If you have a startup that provides a product or service to medical practices, you know there are regulations governing how you collect and use your clients’ data. If you handle the health information of your clients’ patients, you are your clients’ business associate.
As a business associate, you are subject to some of the same privacy and security regulations (HIPAA) that your client is subject to. You need to be aware of your responsibilities under HIPAA right away – don’t wait until something goes wrong to get in compliance.
In our experience as a HIPAA management software vendor, many of our clients aren’t medical practices, such as hospitals and clinics, but are business associates that provide a service to a HIPAA-covered organization. We often find that these companies don’t know the extent to which HIPAA applies to their own organization.
If this is you, read on. We’ll answer four common HIPAA questions that many startup business associates wrestle with.
1. Does the HIPAA Security Rule apply to my business?
Yes. The 2013 Omnibus Rule established that companies are business associates who create, maintain, receive, or transmit electronic protected health information (ePHI) on behalf of a HIPAA-covered entity. Since you are your clients’ business associate, you must meet the HIPAA Security Rule requirements.
But do you need to do everything listed in the security rule? That’s a long list of requirements! If you’re a small startup with limited funds and manpower, it can be a huge burden.
You may be relieved to hear that you only need to meet the “applicable” requirements of the rule. That means you get to decide which parts of the rule apply to your organization based on four factors:
- The size, complexity, and capabilities of your company
- Your company’s technical infrastructure, hardware, and software security capabilities
- The cost of security measures
- The probability and criticality of potential risks to ePHI
How do you know the probability and criticality of risks? A security risk analysis. Follow our beginner’s guide to security risk analysis to get started.
In short, if you handle your clients’ ePHI, you’re responsible for securing that data (following the HIPAA Security Rule). But as a small startup, not every part of the rule will apply to you, so you have to carefully evaluate what is feasible and necessary to do.
2. Do I need to use encryption?
Most likely, yes. If your company maintains your clients’ ePHI at rest (meaning that it’s being stored), you are responsible for keeping the data confidential, available, and in-tact. The only way to be sure of that is by encrypting the data.
Additionally, if you transmit ePHI, you need some means to protect the data as it travels from point A to point B (e.g. from your client to you). Again, encryption is the only way to make sure the data is secure.
Encryption doesn’t have to be costly or cumbersome and is manageable for small startups.
3. Does HIPAA apply to my subcontractors?
Sometimes startup business associates need to hire subcontractors to help provide the service to clients. If this is you, consider whether your subcontractor has any contact with ePHI – do they create, maintain, receive, or transmit ePHI on your behalf (similar to how you manage ePHI on your clients’ behalf)?
If so, your subcontractor must meet the applicable HIPAA security requirements. Additionally, you’re responsible for executing a business associate agreement (BAA) with your subcontractor before allowing them access to your clients’ ePHI. This is similar to how your client has to establish a BAA with you before allowing your company to access their ePHI.
LEARN MORE: 7 Quick Facts About HIPAA Business Associate Agreements
4. Does HIPAA apply to the developers of my product?
What happens when the business associate’s product is still being built? If you still have developers working with your product, they are not a part of your workforce, and they do have access to your clients’ ePHI, then they must sign a BAA just like your subcontractors do.
However, startups can avoid this legal situation by asking their developers to work with “dummy” data or a test environment that doesn’t involve real ePHI.
If your startup company handles the data of medical practices, make sure you’re aware of the security regulations that extend to your company. Security should never be an unexpected imposition on your business. Instead, budget for the security measures you need and build compliance into your company from the beginning.
Need Guidance? Check out our Business Associate Decision Tree!
Download our decision tree for determining when a BAA is required.
Contact us with your questions at firstname.lastname@example.org.