by Erika Pasieczny, M.Ed. and Sanaz Cordes, MD
Value Prop Shop is excited to bring you Part II of our Fireside Chat Series on Data Security for Healthcare Technology Startups with the founder of Trifecta General Counsel, Tripp Stroud. Tripp’s firm focuses on data security, cloud technology, and SaaS contracting for technology companies.
It is overwhelming for healthcare tech startups with limited resources to wade through daunting HIPAA data privacy requirements and make an action plan for compliance while building and scaling their product. But at Value Prop Shop, we continue to see that cybersecurity is top-of-mind for health system CIOs. Without a proper data security certification or assessment, or an action plan to obtain one, advancing a sale can be impossible for most startups. With certification often taking well over a year to complete, delaying data security compliance can be detrimental to sales, fundraising, and overall company success.
VPS: Even people deeply embedded in the healthcare tech space don’t fully understand the Federal requirements associated with HIPAA. Can we start here?
STROUD: Yes, understanding the evolution of HIPAA helps frame its current requirements and the routes to achieve them.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was issued by Congress.
The Department of Health and Human Services (HHS) then issued the Privacy Rule to implement HIPAA’s requirements.
The Privacy Rule addresses the handling of protected health information (PHI) by organizations referred to as “covered entities” (typically payers and healthcare providers), for the purposes of treatment, operations, and payment.
Business Associates are people or companies outside of the covered entity's workforce that perform or provide services or technology to a covered entity that involve PHI.
Within HHS, the Office for Civil Rights (OCR) enforces the Privacy Rule by issuing civil and criminal penalties for data breaches that compromise PHI.
The Security Rule pertains specifically to electronic PHI (ePHI).
VPS: Where do healthcare tech startups fit into the HIPAA labyrinth?
STROUD: Startups, as Business Associates of covered entities, are expected to be HIPAA-compliant. They deal specifically with ePHI, so they must meet all requirements of the Security Rule, including physical, administrative, and technical safeguards. The covered entities, such as health systems, often customize and add additional provisions beyond the Security Rule’s requirements – thus creating a sales challenge for startups.
Also, as business associates, startups are directly subject to OCR penalties for a PHI breach. For a young startup with limited financial resources, the financial impact of a data security breach could unfortunately end their business and permanently damage the reputations of the founders and employees.
VPS: Does being certified as HIPAA-compliant protect startups from OCR penalties?
STROUD: From a healthcare tech startup’s perspective, there are many reasons to be certified as HIPAA-compliant, but certification doesn’t carry any official legal weight with the OCR if there is a data breach. Being certified can help the startup plead their case, and it also provides these other advantages:
Most importantly, by ensuring the appropriate precautions are in place, it helps prevent a data breach by a startup that could compromise patients’ privacy.
It helps overcome security and compliance-related barriers to sales – as health systems continue to tighten data security requirements. Being able to demonstrate HIPAA compliance in a way that’s nationally recognized is a huge sales advantage for a healthcare tech company.
It helps reduce the costly technical debt to modify a product to become HIPAA compliant. This debt can have downstream consequences such as poor valuations, challenges with fundraising, and risks to potential acquisition.
National certification helps achieve some of the requirements to international certification (General Data Privacy Regulation) for a startup that plans to expand beyond a domestic market.
VPS: HIPAA certification basically comes in two flavors: SOC 2 and HITRUST. Can you provide a simplified overview of these two models?
STROUD: The Service and Organization Controls (SOC 2) Report was created by the American Institute of Certified Accountants to test and report on the design (SOC 2 Type I) and operating effectiveness (SOC 2 Type II) of an organization’s controls to meet HIPAA requirements. These controls span technical, physical, and operational processes. Accounting firms such as Ernst and Young have consultants that create the report, where any deficiencies and vulnerabilities are described, as well as the actions to mitigate them.
The Health Information Trust Alliance (HITRUST) is a nonprofit organization that created and maintains the Common Security Framework (CSF) to streamline data security and compliance for business associates and covered entities. The alliance assesses vendors using 1,000+ checkpoints to certify that the company is HIPAA compliant.
VPS: What should startups understand regarding the decision to pursue SOC 2 or HITRUST?
STROUD: Most of the large health systems are now requiring HITRUST certification for software vendors that deal with PHI. As a result, we are seeing startups that initially went down the SOC 2 path circling back to obtain HITRUST certification.
It is important to note that HIPAA compliance is not required for digital health startups that sell directly to patients or consumers. I would caution that even these B2C startups should consider the possibility of future B2B partnerships with covered entities who might provide their app to patients. In these scenarios, HIPAA compliance would become relevant.
VPS: What is your advice for early-stage startups as they begin identifying their data security strategy and path to certification?
STROUD: Younger startups that work with PHI should build their product, from the outset, in a HIPAA-compliant way. They can certainly invest the time and resources to do it themselves, but there are also data security vendors that can provide these services. Vendors such as Datica, for example, provide a compliant cloud platform on which to develop secure applications for healthcare users.
Groups like Datica have already done the compliance heavy lifting for app developers. Groups that build apps on a platform like Datica’s inherit in large part the platform’s HITRUST CSF Certification, as well as the controls built into the platform such as intrusion detection, backups and disaster recovery, and system access monitoring. Engaging a compliance vendor is an attractive option that allows startups to focus on their core business while experts handle and staff their data security needs.
To learn more about attorney Tripp Stroud and Trifecta General Counsel, visit trifectagc.com