Any startup who works with a United States healthcare organisation of any kind must demonstrate HIPAA compliance. HIPAA, the Health Insurance Portability and Accountability Act set out in US law in 1996 requires anyone who touches the protected health information of users to appropriately protect the privacy and security of this data. Done properly, demonstrating HIPAA compliance for startups will have benefits for the entire organisation.

Under HIPAA, protected health information (PHI) is any health information that can be tied to an individual. Under the HIPAA regulations, protected health information is a combination of health information such as a diagnosis, treatment information, test results, or prescriptions, combined with information that identifies the patient such as their name, location, contact details, payment details, and more. Furthermore, if identifiers are removed, the data is no longer restricted under HIPAA.

HIPAA Compliance Requirements

HIPAA is designed to protect user health information held in electronic systems. HIPAA’s compliance requirements are set out in a series of rules:

The HIPAA Privacy Rule sets out requirements for appropriate safeguards to protect patient privacy, and limits the uses of this information without explicit consent from the user. The privacy rule also gives patients rights in requesting their data.

The HIPAA Security Rule sets out requirements for administrative, physical, and technical safeguards to protect the confidentiality, integrity, and security of PHI. These security safeguards include risk analysis and management, employee training and discipline, security policies including incident response policies, physical security protections, encryption, access, control, and authentication, and more.

The HIPAA Breach Notification Rule defines breaches and sets out requirements for organisations in the event of a breach.

The HIPAA Enforcement Rule sets out how HIPAA will be enforced, including monetary penalties for violations of the rules.

Why is HIPAA compliance for startups important?

HIPAA applies to anyone who routinely handles (stores, transfers, processes) protected health information (PHI) belonging to US citizens. This includes ‘business associates’ of healthcare settings, including software development companies who develop products or provide services to the healthcare providers defined as ‘covered entities’.

As business associates, HIPAA compliance for startups require them to demonstrate that they are HIPAA compliant to their customers. Failure to demonstrate this compliance opens the company up to the risk of a fine from HIPAA.

How to achieve HIPAA compliance certified status

HIPAA certification is not required by law under HIPAA, but it does have practical benefits for organisations including the requirements to consider security risk, and implement policies, procedures, and controls to protect PHI.

HIPAA compliance for startups can be achieved in two ways: a point in time HIPAA compliance audit and accreditation by a third party auditor (with no legal standing); or recognition that the organsation’s workforce have achieved a level of HIPAA knowledge and compliance with their security policies and procedures.

Startups who are defined as business associates under HIPAA may choose to undertake a third party HIPAA compliance audit to ensure that their products, services, policies, and procedures meet HIPAA’s standards.

It is important to note that HIPAA compliance verification does not remove the obligation to be HIPAA compliant going forward, and does not guarantee that an organisation will not be found to have a security violation going forward.

The seven elements of effective compliance

While the route to compliance is not prescribed, the HHS Office of Inspector General set out the seven elements of effective compliance to provide the skeleton for a HIPAA compliance program. These seven elements will be used by HIPAA compliance companies to assess HIPAA compliance for startups.

Implementing written policies, procedures and standards of conduct

Auditors will be looking for evidence that the administrative, technical, and physical safeguards specified in the HIPAA Security Rule have been addressed. As these safeguard areas are general, many organisations find that a framework such as ISO 27001 provides helpful guidance on controls.

Administrative safeguards: Risk analysis and management; Sanctions for employees who don’t comply with policies; Regular review of system activity; PHI access rights; Awareness and training (password controls, log-in monitoring, training reminders); Incident protocols; and Contingency planning

Physical safeguards: Office/ facility access; Office/ facility security; Device/ computer security and access; and Physical PHI storage (device disposal, data backup, etc.)

Technical safeguards: Unique user identification; Automatic log-off; Encryption and decryption; Auditing app and backend activity; MFA and other authentication; and Integrity controls

In addition, organisations must be able to show that they have a full set of relevant security policies in place, and they may be asked to produce evidence of security risk analysis activity, asset and device audits, and even a HITECH Subtitle D audit. They will also be required to show that they have remediation processes in place to address any gaps discovered during the audit.

Designating a compliance officer and compliance committee

Organisations must designate a compliance officer who takes overall responsibility for achieving HIPAA compliance. This officer must also be backed up by a group of other key figures across the organisation who oversee the work of the compliance officer but are also in a position to lead the necessary security culture across the organisation.

Conducting effective training and education

HIPAA contains a strong emphasis on employee responsibilities towards protecting PHI. Organisations who are aiming for HIPAA compliance will need to demonstrate that employees are will trained in their security responsibilities, that they understand the security policies and procedures in place, and that they follow these rules.

Developing effective lines of communication

Organisations are required to maintain effective lines of communication with suppliers and customers to ensure that the entire supply chain has effective security controls in place to ensure HIPAA compliance. This includes HIPAA Business Associate Agreements between the startup and their relevant covered entity, or between different organisations along the supply chain.

Conducting internal monitoring and auditing

The organisation must be able to demonstrate that they monitor the success of their security programme and that they conduct audits of systems and processes to ensure that they meet the organisation’s needs. HIPAA guidance doesn’t specify how organisations can demonstrate this, but one way to demonstrate the effectiveness of the programme and to verify that all systems are in compliance is through a thorough security assessment.

Furthermore, the organisation is required to carry out a documentation audit to ensure the documentation required by HIPAA is maintained and accurate.

Enforcing standards through well-publicized disciplinary guidelines

As mentioned in element 3 above, HIPAA places great emphasis on employee responsibilities towards protecting health information. Here, organisations are expected to demonstrate that security responsibilities are reflected in employee contracts and associated disciplinary policies and guidelines, which must make it clear to all employees that failure to follow security policies will be disciplined.

Responding promptly to detected offenses and undertaking corrective action

The organisation must have an incident response plan which contains procedures for responding effectively to a data breach or other reportable HIPAA violation.

Beginning the HIPAA compliance for startups journey

HIPPA compliance for startups may feel like a long journey to take, but it is a necessary one if they work with any US-based organisation involved in any part of the healthcare system.

The important thing is to take it step by step and engage outside help if required. In addition, answering the questions that HIPAA asks can help the organisation become more secure overall, ultimately improving their standing with customers across all sectors.

Stay safe

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA-176747747-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
CONSENT	16 years 5 months	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

What is HIPAA Compliance for Startups?

HIPAA Compliance Requirements

Why is HIPAA compliance for startups important?

How to achieve HIPAA compliance certified status

The seven elements of effective compliance

Beginning the HIPAA compliance for startups journey

Recent Posts

How to build a cybersecurity strategy for startups

ISO 27001 vs SOC 2 – Which is better for your organisation?

Encryption of data in use: A new standard in data protection

What is HIPAA Compliance for Startups?

Benefits of ISO 27001: Why you need a cybersecurity framework

Are you the weakest link? How to prevent software supply chain attacks

Services

Location & Contact Details

Stay Connected