HIPAA Compliance Is More than Using Compliant Vendors

For healthcare app developers operating in the US, compliance with HIPAA is mandatory. But HIPAA compliance is crucial for other reasons as well. Hospitals need to know that every new app they use is fully compliant, to maintain the hospital’s own compliance status, and to protect patient data across the care continuum. For health app investors, full compliance with HIPAA is a specific criterion to be achieved, but it’s also more than that. Investors need to know that data privacy and security are built into an app from the start of the development cycle, and aren’t just an afterthought. In short, good data governance reflects positively on an app and its developer, and can get your app funded and launched faster.

Using Compliant Vendors Does NOT Make Your App HIPAA Compliant

Simply buying some servers, firewalls, storage devices and network cabling does not magically create a working network. To create a functioning network, components have to be assembled, connected, configured and tested. Of course, each component of a network is expected to be compliant with various standards, such as those from IEEE and Underwriters Laboratories. But not until all components are intelligently orchestrated is a working network created.

In this context, full HIPAA compliance resembles a functional network. Each of the separate components required for compliance (such as a vendor) must be compliant with HIPAA on its own. But not until the developer has assembled and intelligently configured those components does an actual state of HIPAA compliance exist. Simply using HIPAA-compliant vendors like AWS does not automatically make an app or a developer HIPAA compliant. There are processes, procedures, and documents outside of what most vendors do that must be developed, configured and tested to reach HIPAA compliance. Hospitals and investors understand this. As a developer, you should too.

Compliance for the App — Compliance for the Developer

A serious misconception in the developer community is thinking that compliance applies only to the app and not to the developer. Nothing could be further from the truth. In fact, HIPAA Regulations recognize that it is the business and people behind a given entity, whether an app or a hospital, that must achieve full compliance. An app, like a hospital campus, is merely the visible portion of the entity; but the entire entity must become HIPAA compliant or there is no compliance at all. A hospital cannot claim full HIPAA compliance if only its buildings are compliant, but not its entire operation. Similarly, app developers are not HIPAA compliant if only their deliverables are compliant, and not their entire business operation.

HIPAA law assumes a certain gravity and intrinsic value to personal health data which demands it be protected by those entrusted with it. HIPAA’s protections are physical, technical and administrative in nature, and they apply to an entire business, top to bottom, not just to its products.

A healthcare app can be made HIPAA-ready on a purely technical level by using data encryption, secure storage, unique user IDs and strong authentication, among other things. But if the developer — the company — behind the app is not fully HIPAA compliant as a business entity, there is no state of HIPAA compliance. In such cases, hospitals or investors will likely look elsewhere until full compliance is achieved for the app and the business behind it. By then it may be too late and windows of opportunity may have closed.

Using HIPAA Compliant Vendors Helps, But Full HIPAA Compliance Requires More

As in our network example earlier, developers should use HIPAA compliant vendors for infrastructure and services whenever possible, but those vendors, while compliant themselves, are only a portion of what full HIPAA compliance requires. And the very same compliance duties apply to app developers as to hospitals, though they’re likely to be scaled and implemented differently.

Every vendor and developer touching personal health data has to comply with all of HIPAA’s requirements. But most vendors’ internal compliance efforts don’t flow ‘downstream’ and directly benefit their customers’ compliance work. Fortunately, things have begun to change.

There are a few HIPAA compliant vendors who are assisting with various aspects of developers’ HIPAA compliance duties. From curated HIPAA policies and expert advice, to compliant systems and processes, a handful of vendors are finally offering meaningful compliance help to developers, fully integrated with their service platforms. Simplifying and speeding the compliance process provides a strong competitive advantage for developers.

With vendors who don’t offer integrated compliance services, developers must get compliance help elsewhere, or risk being out of compliance and out of luck.

Any Vendor Not Facilitating Your HIPAA Compliance Is Holding You Back

Success today is largely measured by time-to-market. And since compliance is mandatory for apps with personal health data, developers must find the shortest path to full compliance to help minimize their time-to-market. While HIPAA may be challenging, full compliance greatly increases the odds of funding and finding acceptance in the clinical marketplace. A small number of platform vendors know HIPAA well and assist developers with compliance in varying degrees. If your vendors aren’t actively helping facilitate your HIPAA compliance — for your app and your business — they’re not saving you time and effort. They’re holding you back.

Was this article helpful? Subscribe below to learn more about MedStack and get tips delivered straight to your inbox.