HIPAA Basics: A Guide for Startups
The Health Insurance Portability and Accountability Act, passed in 1996, was originally created to protect sensitive healthcare data from breaches, exposure, and misuse on the part of companies entrusted with that data. If your business manages or handles any protected health information—even if you aren’t an insurance provider—the laws of this act apply to you.
HIPAA compliance may not be a new concept for large, established firms that have been managing health data for years. But far too often, fledgling startups place HIPAA at a low position on their list of priorities, and as a result, they find themselves scrambling to stay ahead of the scrutiny of potential clients.
What is HIPAA and Why Does it Matter?
HIPAA can be broken down into three central components: 1) the Privacy Rule, which protects individual health information, 2) The Security Rule, which sets national standards for data security, and 3) the Breach Notification Rule, which requires companies to report any breach of protected information. Protected information can include health records, social security numbers, contact information, clinical notes and insurance details.
How to Determine if HIPAA Rules Apply to Your Company
The law identifies two lists of entities that need to stay compliant: Covered entities and business associates. Covered entities include doctors, hospitals, insurers, self-insured employers and companies that process and handle claims. “Business associates” include all those who handle data on behalf of these covered entities. Most startups that are caught off guard by HIPAA compliance issues fall into the “business associates” category; if you haven’t investigated these issues or assume HIPAA rules don’t apply to you, take a closer look.
Early stage development and early financing rounds represent the best time to secure all issues and to-dos related to regulatory compliance, and companies that handle and manage sensitive data would be wise not to put off this task. Securing data from the ground up will help businesses build with compliance in mind, and will help them avoid the struggle of paying hefty fines after being reported to the government.
Bear in mind that HIPAA accountability transfers between connected companies, so a violation or breach at a startup “business associate” will also represent a breach for the company’s customers. Large clients (like hospitals and insurers) may hesitate to associate themselves with startups that haven’t rigorously addressed all compliance issues well in advance of any partnership. So establishing compliance won’t just keep a company out of trouble; it can also open the door to larger contracts.