HIPAA Requirements for Healthcare Startups

HIPAA wasn’t written for tech startups. It’s difficult to translate vague, risk-focused HIPAA requirements into actionable controls and policies. What’s more, it takes significant time, money, and effort to become HIPAA-compliant.

Yet many startups need HIPAA compliance to grow and thrive. Not only do startups need to meet HIPAA requirements to handle certain types of data, but they can’t even dream of working with customers in the health industry without compliance; federal law (and the customers themselves) simply won’t allow it.

To help startups looking to navigate the complexity of HIPAA compliance, we mapped out the most important things founders need to know. This resource runs through why HIPAA is important for startups, how much it costs, what’s involved, and what’s recommended for startup teams pursuing compliance.

Here, you’ll learn everything your startup needs to get started with HIPAA:

Table of Contents

• What Is HIPAA Compliance, and Does My Startup Need It?
• What HIPAA Requirements Does My Startup Need to Be Compliant?
• Time and Cost of HIPAA Compliance
• Recommendations for Startups Seeking HIPAA Compliance
• HIPAA Compliance Is About Helping People, Not Checking Off Requirements

What Is HIPAA Compliance, and Does My Startup Need It?

Before we dive into HIPAA requirements, let’s walk through what HIPAA is and why startup founders should care about it.

What Is HIPAA?

Doctors’ offices, health insurers, and the startups that serve them need to meet federal regulatory compliance rules defined by the Health Insurance Portability and Accountability Act (HIPAA). Among many other things, HIPAA sets national security and privacy standards for certain types of health information and is enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services.

However, HIPAA was passed in 1996, in a time before smartphones and tech startups. It wasn’t written with today’s health-data needs in mind. Since then, lawmakers have updated it several times to better align it with current issues facing the privacy and security of health information.

Does My Startup Need to Be HIPAA-Compliant?

It depends on the type of data you handle and what your customers require.

Do You Handle Protected Health Information (PHI)?

Protected health information (PHI) is any individual’s health information. If your startup handles patient records (past or present), payment information, or test results, chances are, you’re working with PHI.

On its own, health information (like a blood pressure reading) isn’t PHI. Neither is personal information like a name, phone number, or Social Security number. PHI is a combination of health information and any identifier that could link that information to a specific person.

1. Health information includes everything about a person’s past, current, and future health (diagnoses, health care coverage, payment for medical services). For example, patient or family medical history records, bills from a primary care physician, or lab results are all considered health information in the eyes of HIPAA.
2. Identifiers, on the other hand, include any demographic information that could be used to identify an individual. HIPAA protects 18 identifiers, including names, phone numbers, email addresses, Social Security numbers, account numbers, license plate numbers, photos, fingerprints, etc. Identifiers need to be protected only when combined with health information.

Still confused? Here’s an example: A patient’s hospital bill is PHI because it reveals health information in combination with other information that identifies the patient. If the record shows only the health information and NOT the personal identifiers (name, address, phone, email, payment info, etc.), then it does not need to be protected under HIPAA.

Do Your Customers Need You To Be HIPAA-Compliant?

In many cases, your customers will need your startup to comply with HIPAA in order to even consider working with you.

HIPAA applies to two types of organizations: covered entities and business associates.

1. Covered entities are health care providers, such as clinics, pharmacies, nursing homes, clearinghouses, health insurers, and government health programs, among others.
2. Business associates are organizations or individuals who handle protected health information while working with a covered entity. HR startups like WageWorks and Greenhouse are considered business associates under HIPAA because they handle employee benefits information.

If your startup handles PHI while working with other organizations, that makes you a business associate as far as HIPAA is concerned. That means you’ll need to sign a business associate agreement (BAA) in order to work with those customers.

A BAA is a contract that defines how PHI will be used and protected by the business associate. It ensures that the business associate complies with HIPAA and that the covered entity reports and stops working with that vendor if any breaches or violations arise.

But it gets more complicated than that.

Say your SaaS startup provides a dashboard that helps health care providers manage their PHI. Because you handle PHI for the health care provider, you are a business associate. And because you work directly with a data hosting service, that makes the data host a business associate as well.

In this scenario, think of your startup as the middle link in a chain of HIPAA compliance. You would need a BAA with the health care provider AND the data host. But the data host wouldn’t need a BAA with the health care provider.

