How To Register At Greenhouse Laika

HIPAA wasn't written for tech startups. It's difficult to translate vague, risk-focused HIPAA requirements into actionable controls and policies. What's more, information technology takes pregnant time, coin, and effort to become HIPAA-compliant.

Nonetheless many startups need HIPAA compliance to abound and thrive. Non merely do startups demand to run into HIPAA requirements to handle certain types of data, but they tin't even dream of working with customers in the wellness manufacture without compliance; federal law (and the customers themselves) simply won't let information technology.

To assist startups looking to navigate the complexity of HIPAA compliance, we mapped out the most important things founders need to know. This resource runs through why HIPAA is of import for startups, how much it costs, what'due south involved, and what'due south recommended for startup teams pursuing compliance.

Hither, you'll learn everything your startup needs to get started with HIPAA:

What Is HIPAA Compliance, and Does My Startup Need It?
What HIPAA Requirements Does My Startup Need to Exist Compliant?
Fourth dimension and Toll of HIPAA Compliance
Recommendations for Startups Seeking HIPAA Compliance
HIPAA Compliance Is Almost Helping People, Not Checking Off Requirements

What Is HIPAA Compliance, and Does My Startup Demand It?

Before we dive into HIPAA requirements, let's walk through what HIPAA is and why startup founders should care about it.

What Is HIPAA?

Doctors' offices, health insurers, and the startups that serve them need to meet federal regulatory compliance rules defined past the Health Insurance Portability and Accountability Deed (HIPAA). Among many other things, HIPAA sets national security and privacy standards for certain types of health data and is enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Homo Services.

However, HIPAA was passed in 1996, in a time before smartphones and tech startups. It wasn't written with today'due south health-information needs in mind. Since and so, lawmakers accept updated information technology several times to better align information technology with current bug facing the privacy and security of health information.

Does My Startup Need to Exist HIPAA-Compliant?

It depends on the type of data yous handle and what your customers require.

Do You Handle Protected Health Information (PHI)?

Protected health data (PHI) is any individual's health information. If your startup handles patient records (past or present), payment information, or test results, chances are, you're working with PHI.

On its own, health information (like a claret force per unit area reading) isn't PHI. Neither is personal information like a proper noun, phone number, or Social Security number. PHI is a combination of health data and any identifier that could link that information to a specific person.

Health information includes everything about a person's by, current, and future wellness (diagnoses, health intendance coverage, payment for medical services). For example, patient or family unit medical history records, bills from a primary care physician, or lab results are all considered health information in the optics of HIPAA.
Identifiers, on the other manus, include any demographic information that could be used to identify an private. HIPAA protects 18 identifiers, including names, phone numbers, electronic mail addresses, Social Security numbers, account numbers, license plate numbers, photos, fingerprints, etc. Identifiers need to exist protected merely when combined with health data.

Still confused? Here'south an instance: A patient's infirmary bill is PHI because it reveals health information in combination with other information that identifies the patient. If the record shows merely the health data and Not the personal identifiers (name, accost, phone, email, payment info, etc.), then it does not demand to be protected under HIPAA.

Do Your Customers Need Yous To Be HIPAA-Compliant?

In many cases, your customers will need your startup to comply with HIPAA in club to even consider working with you.

HIPAA applies to two types of organizations: covered entities and business associates.

Covered entities are health care providers, such as clinics, pharmacies, nursing homes, clearinghouses, health insurers, and government health programs, amongst others.
Business assembly are organizations or individuals who handle protected health information while working with a covered entity. HR startups like WageWorks and Greenhouse are considered business assembly under HIPAA because they handle employee benefits data.

If your startup handles PHI while working with other organizations, that makes you a business organization associate as far equally HIPAA is concerned. That means y'all'll demand to sign a concern acquaintance agreement (BAA) in gild to work with those customers.

A BAA is a contract that defines how PHI will be used and protected by the business acquaintance. It ensures that the business associate complies with HIPAA and that the covered entity reports and stops working with that vendor if any breaches or violations arise.

Simply it gets more complicated than that.

Say your SaaS startup provides a dashboard that helps health care providers manage their PHI. Considering y'all handle PHI for the wellness intendance provider, you are a business acquaintance. And because you work directly with a data hosting service, that makes the data host a business associate likewise.

