Intro

Data privacy and security in healthcare are key. Your healthcare data is worth up to 40 times as much as credit card data on the black market. Why? The nature of healthcare data is far more personalized and detailed than financial data, and it can be used to affect insurance premiums in an unfair manner, to commit fraud, or to blackmail and extort.

Because of this, the healthcare industry is protected by some of the most stringent data security regulations around. In the US, the primary regulation is HIPAA – and it’s crucial to be aware of the requirements before embarking on a healthcare enterprise.

HIPAA (Health Insurance Portability and Accountability Act)

First things first: HIPAA is a federal regulation, not a certification. There is no official body providing HIPAA certifications. Rather, it is a set of standards and codes that must be adhered to in order to follow the law, and it governs the course of action the federal and state governments can take in auditing healthcare providers (hospitals, clinics, etc.) for their adherence to personal health data management standards.

HIPAA relates to any business that is handling Protected Health Information (PHI). Those businesses are either covered entities, which deal with patients directly, or business associates, which are granted access to patient data by a covered entity. Business associates need to have strict enough security in order to be trusted with data from covered entities.

PHI is any data that:

  1. Provides insight into a person’s health (e.g. blood pressure, heart rate, scheduled doctor’s appointments, medical history), and
  2. Is identifiable to an individual (e.g. tied to a name, email address, etc.)
  3. As a general rule of thumb, if the data could be used by an insurance company to discriminate against an individual, then it is PHI.

Why is HIPAA Important?

So, you may be thinking, why bother with all this work? Well, there are a few factors that make taking security seriously unavoidable in healthcare:

  1. Data Breaches: The average cost of a healthcare breach in 2021 was $9.42 million. For any company that is a huge hit, and for most startups it could be business ending – not to mention the potentially irreparable damage a breach does to a company’s reputation.
  2. HIPAA Fines: If a company is found to be mismanaging patient health data, both the Office for Civil Rights and the Attorney General’s Office have the authority to impose fines.
  3. Selling into the industry: This is the single biggest reason to be compliant for most digital healthcare companies. If your business model involves selling to, or partnering with, hospitals, payors, pharmacies, or any large healthcare network of any kind, they will require that you pass a Security Audit before entertaining working with you. No large healthcare organization can afford to invite risk to their patients’ data by sharing it with an unsecured partner. For this reason, they typically require Security Audits that meet or exceed the expectations of HIPAA.

HIPAA Security Rule (for Digital Health)

In this section, we will speak specifically about digital health solution vendors, although the same general best practices are relevant to all healthcare businesses.

What do I mean by Digital Health? Digital health technologies use computing platforms, connectivity, software, and sensors for health care and related uses. These technologies span a wide range of uses, from applications in general wellness to applications as a medical device, and can address a wide range of healthcare issues.

1. Physical Safeguards

For any cloud-based healthcare application, most of the physical safeguards will be covered as standard by the cloud provider (e.g. AWS/Azure). When these providers claim ‘HIPAA compliance’, this is what they are referring to.