Most entrepreneurs perceive the Health Insurance Portability and Accountability Act (HIPAA) standards as a hurdle that is difficult to overcome and may hamper the success of their venture. This, however, is not the case. HIPAA is fairly easy to deal with if the venture operates with the goal of being successful. HIPAA will not be a hurdle and is not designed to kill your startup, as long as you know the minimum criteria you need to meet.
As a general rule, HIPAA regulates health insurers, self-insured employers, claims clearinghouses and business associates that handle protected health information. HIPAA was designed to make the healthcare system more efficient and to increase the number of people with health insurance coverage. Every healthcare entrepreneur needs to know that there are three main provisions of HIPAA. These include the portability provisions, the tax provisions and the administrative simplification provisions.
Any developer who intends to launch and market a healthcare app needs to understand the provisions of HIPAA and the importance HIPAA places on protected health information. Not every healthcare app has to follow the rules of HIPAA, but if an app collects, stores or is capable of sharing personal health information with doctors and hospitals, then that app absolutely must be HIPAA compliant. Keep in mind that HIPAA was introduced nearly 20 years ago. At that time there were no mobile apps, so app developers and marketers need to be extra vigilant about what applies to them and what doesn’t.
Any healthcare app that sends or shares health data with a healthcare provider, be it a doctor, hospital or any other healthcare entity, must adhere to the HIPAA Privacy and Security Rules. Because mobile phones, tablets and wearable health devices are easily lost or stolen, there is a real possibility that protected health information (PHI) could be compromised. In addition, the ease of access to social media and email through these devices makes it more likely that the app will breach HIPAA privacy rules. Finally, there is always the chance that the user intentionally or unintentionally shares personal health information in a way that violates HIPAA. Security is also a concern, since most of these devices lack physical keyboards and users tend to choose simple passwords that put the data at risk.
HIPAA is very comprehensive, but if you want a simple way to determine whether your app needs to be HIPAA compliant, there is a straightforward rule. Any personal information that identifies the individual in question and can be transmitted to a healthcare entity must be handled in compliance with HIPAA. This includes all personal medical information, medical records, images, appointment dates and so on. Similarly, any app that records and shares patient information in any way has to be HIPAA compliant. However, an app that simply lets the user record their weight, monitor their calories, look up medical reference or disease information, manage their diet and the like does not need to be HIPAA compliant.
It is also important to determine which level of HIPAA compliance an app requires. This depends on the kind of data the app stores and shares. Any app that records data will be closely scrutinized, as HIPAA has very strict privacy and security regulations. However, apps with a zero footprint, i.e. those that access data on a secure server while the app itself stores no information, are less likely to be closely monitored.
The ultimate goal of the act is to regulate health insurance policies and to give healthcare organizations guidelines for effectively maintaining the privacy and security of health information. Entrepreneurs must keep in mind that they are expected to implement the privacy safeguards outlined by HIPAA. This means that they are not allowed to use patient information for any purpose other than treatment or payment-related matters.
While the privacy and security of patient information are HIPAA's ultimate focus, there are also certain physical safeguards one needs to be aware of. These physical safeguards are designed to protect the physical facilities of the enterprise as well as any computers and devices that contain protected health information. This includes all data centers, offices, laptops, workstations and cloud-deployed data. Compliance must be ensured with respect to facility access controls, workstation use, workstation security, device and media management, and so on.
While a business should aim to avoid such an event, it is important to know what to do in case of a reportable HIPAA breach. Know the procedure. Know what you must do in case of such a breach and who you need to notify. You should also know how quickly you must notify them. In most cases, breaches must be reported within 60 days of being discovered.