly use digital technology to store, share, and analyze health data, which makes it important to understand how the regulations apply to the data you collect.
When it comes to health tech startups, there are a few key things you need to know about HIPAA in order to ensure you are compliant. First and foremost, the Privacy Rule applies to all PHI that is created, received, maintained, or transmitted in any form or medium, including paper records. The Security Rule applies to electronic PHI (ePHI), which is any PHI that is created, received, maintained, or transmitted in electronic form: a database row, a backup, a log line, or an email attachment all count.
Startups need to be especially mindful of ePHI, since it is easy to mishandle if proper security measures are not taken. For example, if ePHI is not encrypted in transit, it can be intercepted and read by anyone positioned on the network path. If it is not encrypted at rest, a stolen laptop, a decommissioned disk, or a misconfigured storage bucket exposes it to anyone who obtains the media, with no authorization check at all. Note that the Security Rule lists encryption as an "addressable" specification rather than a strict requirement, but you must document why you chose not to encrypt if you skip it, and under the Breach Notification Rule the loss of properly encrypted ePHI is not treated as a reportable breach. In practice, encrypt everywhere.
In order to protect ePHI and ensure HIPAA compliance, you need to put security measures and procedures in place and periodically audit your practices. The Security Rule requires a documented risk analysis as the starting point, and then administrative, technical, and physical safeguards chosen to address the identified risks, such as encryption, access control, and activity logging.
The penalties for violating HIPAA
If you are found to have violated HIPAA, you may be subject to civil and/or criminal penalties. Civil penalties are tiered by culpability, historically ranging from $100 to $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision; the dollar amounts are adjusted for inflation each year, so the current figures are somewhat higher. Criminal penalties for knowingly obtaining or disclosing PHI range from up to one year in prison and a $50,000 fine, to five years and $100,000 if done under false pretenses, to ten years and $250,000 if done with intent to sell the information or to cause malicious harm.
What startups need to do to comply with HIPAA
When it comes to meeting HIPAA compliance requirements for startups, there are some essential factors to consider. Security of PHI must be a top priority, with physical safeguards in place to protect data center servers and employee workstations, and encryption whenever PHI is transmitted, including by email or file transfer.
Furthermore, companies must have strict rules concerning access to PHI. This not only means making sure that only authorized people can reach it, but also having procedures ready for situations where unauthorized persons attempt to access PHI (for instance, through a phishing attempt). It is critical to remember that adhering to HIPAA is an ongoing activity and not something done once. That's why it's essential for companies to take the time and effort to regularly evaluate their compliance level and make modifications or corrections as needed.
Here are some best practices we recommend:
- Implement multi-factor authentication (MFA) for every account that can reach PHI; two-factor authentication is the common minimum
- When possible, require access to PHI through a VPN or an equivalent authenticated access gateway, so the systems holding it are never directly reachable from the internet
- Keep sessions that can reach PHI short: enforce an idle timeout that logs users out after a period of inactivity, plus a hard session lifetime after which they must re-authenticate, to limit the window of exposure if an account is compromised without your knowledge (the Security Rule calls this "automatic logoff")
- Designate a security officer and a privacy officer responsible for administering compliance and training, especially when onboarding new employees or contractors; the Security Rule requires a named security official
- Sign a BAA with anyone who works on your software, whether doing development or using the tools, if there is any way they can access PHI. It doesn't matter whether access is required for them to do the work: if they have access, they are a business associate (or a subcontractor of one) under HIPAA. Better still, design access so that as few people as possible can reach PHI in the first place
- Reach out for more recommendations!
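The session and logging recommendations above are easy to state and easy to get wrong. The following is an added example written for this post, not code from the original or from any particular product: a small session policy that enforces an idle timeout, a hard session lifetime, and an MFA check on every PHI access, and records each decision in an audit log. The timeout values, user names, and resource names are illustrative assumptions; HIPAA does not prescribe specific numbers.

```python
"""Session policy for PHI access: absolute lifetime, idle timeout, MFA check,
and an audit trail of every access decision.
Added example, not code from the original post; policy values are assumptions."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Illustrative values, not figures mandated by HIPAA (the Security Rule says
# "automatic logoff" and "audit controls", not how long or in what format).
MAX_SESSION_LIFETIME = timedelta(hours=12)  # hard cap: re-login after this
IDLE_TIMEOUT = timedelta(minutes=15)        # automatic logoff after inactivity


@dataclass
class Session:
    user_id: str
    mfa_verified: bool
    created_at: datetime
    last_seen: datetime
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class FakeClock:
    """Controllable clock so the policy can be exercised without waiting."""

    def __init__(self, start=None):
        self.now = start or datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

    def __call__(self):
        return self.now

    def advance(self, **delta):
        self.now += timedelta(**delta)


class SessionStore:
    def __init__(self, clock=None):
        self._sessions = {}
        self.audit_log = []  # append-only record of logins and access decisions
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _audit(self, event, user_id, outcome, resource=None):
        self.audit_log.append({
            "ts": self._clock().isoformat(), "event": event,
            "user": user_id, "resource": resource, "outcome": outcome,
        })

    def login(self, user_id, mfa_verified):
        now = self._clock()
        s = Session(user_id, mfa_verified, now, now)
        self._sessions[s.token] = s
        self._audit("login", user_id, "ok" if mfa_verified else "mfa_missing")
        return s.token

    def revoke(self, token):
        self._sessions.pop(token, None)

    def authorize_phi_access(self, token, resource):
        """Return True if the session may touch `resource`; log the decision.
        Expired sessions are revoked so a later retry cannot succeed."""
        now = self._clock()
        s = self._sessions.get(token)
        if s is None:
            self._audit("phi_access", None, "denied:unknown_session", resource)
            return False
        if not s.mfa_verified:
            self._audit("phi_access", s.user_id, "denied:mfa_required", resource)
            return False
        if now - s.created_at > MAX_SESSION_LIFETIME:
            self.revoke(token)
            self._audit("phi_access", s.user_id, "denied:lifetime_expired", resource)
            return False
        if now - s.last_seen > IDLE_TIMEOUT:
            self.revoke(token)
            self._audit("phi_access", s.user_id, "denied:idle_timeout", resource)
            return False
        s.last_seen = now  # activity resets the idle clock, never the lifetime
        self._audit("phi_access", s.user_id, "allowed", resource)
        return True


def demo():
    """Walk one user through the policy; returns the list of audit outcomes."""
    clock = FakeClock()
    store = SessionStore(clock)
    tok = store.login("dr_smith", mfa_verified=True)      # constructed sample user
    store.authorize_phi_access(tok, "patient/42")         # allowed
    clock.advance(minutes=10)
    store.authorize_phi_access(tok, "patient/42")         # allowed, idle clock reset
    clock.advance(minutes=20)
    store.authorize_phi_access(tok, "patient/42")         # denied: idle timeout, revoked
    store.authorize_phi_access(tok, "patient/42")         # denied: session no longer exists
    weak = store.login("contractor", mfa_verified=False)  # constructed sample user
    store.authorize_phi_access(weak, "patient/42")        # denied: no MFA
    return [e["outcome"] for e in store.audit_log]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two design points matter here. Activity extends the idle window but never the absolute lifetime, so a stolen token that is kept "alive" by an attacker still dies at the hard cap. And every decision, including denials, lands in the audit log with the user, resource, and reason, which is what you will need when investigating a suspected phishing-driven login or answering an OCR inquiry.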
We have experience working as a business associate with many health tech startups, and actively apply HIPAA best practices in our own work. If you are working in a health tech business or just starting out, contact us and we will schedule a meeting.