HIPAA 101: (Almost!) everything you need to know

One of the most important elements of building digital products in healthcare is also the least well understood: HIPAA compliance. While the term is ubiquitous, the ins and outs of how HIPAA compliance applies to different organizations can be quite complex. This is caused in part by the lengthy, jargon-filled documentation and in part by the incentive of HIPAA consultants and auditors to keep the laws as opaque as possible. 

We’ve put together a guide to help break HIPAA guidelines down into digestible pieces so you can walk away with a clear understanding of how your business or practice should protect patient health data.

Please note: This is not legal advice and should not be construed as such. Every individual and entity should work with proper and credentialed legal representation to plan and validate their own compliance programming.

HIPAA 101

Let’s start with the basics: What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act. The federal law was passed in 1996 to protect patient privacy by establishing standards around the use of sensitive health data. HIPAA’s guidelines restrict the use of sensitive health information—referred to as “protected health information”—by providers, payers, third-party software or service providers, or any other company that comes into contact with patient data in a healthcare setting. To put it simply, the law seeks to keep patient data out of the wrong hands and used for the wrong purposes.

There are several terms used in the HIPAA standards that are important to understand. Here’s a short glossary:

• Protected Health Information (PHI): PHI refers to an individual’s health data that has been collected in a HIPAA-eligible healthcare setting. We’ll explain “HIPAA-eligible care” in the next section.
• Confidentiality: In this context, confidential means that PHI is only shared with those who are authorized to access it. 
• Integrity: Maintaining integrity under HIPAA means that information is an accurate reflection of patient health and has not been altered.
• Availability: Information should be readily available for those who need it and should be accurate. 

Now that we’ve covered the basics, let’s move on to the most common question we receive from healthcare business leaders: How do I know if I’m subject to HIPAA?

Is your org subject to HIPAA?

This guide is written for two groups who are subject to HIPAA standards: Organizations directly handling PHI (“covered entities”) and companies who provide services to those organizations (“business associates”). Here’s a bit more detail about each: 

• Covered Entities (CE): Covered entities interact directly with PHI and are therefore directly regulated by the HIPAA rule. This includes healthcare providers (hospitals, private practices, digital clinics) and healthcare payers (insurance companies). Covered entities can be individuals, non-profit organizations, for-profit businesses, or even state or federal agencies.
• Business Associates (BA): Providers and payers are not the only ones with access to patient data—oftentimes software and service providers also house or process PHI. Business Associates refer to those companies with access to patient information either through covered entities or other business associates. These BAs are typically asked to sign a Business Associate Agreement (BAA) to formalize data protection best practices. One example of a Business Associate is a cloud-based health record company who sells electronic health record software to clinics.

If you provide services or software in the healthcare industry, you’ve likely been asked to execute a Business Associate Agreement (BAA). The BAA essentially means that you are accepting responsibility (and liability) for the PHI to which you have access and agreeing to comply with the HIPAA rule. A few important notes about BAAs: 

• Your customers may insert additional requirements in a BAA beyond those required by law.
• Some covered entities will require you to sign a BAA even if it’s unlikely you will process PHI on their behalf—it may simply be required of every contractor.

What about consumer health brands?

Many virtual health companies offer direct-to-consumer (DTC) products or services outside of traditional healthcare clinics or health systems. If your business fits into this category, you may not be considered a covered entity and therefore may also not be subject to HIPAA. But there are three important caveats to consider here: 

1. If a DTC health company works with traditional providers or payers they are likely subject to HIPAA as a business associate. So even though your company may not be considered a covered entity, you may work directly with an organization or practice that is. 
2. Assuming point one above is not relevant, it’s important to consider end user expectations. Consumers in the US have become accustomed to the data privacy rules under HIPAA in any health-related space. Even though you may not be technically bound by HIPAA standards, your company should think carefully about how you treat user data and communicate those practices to consumers. 
3. A final point to keep in mind is whether there are any relevant state privacy laws which may impact your organization.These laws vary greatly from state to state so familiarizing yourself with expectations of states in which your company operates is key. 

How to get (and stay!) HIPAA compliant

At a high level, becoming HIPAA compliant involves reviewing several different aspects of the business: 

• Software Application Design: How is your platform designed? How do users or patients interact and share data? How do you communicate privacy and security policies to users?
• Technical Implementation: If you build software, how is the system built? Where is data stored and what third parties have access to it?
• Workforce and Organizational Practices: How do employees access data? What devices do they use? What security training and practices are in place?
• Physical Space: How is the physical work space organized and secured? How do you ensure that information is only shared with those who need it?

There is a common misconception that HIPAA compliance is all about technical security. But in fact, most HIPAA standards have to do with non-technical security best practices. HIPAA requirements, when properly met, reduce both your liability for legal non-compliance as well as your risk of experiencing a data breach. As it turns out, one of the most common causes of data breaches is a lost laptop or phone that hasn’t been secured correctly. 

