What the HIPAA? Demystifying healthcare regulations for startups

However, the healthcare sector is also one of the most highly regulated industries in the US, which presents a number of legal landmines that startups must navigate. And the cost for stepping on one could be high: Unlike laws in some other sectors, many healthcare laws and regulations include criminal penalties in addition to civil fines or liability.

So, how does one “disrupt” in the healthcare space while bootstrapping?

Below, we break down one of the most ubiquitous areas that trip up startups in or adjacent to the healthcare industry — the Health Insurance Portability and Accountability Act, or HIPAA. We spell out what HIPAA is, explain its applicability and offer a few quick tips on how to address this law. We also briefly flag a few other healthcare information privacy and security regulations that should be on your radar as a startup in the healthcare space.

What is HIPAA?

HIPAA, along with its implementing regulations and related guidance, constitutes the foundational federal law covering health information privacy and security. The regulations promulgated by the Department of Health and Human Services govern the use and disclosure of all “protected health information” or “PHI.” PHI includes all individually identifiable information that relates to a person’s past, present or future physical or mental health or conditions; the provision of healthcare to the individual; and the past, present or future payment for the provision of healthcare to the individual. This includes demographic data.

The regulations governing the use and disclosure of PHI are broken into several “rules,” including: the Privacy Rule, which regulates what covered entities can and can’t do with protected health information; the Security Rule, which lays out both general and specific measures that covered entities must take to protect against accidentally sharing protected health information; and the Enforcement Rule, which sets forth how the government enforces the Security and Privacy rules.

Despite popular beliefs, though, HIPAA does not prohibit all sharing of protected health information. To the contrary, HIPAA is largely designed to be a regulation that facilitates information sharing, so long as it is done in a safe and careful manner.

Well, that sounds scary. Do I need to worry about HIPAA?

If you handle PHI, you are probably subject to HIPAA regulations. HIPAA regulations directly cover health plans, healthcare clearinghouses and healthcare providers who conduct certain financial and administrative transactions electronically (“covered entities”). Entities that perform functions or activities for or on behalf of a covered entity are also subject to HIPAA regulations if their involvement requires access to or use of PHI. These other entities are called “business associates.” For example, if you store patient records in a cloud service for a covered entity, you would be covered by HIPAA as a business associate. Business associates offer a broad spectrum of services, from financial and booking services to mobile app data tracking and aggregation, all of which is regulated by HIPAA. Business Associates must have in place a specific kind of contract — a Business Associate Agreement or BAA — with each covered entity. HIPAA regulations and BAAs govern how, and with whom, a covered entity or business associate may use or share health information, as well as the safeguards required to protect this information from unauthorized access.

What to do if you are covered?

If you think your startup might be covered by the HIPAA regulations because it’s a covered entity or a business associate, the first thing you need is to review what you are required to do and implement a set of HIPAA policies to do it. The Department Health and Human Resources website on HIPAA is surprisingly robust, and can help you figure out what is required. As for policies, legal counsel can prepare these for you, but many large companies have their HIPAA policies publicly available, and you can use those to model your own.

If you think you are not a covered entity, but might be a business associate, ask your business partner! They will be able to tell you if you are considered a business associate, and most likely will be able to provide you with a BAA. If they don’t have one, or ask you to prepare one, the Department of Health and Human Services has a sample (linked above).

Though the most notable, HIPAA is not the only law governing health information. Other relevant regulatory frameworks include:

• The Federal Trade Commission’s “Health Breach Notification Rule,” which addresses how vendors of personal health records (and certain related entities) must notify consumers following a data breach involving unsecured information. While hopefully this rule never applies to your startup, you should be aware that it exists and develop policies to mitigate any data breach.
• There are specific rules for substance use disorder records, known as “Part 2,” which provide strict regulations in addition to HIPAA. Part 2 only applies to certain specific types of entities, but the penalties for violations of Part 2 are severe. If you handle records relating to substance abuse disorder, you should consult counsel to evaluate Part 2 compliance.
• Most states have laws relating to specific types of information, such as that relating to HIV or mental health. These laws are often extremely specific and strict. You should consult counsel to evaluate your efforts in both the states in which you operate and the states in which your customers or patients sit.
• Does your healthcare startup plan to create a device? Then you should be familiar with the Federal Food, Drug and Cosmetic Act, under which the US Food and Drug Administration regulates medical devices. Depending on the type of device, you may need to register your device and obtain premarket approval by the FDA prior to bringing the product to market.

While healthcare privacy laws and regulations may appear daunting, you can use online resources and ask legal counsel for support in navigating the healthcare space. Addressing these issues shortly after formation is key in order to avoid any unexpected hiccups in investor or purchaser diligence or unwelcome visits from federal or state regulators.

_

Kim’s Korner is a series of articles by Ballard Spahr’s emerging company and venture capital attorneys. The column is not legal advice. The substance of the column is derived from our experience working with founders and details many of the current critical issues facing startups.

Learn more about Ballard Spahr

This is a sponsored guest post by Ballard Spahr. Ballard Spahr is a Technical.ly Ecosystem Builder client.