In this scenario, think of your startup equally the middle link in a chain of HIPAA compliance. You would demand a BAA with the health care provider AND the data host. But the data host wouldn't demand a BAA with the health care provider.

What Happens If My Startup Isn't HIPAA-Compliant?

If there are no data breaches, no data leaks, no issues, then nothing is likely to happen. Usually, an OCR audit doesn't happen unless an employee, customer, or vendor reports your lack of compliance. Simply if something does happen, then you're subject field to some pretty pregnant fines.

The global average total price of a data breach amounts to $3.92 million, impacting 25,575 records at $150 per record, according to a 2019 IBM/Ponemon Institute study. For wellness care companies, it's fifty-fifty worse. The average cost of a data breach for U.Southward. wellness care companies is $6.45 one thousand thousand, surpassing the global all-manufacture boilerplate, according to the same written report. That's an average per-record toll of $429.

It'south important to note that actual federal fine amounts depend on the severity of the breach and negligence. The totals besides include breach containment and notification costs, business disruption, acquirement cost, customer turnover, reputation losses, and other long-term impacts.

Every bit mentioned above, companies in the health industry can't legally work with startups without a BAA if PHI is involved. Failing to become HIPAA-compliant ways your sales team won't be able to shut deals and your startup will struggle to move upmarket.

What HIPAA Requirements Does My Startup Need to Exist Compliant?

Now that nosotros understand what HIPAA is and why it's important for startups, let's accept a look at the HIPAA requirements and frameworks that founders demand to know.

How to Brand Sense of HIPAA Regulatory Requirements

HIPAA is cleaved up into three different rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

The HIPAA Security Dominion

The HIPAA Security Rule establishes administrative, physical, and technical safeguards for electronic PHI. It's similar to main security frameworks such as NIST SP 800-53 and ISO 27001.

In adhering to the HIPAA Security Rule, you lot'll need policies and procedures in identify to accost the post-obit items, among others:

Administrative

Risk analysis and management
Sanctions for employees who don't comply with policies
Regular review of system activity
PHI access rights
Awareness and training (password controls, log-in monitoring, training reminders)
Incident protocols
Contingency planning

Physical

Office/facility access (including contingency admission for emergencies)
Office/facility security
Device/computer security and access
Physical PHI storage (device disposal, data fill-in, etc.)

Technical

Unique user identification
Automatic log-off
Encryption and decryption
Auditing app and backend activity
MFA and other authentication
Integrity controls

For help translating HIPAA'south Security Rule requirements for your startup, cheque out these resources:

Security Hazard Assessment Tool: While not meant specifically for tech startups, this government-offered awarding helps pocket-sized to medium-sized companies navigate HIPAA Security Rule standards.
NIST HIPAA Security Rule Toolkit: This application helps organizations bear a self-assessment and identify gaps in Security Rule adherence. (Note: NIST no longer supports this toolkit.)
Laika: We provide custom HIPAA-compliance road maps tailored specifically for your startup'south needs. Our team of HIPAA experts will work with you to make compliance quick and pain-free.

The HIPAA Privacy Dominion

The HIPAA Privacy Rule sets guidelines for what you tin and can't practice with PHI. For case, HIPAA's Privacy Dominion

defines allowed employ cases and disclosure of PHI;
gives individuals access to their PHI, the ability to know who else has seen it, and some command over how their PHI is used;
makes sure PHI disclosure is limited to merely the information that's needed;
stipulates what organizations have to do in order to protect PHI; and
establishes penalties for PHI mishandling.

The HIPAA Breach Notification Rule

In one case role of the Privacy Dominion, the Breach Notification Rule, defines a breach and what must be washed if one occurs.

This dominion goes into detail well-nigh who needs to exist notified, how, and when. For example, the dominion stipulates that covered entities must, within 60 days of a breach, ship first-class mail or an email informing patients whose PHI was put at run a risk in the alienation. It besides defines when businesses have to notify the media and the U.Due south. Department of Health and Human Services.

Choose Your HIPAA Gamble: 3rd-Party Review, HITRUST Certification, or Security Framework

Knowing the three aforementioned rules is just the outset. Translating them into actionable objectives for your startup takes a bit more work. Thankfully, yous accept some options to help you lot with this chore.

