HIPAA Questions and Answers – Are You a Startup Business Associate?


There are thousands of organizations that do not directly provide care to patients but support those who deliver care. If you are planning to start up a business to provide a product or service to medical practices, you should know there are regulations governing how you are supposed to collect and use your client’s data. And if your job requires you to handle the health information of your client’s patients, then you are a business associate under HIPAA. You probably have more questions about HIPAA compliance, and we have the answers.

As a Business Associate (BA), you must adhere to the same HIPAA privacy and security regulations that your client is subject to. You should understand your responsibilities under HIPAA as early as possible, before something goes wrong and you are forced into compliance while also facing hefty fines and penalties.

So let’s take a look at a few common questions that most startups have in mind regarding HIPAA compliance, and I am going to answer them all.


Do I need to comply with the HIPAA Security Rule?

Yes! In 2013 the Final Omnibus Rule was established, and it reinforced the responsibilities of business associates under HIPAA. Companies that maintain, receive, transmit, or create protected health information (PHI) on behalf of a covered entity are business associates and should therefore comply with the Security Rule that their clients (covered entities) are subject to.

That said, it is not necessary to implement all the elements of the Security Rule. It is a long list of requirements, and it can be a massive burden for a startup with limited resources.

You will be relieved to hear that you only need to address the “applicable” requirements. There are four factors that you can assess to determine which requirements apply to your business:

  • The size, complexity, and capabilities of your company
  • Your company’s technical infrastructure, hardware, and software security capabilities
  • The cost of security measures
  • The probability and criticality of potential risks to ePHI

How can you find out the probability and criticality of potential threats? Through a Security Risk Analysis. You can use our HIPAA compliance software, HIPAA Ready, to get started.

Do I have to use encryption?

While encryption is not a mandatory requirement under HIPAA, you will still most likely need to use encryption because it is a good practice. If you maintain your client’s protected health information in electronic format (ePHI), you are responsible for ensuring the privacy and security of the data. And the best way to protect this data is by encrypting it.

Also, when you transmit ePHI, you need to ensure that there are means of protecting data in transit as it travels from point X to point Y (e.g., from your client to you or vice versa). And again, encryption is the best way to ensure that the data is secure.

Encryption can be manageable for startups, as it does not necessarily have to be expensive or cumbersome.

Will my subcontractors have to comply with HIPAA too?

Yes, a subcontractor can be your business associate, but it depends on what they do. Sometimes as a startup, you may need to hire subcontractors to help you provide services to your clients. In this case, you should consider whether your subcontractor has any contact with ePHI. For instance, do they create, transmit, receive, or maintain PHI on your behalf, as you do on your client’s behalf?

If this is the case, you are required to enter into a business associate agreement with your subcontractor before allowing them access to your client’s PHI. And the subcontractor must also meet the applicable security requirements. 

Will the developers of my product have to comply with HIPAA?

What happens if your product is still being developed? If you have developers who are not part of your workforce but are working on your product, and they have access to your client’s PHI, then you must enter into a business associate agreement with them, just as you would with your subcontractors.

However, you can avoid this by asking your developers to work with “dummy” data or a test environment that does not involve real PHI. 

The Best HIPAA Compliance Software for Startups

As a startup, you cannot afford to neglect HIPAA regulations. Security should never be your second priority if you handle patients’ health information in any way. You should start budgeting your security measures and build compliance into your business from the beginning. In any case, you probably have more questions about HIPAA, and like I’ve said, we’ve got answers. 

Even if you know little to nothing about HIPAA, you can still comply by making use of HIPAA Ready. HIPAA Ready is a robust cloud-based HIPAA compliance software that will help you address all the critical elements of compliance. This is the best tool, especially for startups, because it is very affordable and 100% customizable. HIPAA Ready will only cost you $10 per user, per month!

If you have more questions about HIPAA compliance, get in touch with us today for answers. Leave a comment below if you are interested in trying a demo!