What Happens If My Startup Isn’t HIPAA-Compliant?

If there are no data breaches, no data leaks, no issues, then nothing is likely to happen. Usually, an OCR audit doesn’t happen unless an employee, customer, or vendor reports your lack of compliance. But if something does happen, then you’re subject to some pretty significant fines.

The global average total cost of a data breach amounts to $3.92 million, impacting 25,575 records at $150 per record, according to a 2019 IBM/Ponemon Institute report. For health care companies, it’s even worse. The average cost of a data breach for U.S. health care companies is $6.45 million, surpassing the global all-industry average, according to the same study. That’s an average per-record cost of $429.

It’s important to note that actual federal fine amounts depend on the severity of the breach and negligence. The totals also include breach containment and notification costs, business disruption, revenue cost, customer turnover, reputation losses, and other long-term impacts.

As mentioned above, companies in the health industry can’t legally work with startups without a BAA if PHI is involved. Failing to become HIPAA-compliant means your sales team won’t be able to close deals and your startup will struggle to move upmarket.

What HIPAA Requirements Does My Startup Need to Be Compliant?

Now that we understand what HIPAA is and why it’s important for startups, let’s take a look at the HIPAA requirements and frameworks that founders need to know.

How to Make Sense of HIPAA Regulatory Requirements

HIPAA is broken up into three different rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

The HIPAA Security Rule

The HIPAA Security Rule establishes administrative, physical, and technical safeguards for electronic PHI. It’s similar to main security frameworks such as NIST SP 800-53 and ISO 27001.

In adhering to the HIPAA Security Rule, you’ll need policies and procedures in place to address the following items, among others:

Administrative

• Risk analysis and management
• Sanctions for employees who don’t comply with policies
• Regular review of system activity
• PHI access rights
• Awareness and training (password controls, log-in monitoring, training reminders)
• Incident protocols
• Contingency planning

Physical

• Office/facility access (including contingency access for emergencies)
• Office/facility security
• Device/computer security and access
• Physical PHI storage (device disposal, data backup, etc.)

Technical

• Unique user identification
• Automatic log-off
• Encryption and decryption
• Auditing app and backend activity
• MFA and other authentication
• Integrity controls

For help translating HIPAA’s Security Rule requirements for your startup, check out these resources:

• Security Risk Assessment Tool: While not meant specifically for tech startups, this government-offered application helps small to medium-sized companies navigate HIPAA Security Rule standards.
• NIST HIPAA Security Rule Toolkit: This application helps organizations conduct a self-assessment and identify gaps in Security Rule adherence. (Note: NIST no longer supports this toolkit.)
• Laika: We provide custom HIPAA-compliance road maps tailored specifically for your startup’s needs. Our team of HIPAA experts will work with you to make compliance quick and pain-free.

The HIPAA Privacy Rule

The HIPAA Privacy Rule sets guidelines for what you can and can’t do with PHI. For example, HIPAA’s Privacy Rule

• defines allowed use cases and disclosure of PHI;
• gives individuals access to their PHI, the ability to know who else has seen it, and some control over how their PHI is used;
• makes sure PHI disclosure is limited to only the information that’s needed;
• stipulates what organizations have to do in order to protect PHI; and
• establishes penalties for PHI mishandling.

The HIPAA Breach Notification Rule

Once part of the Privacy Rule, the Breach Notification Rule, defines a breach and what must be done if one occurs.

This rule goes into detail about who needs to be notified, how, and when. For example, the rule stipulates that covered entities must, within 60 days of a breach, send first-class mail or an email informing patients whose PHI was put at risk in the breach. It also defines when businesses have to notify the media and the U.S. Department of Health and Human Services.

Choose Your HIPAA Adventure: Third-Party Review, HITRUST Certification, or Security Framework

Knowing the three aforementioned rules is just the start. Translating them into actionable objectives for your startup takes a bit more work. Thankfully, you have some options to help you with this task.

The OCR provides some resources for organizations to become HIPAA-compliant on their own (see above). However, most companies bring in a third-party reviewer, pursue HITRUST certification, or follow a security framework to make sure they do it right.

Third-party HIPAA Review

A reviewer provides an unbiased report about your policies, procedures, and controls through the lens of HIPAA.