The OCR provides some resources for organizations to become HIPAA-compliant on their own (encounter higher up). However, most companies bring in a 3rd-party reviewer, pursue HITRUST certification, or follow a security framework to make sure they do it right.

Third-party HIPAA Review

A reviewer provides an unbiased study nearly your policies, procedures, and controls through the lens of HIPAA.

Unlike other audits (a SOC 2 Blazon ii inspect, for example), an annual HIPAA review doesn't require evidence that your company actually executes on those policies, nor does it attest to your controls. It does, however, provide more than peace of mind for organizations and customers.

HITRUST CSF Certification

The Health Data Trust Alliance (HITRUST) is an system that maintains the Common Security Framework, a risk-direction framework that pulls from other well-known compliance frameworks (HIPAA, NIST, ISO, PCI).

The HITRUST CSF is more prescriptive than HIPAA while covering the necessary controls.

Security Framework

Many companies pair HIPAA with either the NIST SP 800-53 or the ISO 27001 security framework for boosted guidance as they pursue HIPAA'south Security Rule.

NIST SP 800-53: This stands for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Data Systems and Organization. It was published to help federal agencies amend their information security.
ISO 27001: The ISO 27001 framework is like to NIST SP 800-53, except information technology'southward internationally recognized. It'due south frequently called by startups that work exterior of the United States. We talk about information technology more in detail in A Founder's Guide to Deciphering the Correct Compliance Framework for Your Startup.

Time and Cost of HIPAA Compliance

How much time and money should you expect to spend on meeting HIPAA requirements? Information technology depends on a variety of factors.

How Long Does HIPAA Compliance Have?

In brusk, you should expect to spend several months preparing for HIPAA compliance, and anywhere from weeks to months on an actual assessment. However, the verbal timeline depends on a number of factors:

The size and distribution of your startup
The current lack or abundance of documentation for policies, procedures, and controls
The complication and level of risk of information, services, and processes
The blazon of compliance verification y'all choose (We talk about options in the What HIPAA Requirements Does My Startup Need to Be Compliant section above.)

For example, if you lot decide to pursue a HITRUST CSF certification, wait to spend two to iii months preparing, and two weeks to iv months on the actual engagement. The length of the engagement depends on the type of assessment you choose to pursue. HITRUST offers a self-cess and a validated cess by a tertiary-party assessor.

Go along in listen that HIPAA compliance isn't a one-and-done affair. You need to renew your compliance every year. This becomes more of import for startups every bit they mature and their size, services, customers, and complexity increase.

The first year typically requires the most time and effort. HITRUST certification, for instance, lasts ii years, with a less expensive and time-consuming interim review 12 months after the initial certification. In general, the subsequent years pose far less of a burden in terms of cost and time. That is, of course, if yous go on up with maintenance and stay on acme of things like evaluations, configuration changes, and documentation.

How Much Does HIPAA Compliance Cost?

HIPAA compliance costs depend on whether you pursue a third-party cess or y'all handle everything in-firm.

It'due south important to note that fourth dimension and cost often become manus in paw. So information technology should exist unsurprising that your HIPAA compliance cost depends on the same factors that determine how long it will take. Team size, complexity and level of take a chance, documentation, and type of compliance all come into play hither.

Now for the numbers. Using the aforementioned HITRUST example as above, here is how much you lot should expect to spend:

$half-dozen,250 for a HITRUST self-assessment. That includes $2,500 for admission to the HITRUST CSF tool over 90 days, and some other $3,750 to submit your assessment for scoring, according to RSI.
$30,000+ for a HITRUST-validated assessment. This assessment requires an auditor, and the toll tag depends on the telescopic.

These costs don't include indirect impacts, such every bit opportunity costs and salary dedication for in-house employees, legal fees, or significant process overhauls and technical needs. They also don't include the toll of HITRUST upkeep.

Spend some fourth dimension window shopping when you're gear up to settle on a HIPAA-compliance framework or vendor. Laika, for example, helps connect its customers with less-expensive, startup-experienced compliance partners. You may also be able to save some money by asking your customers if they'll have a unlike (less expensive) course of HIPAA validation.

Recommendations for Startups Seeking HIPAA Compliance

Although it'southward non easy to become HIPAA-compliant, we can offer several tactics to make the procedure less challenging for startups.

