A primer on who is bound by HIPAA and how to maintain compliance over time
One of the most important elements of building digital products in healthcare is also the least well understood: HIPAA compliance. While the term is ubiquitous, the ins and outs of how HIPAA compliance applies to different organizations can be quite complex. This is caused in part by the lengthy, jargon-filled documentation and in part by the incentive of HIPAA consultants and auditors to keep the laws as opaque as possible.
We’ve put together a guide to help break HIPAA guidelines down into digestible pieces so you can walk away with a clear understanding of how your business or practice should protect patient health data.
Please note: This is not legal advice and should not be construed as such. Every individual and entity should work with proper and credentialed legal representation to plan and validate their own compliance programming.
Let’s start with the basics: What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act. The federal law was passed in 1996 to protect patient privacy by establishing standards around the use of sensitive health data. HIPAA’s guidelines restrict the use of sensitive health information—referred to as “protected health information”—by providers, payers, third-party software or service providers, or any other company that comes into contact with patient data in a healthcare setting. To put it simply, the law seeks to keep patient data out of the wrong hands and to keep it from being used for the wrong purposes.
There are several terms used in the HIPAA standards that are important to understand. Here’s a short glossary:
Now that we’ve covered the basics, let’s move on to the most common question we receive from healthcare business leaders: How do I know if I’m subject to HIPAA?
This guide is written for two groups who are subject to HIPAA standards: Organizations directly handling PHI (“covered entities”) and companies who provide services to those organizations (“business associates”). Here’s a bit more detail about each:
If you provide services or software in the healthcare industry, you’ve likely been asked to execute a Business Associate Agreement (BAA). The BAA essentially means that you are accepting responsibility (and liability) for the PHI to which you have access and agreeing to comply with the HIPAA rule. A few important notes about BAAs:
What about consumer health brands?
Many virtual health companies offer direct-to-consumer (DTC) products or services outside of traditional healthcare clinics or health systems. If your business fits into this category, you may not be considered a covered entity and therefore may also not be subject to HIPAA. But there are three important caveats to consider here:
At a high level, becoming HIPAA compliant involves reviewing several different aspects of the business:
There is a common misconception that HIPAA compliance is all about technical security. But in fact, most HIPAA standards have to do with non-technical security best practices. HIPAA requirements, when properly met, reduce both your liability for legal non-compliance and your risk of experiencing a data breach. As it turns out, one of the most common causes of data breaches is a lost laptop or phone that hasn’t been secured correctly.
The best way to prevent risks is to build strong organizational awareness and empower every member of your organization to take ownership of preventing them. Although it may seem limiting, HIPAA actually allows for a lot of flexibility in how organizations comply. This can be beneficial because it allows companies to comply in a way that works best for them. On the flip side, however, it can also be overwhelming to navigate HIPAA without clear guidance on exactly what to do. We’ve put together the following checklist to help you find a compliance strategy that works best for your business. This is by no means a comprehensive list, but it is a good place to start to meaningfully reduce your risk.
The following checklist guides you through steps you can take to reduce risk of HIPAA violations in your organization.
❏ Form a HIPAA Working Group
Even if your organization is just getting off the ground, you should create a dedicated HIPAA working group. This group typically consists of a senior executive such as your CEO and another individual who can act as security officer if a formal role does not yet exist. Without clearly assigning HIPAA responsibilities within an organization, these measures can fall through the cracks.
❏ Take Inventory of PHI
First, take stock of what information you are storing and which of that information is PHI. PHI includes any personally identifiable health information: health records, health histories, lab test results, and medical bills with patient identifiers such as names, addresses, and other information that could be used to identify individuals, such as email addresses. It generally includes any health information that can be associated with an individual.
Next, identify where and how you store that PHI. You are responsible for two key areas of information security:
This includes applications and databases that are built in-house as well as SaaS tools your employees use and hardware systems like phones and laptops. And don’t forget the non-digital media—printed or hand-written PHI is no exception.
❏ Review Third-Party Systems
Any third-party systems or software that touch PHI must also be managed responsibly. Third-party vendors who touch PHI should all sign Business Associate Agreements (BAAs) to ensure that they are held to HIPAA standards. If a third party is unwilling to sign a BAA, you should not provide them access to PHI. This might mean changing how your application interfaces with third-party systems such as those that support app features including email, push notifications, or video streaming delivery.
Use the “minimum necessary” principle when giving access to systems with PHI—this is a good rule for protecting confidential information more broadly. It means that individuals (or third-party companies) should be given the minimum amount of data access necessary for them to complete their job. This access should also be managed carefully when offboarding third-party services or employees. There should be a structured and documented process for giving and withdrawing access to each part of the system.
One common area of confusion that we hear about is application hosting. While the major cloud providers offer HIPAA-compliant services, it’s important to understand which responsibilities still belong to your company if you choose one of these providers. There are also many compliant third-party hosting companies that help you fulfill your responsibility in securing cloud-based PHI.
❏ Set Employee and Contractor Guidelines
Pre-employment: It’s important that you have a clear written agreement with employees before they start working with PHI. The agreement should explicitly state that confidential information you share with them will remain confidential. This is true of both full-time employees and contractors.
Training: All employees and contractors should be trained in order to ensure compliance. This training should include basics of HIPAA as well as the role each employee should play in maintaining compliance.
During employment: Each member of the organization should work from a secure, protected piece of hardware (e.g. laptop, tablet, phone). It’s easiest to secure workstations before giving equipment to the employee to ensure that all appropriate measures are taken.
Post-employment: When an employee or contractor leaves the organization (quits or is fired), make sure that you have a structured off-boarding process. This includes things like removing access to accounts across digital applications and collecting any hardware or keys.
❏ Secure your Physical Spaces
Physical access is one of the easiest ways in which an attacker can breach confidential information. Consider the following protocols:
❏ Manage your Internal Application
Managing an internal application is also key to compliance for those organizations whose services are delivered through a mobile or web app. Consider the following app best practices:
❏ Perform a Risk Assessment and Gap Analysis
A risk assessment is a formal way of cataloging all risks faced by an organization. Gap analysis helps you overlay corresponding organizational processes over HIPAA requirements to identify any gaps or areas of concern. Together these analyses help demonstrate that all risks have been mitigated by appropriate security measures.