Talk to us!

Overview

We’ve helped a number of clients successfully align to HIPAA good practices to ensure their products are ready for entry into the United States of America (USA) healthtech market. But what exactly is HIPAA and how does it differ to legislation and compliance frameworks in the UK?

HIPAA stands for ‘The Health Insurance Portability and Accountability Act of 1996'

HIPAA is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued a number of rules including the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule was also introduced to protect a subset of information covered by the Privacy Rule. More details below:

1. Privacy rule - The Privacy Rule protects the PHI and medical records of individuals, with limits and conditions on the various uses and disclosures that can and cannot be made without patient authorisation
2. Security rule - standards, methods and procedures related to the protection of electronic PHI on storage, accessibility and transmission

Note: Other rules, including the Transaction and Code Set rules also exist with a view of bringing standardisation to the electronic exchange of patient identifiable information in the USA. Also, the identifiers rule that ensures patients, healthcare organisations, health plans and payers can be uniquely identified. 

Does HIPAA apply to my healthtech innovation?

If the USA is a target market for your product then, yes, HIPAA applies. Here is a breakdown of some HIPAA terms that will enable you to determine how this applies to you.

The HIPAA Privacy Rule standards address the use and disclosure of individuals’ health information (known as protected health information or PHI) by entities subject to the Privacy Rule. These individuals and organizations are called ‘covered entities (CE).’

A covered entity is effectively a healthcare provider, think GP or hospital in a UK context, in the US that could be a Family Physician, Insurers, care givers, hospitals, etc. These ‘covered entities’ may leverage ‘business associates’ (BA)  to deliver healthcare services.

A ‘business associate’ is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Typically, healthtechs fall into the category of ‘Business Associate’ but they can also be a ‘Covered Entity’ depending on service configuration. Depending on your classification under HIPAA you’ll have to comply with different aspects of the HIPAA ruleset.

How can I best prepare to become ‘HIPAA certified’?

Firstly, it is important to note that the Department of Health and Human Services' Office for Civil Rights (OCR) undertake annual HIPAA audits. These involve a random selection of CEs and BAs for audit so it is imperative you prepare and maintain a robust HIPAA evidence file and that you build a compliance culture in your organisation.

The HIPAA rules consist of hundreds of clauses that ask for specific evidence, but the good news is that if you are already DTAC compliant the overhead and understanding you will need to build within your healthtech will be a lot less than if you were starting from scratch.

This is mainly because you will already have a lot of aspects of the privacy and security rules covered. A good exercise would then be to map that evidence to the HIPAA audit clauses, close any gaps and maintain your compliance.

If you are not DTAC compliant and the UK is not a target market, you’ll need to start by getting the basics in place, which include:

1. Information security policies and SOPs
2. Data Protection policies and SOPs
3. Cyber Security policies and SOPs

OK, I’ve done the hard work, but how do I prove my HIPAA compliance?

Much like the NHS DTAC, there is no government or other authority in charge of issuing ‘HIPAA certificates’ to prove your compliance. And again, much like DTAC, one reason is because HIPAA, like DTAC, is a living standard. You need to maintain appropriate measures and controls as your organisation and products evolve.

There are further ways to reputably prove your compliance for HIPAA however and if you’d like to know more, or require assistance and guidance with DTAC or HIPAA, please do get in touch.

Book a discovery call with the Acorn Compliance team today.