Unlike other audits (a SOC 2 Type 2 audit, for example), an annual HIPAA review doesn’t require evidence that your company actually executes on those policies, nor does it attest to your controls. It does, however, provide more peace of mind for organizations and customers.

HITRUST CSF Certification

The Health Information Trust Alliance (HITRUST) is an organization that maintains the Common Security Framework, a risk-management framework that pulls from other well-known compliance frameworks (HIPAA, NIST, ISO, PCI).

The HITRUST CSF is more prescriptive than HIPAA while covering the necessary controls.

Security Framework

Many companies pair HIPAA with either the NIST SP 800-53 or the ISO 27001 security framework for additional guidance as they pursue HIPAA’s Security Rule.

1. NIST SP 800-53: This stands for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organization. It was published to help federal agencies improve their information security.
2. ISO 27001: The ISO 27001 framework is similar to NIST SP 800-53, except it’s internationally recognized. It’s often chosen by startups that work outside of the United States. We talk about it more in detail in A Founder’s Guide to Deciphering the Right Compliance Framework for Your Startup.

Time and Cost of HIPAA Compliance

How much time and money should you expect to spend on meeting HIPAA requirements? It depends on a variety of factors.

How Long Does HIPAA Compliance Take?

In short, you should expect to spend several months preparing for HIPAA compliance, and anywhere from weeks to months on an actual assessment. However, the exact timeline depends on a number of factors:

• The size and distribution of your startup
• The current lack or abundance of documentation for policies, procedures, and controls
• The complexity and level of risk of data, services, and processes
• The type of compliance verification you choose (We talk about options in the What HIPAA Requirements Does My Startup Need to Be Compliant section above.)

For example, if you decide to pursue a HITRUST CSF certification, expect to spend two to three months preparing, and two weeks to four months on the actual engagement. The length of the engagement depends on the type of assessment you choose to pursue. HITRUST offers a self-assessment and a validated assessment by a third-party assessor.

Keep in mind that HIPAA compliance isn’t a one-and-done affair. You need to renew your compliance every year. This becomes more important for startups as they mature and their size, services, customers, and complexity increase.

The first year typically requires the most time and effort. HITRUST certification, for example, lasts two years, with a less expensive and time-consuming interim review 12 months after the initial certification. In general, the subsequent years pose far less of a burden in terms of cost and time. That is, of course, if you keep up with maintenance and stay on top of things like evaluations, configuration changes, and documentation.

How Much Does HIPAA Compliance Cost?

HIPAA compliance costs depend on whether you pursue a third-party assessment or you handle everything in-house.

It’s important to note that time and cost often go hand in hand. So it should be unsurprising that your HIPAA compliance cost depends on the same factors that determine how long it will take. Team size, complexity and level of risk, documentation, and type of compliance all come into play here.

Now for the numbers. Using the same HITRUST example as above, here is how much you should expect to spend:

• $6,250 for a HITRUST self-assessment. That includes $2,500 for access to the HITRUST CSF tool over 90 days, and another $3,750 to submit your assessment for scoring, according to RSI.
• $30,000+ for a HITRUST-validated assessment. This assessment requires an auditor, and the price tag depends on the scope.

These costs don’t include indirect impacts, such as opportunity costs and salary dedication for in-house employees, legal fees, or significant process overhauls and technical needs. They also don’t include the cost of HITRUST upkeep.

Spend some time window shopping when you’re ready to settle on a HIPAA-compliance framework or vendor. Laika, for example, helps connect its customers with less-expensive, startup-experienced compliance partners. You may also be able to save some money by asking your customers if they’ll accept a different (less expensive) form of HIPAA validation.

Recommendations for Startups Seeking HIPAA Compliance

Although it’s not easy to become HIPAA-compliant, we can offer several tactics to make the process less challenging for startups.

Start with Risk Management, Not Technical Controls

We’ve found that founders tend to jump straight to technical controls when they start with compliance. They see the required controls and believe that the best way to start is by getting those in place — not only to make progress but also to protect their data.

Instead, we recommend that startups begin building toward meeting HIPAA requirements with a risk-management program. That is because much of HIPAA evaluation is done using a risk-management methodology.

