If you are a technology company developing products for the health market, you have probably heard about and maybe even been “warned” about HIPAA (the Health Insurance Portability and Accountability Act). If you are asking, “How can I avoid complying with HIPAA?” you might be asking the wrong question. Health care is almost 20 percent of the U.S. economy and craving the kind of innovation that technology companies can bring. Leaders in the health care space, like those at AcademyHealth, are pushing for changes to the health system to achieve better care, smarter spending, and healthier people. And they can’t do it without your help.
Compliance with HIPAA opens up new business opportunities, and, in an age of data breaches and privacy concerns, it can set you apart as a company that cares about protecting the information you have about your customers and the patients/clients of those you work with.
Recently, AcademyHealth facilitated a Health Data Innovator Privacy and Security Workshop supported by the California Health Care Foundation. As a featured speaker at the workshop, I’ve pulled out some of the key insights around when and how HIPAA might apply to those working in digital health.
Does HIPAA Apply to My Work?
Maybe. HIPAA does not apply to all health data. It depends on who collects or maintains the data and the relationships with HIPAA-covered entities or business associates.
Generally, HIPAA applies to health data collected or maintained by those in the traditional health care space, including health plans and most health care providers (such as doctors, hospitals, pharmacies, and labs) as well as those doing business on behalf of these entities (such as a billing company or a cloud storage provider (CSP)). However, if the same data is held by the consumer or by a product or company that has a relationship only with the consumer, then it is not covered by HIPAA, although other federal laws may apply. Typically, technology companies will be business associates working with clients that are covered health care providers or health plans.
The same product may require HIPAA compliance in some circumstances and not in others. For example, a company that is collecting health data through a remote patient monitoring device will have to comply with HIPAA if it is providing the service for a doctor or hospital, but not if it is collecting it for the patient for her own use. Similarly, if a patient collects her blood pressure information and notices an aberration that she wants to share with her doctor, the fact that the technology enables this communication to occur does not, in and of itself, trigger HIPAA compliance. The analysis can get complicated when technology companies sit in between the health care provider or health plan and the consumer. There is guidance on mobile apps that provides some clarity; however, the lines are not clear, and it is wise to have an expert help you determine if and how HIPAA is triggered.
Even technology companies not solely operating in the health care space may be required to comply with HIPAA. There has been recent HIPAA cloud computing guidance explaining that when an entity that is required to comply with HIPAA engages the services of a cloud storage provider (CSP) to create, receive, maintain, or transmit identifiable health information on its behalf, the CSP is a business associate under HIPAA with compliance obligations. This is true even if the CSP processes or stores only encrypted health information and lacks an encryption key for the data.
My Work is Covered by HIPAA. What Do I Need to Know?
The HIPAA rules are complex. But there are two primary things to consider as a business associate under HIPAA:
- What are you allowed to do with identifiable health or demographic data? AND
- What do you need to do to secure that data?
First, it is important to think about the data flows and the purposes behind the uses or disclosures of identifiable data. HIPAA generally allows uses and disclosures of protected health information (PHI) for treatment, payment, and health care operations. These terms are defined in detail so it is important to look at what is covered within each of these categories. HIPAA also allows disclosure of information to the consumer.
HIPAA limits uses and disclosures of PHI for marketing purposes and prohibits the sale of such information, so make sure your business model isn’t dependent on this. Even if a use or disclosure is generally permitted by the HIPAA rules, it may be limited. HIPAA requires that uses and disclosures of PHI be limited to the minimum necessary for a particular purpose. Furthermore, a client that is a covered entity may further limit your ability to use or disclose PHI through the business associate agreement. It is therefore very important to consider what you want to do with PHI before signing a business associate agreement that may limit your use of the data.
Second, business associates must comply with requirements to secure PHI that they hold. It is critical to conduct a security risk assessment and reasonably mitigate risks that are identified. The HIPAA Security Rule is designed to be flexible and scalable. A lawyer can help by working with a security company that conducts risk analyses to be sure that the recommendations are consistent with these scalable legal requirements.
My Work Doesn’t Trigger HIPAA. Am I Home Free?
In short, no. There are other legal requirements at play even if you don’t have to comply with HIPAA. There are state laws regarding disclosure of data and breach notification as well as the Federal Trade Commission (FTC) Act, which protects consumers from unfair or deceptive trade practices. The FTC has published a lot of guidance. Some of the key principles are:
- Implement privacy and security by design.
- Assess risks, address them, and re-evaluate as you adopt new technologies or uses of data.
- Develop privacy and data use policies for consumers and make sure you act accordingly.
The Bottom Line
HIPAA and other federal laws may add obligations to your business, but they can also serve as a guidepost to ensure you are taking steps to protect the health data of your consumers and your enterprise data. If you think you might be collecting or maintaining data that is protected by HIPAA, consult with an expert who can help you determine what you can and cannot do with the data and help you assess your security risks and safeguards. It is important to do this as you are developing your product and business strategy so that you design privacy and security into your product or service. It may be key to your business success!
*Support for AcademyHealth’s Health Data Innovator Privacy & Security Initiative is provided by the California Health Care Foundation