Healthcare Developers Must Comply with HIPAA
HIPAA – the word constantly floats around in conversations in the healthcare industry, so what’s the exact deal with it? All healthcare products are expected to comply with HIPAA, the primary health data privacy law in the US. Even developers whose products already use encrypted, anonymized, or obfuscated health data are expected to meet all the requirements of full compliance with HIPAA, which has now become the baseline US health compliance standard. Most healthcare investors and institutions won’t even consider software or devices unless they are fully HIPAA compliant.
HIPAA compliance includes a number of specific requirements, including:
- Risk Analysis – an “accurate and thorough assessment” of potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI. (§164.308(a)(1)(ii)(A))
- Privacy & Security Policies, Procedures, and Forms – privacy & security policies, procedures and forms consistent with the Privacy and Security Rules. (§164.316) and (§164.530(i))
- Privacy Personnel – a privacy official responsible for privacy policies and procedures, and a person or office responsible for resolving complaints. (§164.530(a))
- Workforce Training and Management – on “privacy policies and procedures”, as necessary and appropriate, for them to carry out their functions. (§164.530(b))
- Mitigation – mitigate harmful effects caused by data breaches. (§164.530(f))
- Data Safeguards – administrative, technical and physical safeguards to protect health data and prevent data breaches. (§164.530(c))
- Breach Notification – When breaches happen, entities must notify each individual whose PHI has been affected. Larger breaches must also be reported directly to HHS. (HITECH §13402)
- Complaints – procedures for complaints about privacy violations and issues. (§164.530(d))
- No Retaliation – no retaliation against anyone for exercising their HIPAA rights, for assisting in an official HIPAA investigation, or for opposing something they believe in good faith violates HIPAA Rules. (§164.530(g))
- Documentation and Record Retention – maintain HIPAA-required documentation for a minimum of six years after the later of the date of its creation or its last effective date. (§164.530(j))
HIPAA Compliance Requirements Must Be Codified in Policies
Some HIPAA compliance requirements are administrative in nature, involving mostly people and business processes. Others are technical, like the Security Rule’s various Standards, which cover computers, networks and electronic health data. Each requirement should be codified in a specific policy. Policies are the core of HIPAA compliance because they codify how HIPAA affects a specific entity, and how that entity specifically complies. Policies serve other vital purposes too.
Policies Govern Daily Life at Regulated Companies
Policies themselves are one of HIPAA’s requirements, at (§164.316) and (§164.530(i)). But the primacy of policies under HIPAA is so significant that HIPAA’s training requirement doesn’t mandate lessons on HIPAA regulations or “HIPAA 101”. Instead, companies must train workers on “policies and procedures” related to PHI, “as necessary and appropriate” so employees can do their jobs. Policies and procedures are intended to translate the complexities of HIPAA into plain guidance for employees on a daily basis. Your HIPAA policies also reveal insights about your company to others.
Policies Reveal Good Data Governance – or a Lack of It
Savvy investors and health institutions can read between the lines of your HIPAA policies, procedures and other compliance documentation. Among other things, they look for patterns in your documentation that help them assess the risk of doing business with you and your products. If a company has made good data governance a priority, a pattern will emerge that reveals it. Commitment from leadership, careful research, informed decisions, and creative privacy and security strategies all support good data governance. To informed eyes, your policies will reveal those strengths in all their glory, or expose the absence of them.
Policies Are Primary Evidence of HIPAA Compliance
Along with providing workforce guidance, HIPAA policies and procedures are primary evidence of your product and company’s HIPAA compliance. HIPAA compliance is a self-certification process, where regulated entities provide their own evidence of full compliance. When investors and clients want assurance of your HIPAA compliance, your HIPAA policies and corresponding procedures will form the core of your compliance evidence. They provide guidance for your workforce, but your HIPAA policies also tell the story of your firm’s compliance journey. Make sure they tell the story you want them to.