By understanding the possible risks and risk levels before jumping to controls, you better position yourself to identify and implement more appropriate and effective controls. In putting risk management first, you can actually help yourself prioritize and comply faster in the long run.

Limit the PHI Your Startup Works With

Techniques like data aggregation and tokenization help startups limit the amount of PHI they need to protect as part of HIPAA compliance.

Data Aggregation

Remember that health information is protected by HIPAA only when it’s combined with identifiers that can tie that data back to the corresponding individual. Data aggregation presents health information without the identifiers.

For example, a hospital’s annual report that provides information about intake numbers, average patient age, and other aggregate data would not be considered PHI because it wouldn’t tie any of that health information to the corresponding individuals.

Data Tokenization

This technique transforms sensitive information into a senseless combination of characters. It’s useful for when you do not need the information (such as PHI or a Social Security number), but you do need to pass this information downstream to a vendor, such as a billing service, for processing. The PHI then exists within your environment as a token and removes many of the requirements from your systems.

As your startup matures, take a hard look at what information you need to collect to serve your customers and what you can leave by the wayside. The less PHI your startup needs to handle, the lighter your HIPAA burden.

Build Your HIPAA-Compliance Dream Team In-House

Last year, the United States experienced a shortfall of nearly 314,000 cybersecurity professionals. That shortage is expected to grow to 1.8 million in 2022. This puts startups in a bad position if they want to hire an external expert to handle their HIPAA requirements.

The lack of compliance experts means that people who want to hire them pay more for their expertise and make sacrifices on whom to bring in, or under what circumstances. This reality makes it more attractive to handle HIPAA compliance in-house.

Today, more startups are leaning on compliance solutions like Laika to either get more breathing room before making a strategic hire or completely replacing the need for an external hire.

They’re also using a divide-and-conquer approach to handling compliance in-house. That means splitting the responsibility among the team members whose day-to-day jobs already coincide most with a startup’s security needs. For example, instead of handling HIPAA requirements on their own, founders will enlist their engineers to manage HIPAA security controls and assign risk management to an operations team member.

As you grow, consider making an existing employee in charge of marshaling compliance. This might look like the CTO in many startups. For others, whose customers require a NIST, SOC 2, or ISO 27001 framework in place, the sales team might take their role in advocating for compliance.

Use a HIPAA-Compliance Solution Like Laika

Compliance solutions provide crucial, company-specific guidance for startups looking to become HIPAA-compliant. For example, Laika provides that initial structure that’s critical when creating the risk framework your startup needs to become HIPAA-compliant.

When leaning on Laika as you pursue HIPAA compliance, you’ll already know what you need to have in place to meet the expectations of your third-party reviewer. You’ll also have time to work on building your risk-management system at your own pace, so you won’t have to drop everything when the consultant arrives with their list of controls.

Laika doesn’t just give you the guidance you need to get up and running in an organized and quick manner. We also stick around to help for a year, so you can rely on us long after that initial assessment. This is particularly useful for growing startups that need to think about different markets, methodologies, use cases, and other concerns as they mature and prepare for the next annual HIPAA review.

Our concierge team is made up of experts across all compliance needs (HIPAA, ISO, GDPR, SOC 2, technical controls, etc.). When you work with Laika, you get insight across the board, not just on HIPAA-specific things. You’ll have an edge because you’ll understand how different compliance frameworks interact to create the best solution for your startup’s specific needs.

On a more tactical level, Laika makes it much easier to fill out due-diligence questionnaires. We’ve seen startups take up to 11 hours to fill out their clients’ due-diligence questionnaires. Laika saves and organizes your responses so you don’t have to start from scratch every time. This cuts down that operational burden to under an hour per questionnaire.

Compliance Is About Helping People, Not Checking Off HIPAA Requirements

What’s easy to lose in all this is the reason startups need to comply with HIPAA in the first place.

HIPAA’s purpose isn’t to drive founders mad. It’s not to drain startups of critical time, money, or energy. HIPAA’s goal is to protect people and their important medical information.

When you invest in HIPAA compliance, you’re not just opening your startup for business with health providers; you’re telling the world that you take the public’s privacy, security, and well-being seriously. What’s more, HIPAA compliance signals to potential customers that your startup is established and trustworthy, giving you an edge over your competition. It’s a solid growth strategy, particularly for startups looking to move upmarket in the health space.