The best way to prevent risks is to build strong organizational awareness and empower every member of your organization to take ownership to prevent risks. Although it may seem limiting, HIPAA actually allows for a lot of flexibility in how organizations comply. This can be beneficial because it allows companies to comply in a way that works best for them. On the flipside, however, it can also be overwhelming to navigate HIPAA without clear guidance on exactly what to do. We’ve put together the following checklist to help you find a compliance strategy that works best for your business. This is by no means a comprehensive list, but it is a good place to start to meaningfully reduce your risk.

Compliance in action

The following checklist guides you through steps you can take to reduce risk of HIPAA violations in your organization.

❏ Form a HIPAA Working Group

Even if your organization is just getting off the ground, you should create a dedicated HIPAA working group. This group typically consists of a senior executive such as your CEO and another individual who can act as security officer if a formal role does not yet exist. Without clearly assigning HIPAA responsibilities within an organization, these measures can fall through the cracks. 

❏ Take Inventory of PHI

First take stock of what information you are storing, and what of that information is PHI. This includes any personally identifiable health information. This includes health records, health histories, lab test results, and medical bills with patient identifiers such as names, addresses, and other information that could be used to identify individuals such as email addresses. It generally includes any health information which can be associated with an individual.

Next, identify where and how you store that PHI. You are responsible for two key areas of information security:

• All of the systems, databases, and applications where data is temporarily or permanently stored must be secure.
• The ways in which employees access that data must be secure. 

This includes applications and databases that are built in-house as well as Saas tools your employees use and hardware systems like phones and laptops. And don’t forget the non-digital mediums—printed or hand-written PHI is no exception. 

❏ Review Third-Party Systems

Any third-party systems or software that touch PHI must also be managed responsibly. Third-party vendors who touch PHI should all sign Business Associate Agreements (BAAs) to ensure that they are held to HIPAA standards. If a third-party is unwilling to sign a BAA, you should not provide them access to PHI. This might mean changing how your application interfaces with third-party systems such as those that support app features including email, push notifications, or video streaming delivery.

Use the “minimum necessary” principle when giving access to systems with PHI—this is a good rule for protecting confidential information more broadly. It means that individuals (or third-party companies) should be given the minimum amount of data access necessary for them to complete their job. This access should also be managed carefully when offboarding third-party services or employees. There should be a structured and documented process for giving and withdrawing access to each part of the system. 

One common area of confusion that we hear about is application hosting. While the major cloud providers offer HIPAA compliant services, it’s important to understand which responsibilities still belong to your company if you choose one of these providers. There are also many compliant third-party hosting companies which help you fulfill your responsibility in securing cloud based PHI. 

❏ Set Employee and Contractor Guidelines

Pre-employment: It’s important that you have a clear written agreement with employees before they start working with PHI. The agreement should explicitly state that confidential information you share with them will remain confidential. This is true of both full-time employees and contractors.

Training: All employees and contractors should be trained in order to ensure compliance. This training should include basics of HIPAA as well as the role each employee should play in maintaining compliance.

During employment: Each member of the organization should work from a secure, protected piece of hardware (e.g. laptop, tablet, phone). It’s easiest to secure workstations before giving equipment to the employee to ensure that all appropriate measures are taken. 

Post-employment: When an employee or contractor leaves the organization (quits or is fired), make sure that you have a structured off-boarding process. This includes things like removing access to accounts across digital applications and collecting any hardware or keys.

❏ Secure your Physical Spaces

Physical access is one of the easiest ways in which an attacker can breach confidential information. Consider the following protocols: 

• Keep maintenance records
• Lock facilities and keep accurate records about who has access, when that access is revoked, etc.
• Come up with contingency plans for how the organization can function if physical facilities are unavailable (e.g. natural disaster or pandemic)
• Take additional steps to prevent physical access to IT resources with access to PHI (e.g. workstations, servers, and external hard drives)
• Have a clear standard operating procedure for giving and collecting keys to physical locations

❏ Manage your Internal Application 

Managing an internal application is also key to compliance for those organizations whose services are delivered through a mobile or web app. Consider the following app best practices: 

• Session Timeouts: If a user leaves a web or mobile app open for a certain period of time without taking any action, the system should automatically “time out” and prompt the user to log back in. This protects against situations where someone leaves their device unattended and someone else starts using it. 
• Encrypted Data: PHI should be encrypted when (1) stored inside a database, (2) stored on a user’s device for a mobile app, and (3) sent over the network.
• Secure Development Practices: As described above, the same “minimum necessary” principle should be used with technical systems such as servers, code, etc. so employees and contractors have only the minimum amount of access needed to do their work. It’s also important that risks are re-evaluated each time the app feature set changes.

❏ Perform a Risk Assessment and Gap Analysis

A risk assessment is a formal way of cataloging all risks faced by an organization. Gap analysis helps you overlay corresponding organizational processes over HIPAA requirements to identify any gaps or areas of concern. Together these analyses help demonstrate that all risks have been mitigated by appropriate security measures. 

If you have ideas about how to make this guide more useful or accurate, please email zach@htdhealth.com with your feedback.