HIPAA Basics: Checklist for Healthcare Startups

The Health Insurance Portability and Accountability Act (HIPAA) is one of the most essential, and strictest, regulatory frameworks for data security in the United States. It was enacted to keep patients’ protected health information (PHI) safe from prying eyes in all circumstances, which means the tenets of HIPAA apply to data both while it’s in transit and at rest. 

Healthcare startups sometimes have a hard time determining how to ensure regulatory compliance. It’s important to understand HIPAA compliance, though, because just one data breach can result in large fines and massive reputational losses that could leave an established company struggling, let alone a startup. Read on to find a checklist of what it takes to cover the basics of HIPAA.

Know When HIPAA Applies

It’s obvious that HIPAA applies to all healthcare settings, from hospitals and clinics to small-town doctor’s offices. What’s less obvious is when it applies to companies working adjacent to the healthcare industry, providing services and acting as business associates. As a general rule, it’s safe to assume that if a startup will be handling PHI, it will be subject to HIPAA and should take adequate steps to ensure compliance as early on as possible. Examples of companies that are considered covered entities under HIPAA include:

•  Health insurance providers, including employers and schools as well as insurance companies.

IT service providers that work with healthcare companies, including software vendors, managed IT providers, and any others that come into contact with PHI.

Third-party associates such as HR companies, accountants, medical equipment suppliers, subcontractors, private auditors, and others.

Ensure Technical Compliance

Technical compliance with HIPAA standards is arguably the easiest place to start since it’s a black-and-white field. To ensure that all of their software and IT services are in compliance, healthcare startups will need to:

•  Make sure user verification is required at critical stages.

Use software that restricts access to PHI by including only the details required for an authorized viewer to perform their job.

Keeping backups of data.

Ensuring secure transmission of data to prevent unauthorized access.

Guarantee Physical Compliance

While most of the attention today goes to making sure patients’ sensitive data is protected from hackers and other malicious actors outside of the facilities, it’s just as important to ensure physical compliance with HIPAA. That requires:

•  Limiting physical access to the company’s systems.

Restricting the use of personal devices.

Creating systems for managing PHI stored across devices.

Securing workstations.

Restricting the use of workstations.

Focusing on Administrative Compliance

Administrative compliance involves the creation of policies and protocols surrounding any PHI used by an organization. Administrative compliance involves things like ensuring the company adheres to HIPAA privacy and security rules and drafts privacy policies that explicitly outline relevant guidelines. Ensuring administrative compliance also requires:

•  Assigning a HIPAA security officer.

Creating a remediation plan.

Conducting staff training sessions.

Developing contingency plans for security breaches.

Identifying third-party points of access to PHI and restricting it as needed.

Don’t Underestimate the Importance of Remaining Compliant

Any healthcare company or third-party covered entity can wind up running afoul of HIPAA, but startups are particularly vulnerable because they have not yet had time to develop best practices. It’s helpful to have someone on the team who has experience with HIPAA guidelines. Either way, be sure everyone understands the importance of remaining compliant because it can make or break a new company.