Outset with Risk Management, Not Technical Controls

We've found that founders tend to jump straight to technical controls when they offset with compliance. They see the required controls and believe that the best way to start is past getting those in identify — not simply to make progress but too to protect their information.

Instead, we recommend that startups begin building toward meeting HIPAA requirements with a adventure-management program. That is considering much of HIPAA evaluation is done using a risk-management methodology.

Past agreement the possible risks and take chances levels earlier jumping to controls, you better position yourself to identify and implement more than appropriate and constructive controls. In putting chance management first, you can actually help yourself prioritize and comply faster in the long run.

Limit the PHI Your Startup Works With

Techniques like data assemblage and tokenization assist startups limit the amount of PHI they need to protect as part of HIPAA compliance.

Data Assemblage

Remember that wellness data is protected by HIPAA only when it's combined with identifiers that tin can tie that data back to the corresponding individual. Data assemblage presents health information without the identifiers.

For example, a infirmary'south annual report that provides information virtually intake numbers, average patient age, and other aggregate data would not be considered PHI because it wouldn't tie any of that wellness information to the corresponding individuals.

Data Tokenization

This technique transforms sensitive information into a senseless combination of characters. It'due south useful for when you do non need the information (such as PHI or a Social Security number), but you practise demand to pass this information downstream to a vendor, such equally a billing service, for processing. The PHI then exists inside your environs every bit a token and removes many of the requirements from your systems.

Every bit your startup matures, accept a hard wait at what information you need to collect to serve your customers and what you tin can go out past the wayside. The less PHI your startup needs to handle, the lighter your HIPAA brunt.

Build Your HIPAA-Compliance Dream Team In-House

Terminal yr, the Us experienced a shortfall of nearly 314,000 cybersecurity professionals. That shortage is expected to grow to 1.8 million in 2022. This puts startups in a bad position if they want to rent an external expert to handle their HIPAA requirements.

The lack of compliance experts means that people who want to hire them pay more for their expertise and make sacrifices on whom to bring in, or under what circumstances. This reality makes it more attractive to handle HIPAA compliance in-house.

Today, more than startups are leaning on compliance solutions like Laika to either go more than breathing room before making a strategic rent or completely replacing the need for an external hire.

They're also using a divide-and-conquer approach to handling compliance in-firm. That ways splitting the responsibleness among the team members whose twenty-four hours-to-day jobs already coincide most with a startup's security needs. For instance, instead of treatment HIPAA requirements on their own, founders will enlist their engineers to manage HIPAA security controls and assign run a risk direction to an operations team member.

Every bit yous abound, consider making an existing employee in charge of marshaling compliance. This might look like the CTO in many startups. For others, whose customers require a NIST, SOC 2, or ISO 27001 framework in place, the sales team might take their part in advocating for compliance.

Employ a HIPAA-Compliance Solution Like Laika

Compliance solutions provide crucial, company-specific guidance for startups looking to get HIPAA-compliant. For example, Laika provides that initial structure that'south critical when creating the risk framework your startup needs to become HIPAA-compliant.

When leaning on Laika every bit you pursue HIPAA compliance, you'll already know what you need to take in place to encounter the expectations of your third-party reviewer. You'll also have time to work on building your adventure-management system at your own pace, and then you won't have to drop everything when the consultant arrives with their list of controls.

Laika doesn't just requite you lot the guidance yous need to get upward and running in an organized and quick manner. We also stick effectually to help for a year, and then y'all can rely on us long later that initial assessment. This is particularly useful for growing startups that need to think nigh different markets, methodologies, utilize cases, and other concerns as they mature and fix for the side by side annual HIPAA review.

Our concierge team is made up of experts beyond all compliance needs (HIPAA, ISO, GDPR, SOC 2, technical controls, etc.). When you lot work with Laika, you lot become insight across the board, not just on HIPAA-specific things. You'll have an edge because you lot'll understand how dissimilar compliance frameworks interact to create the all-time solution for your startup's specific needs.

On a more than tactical level, Laika makes it much easier to make full out due-diligence questionnaires. Nosotros've seen startups take upward to xi hours to fill out their clients' due-diligence questionnaires. Laika saves and organizes your responses so yous don't take to start from scratch every fourth dimension. This cuts downward that operational brunt to under an hour per questionnaire.

Compliance Is Virtually Helping People, Not Checking Off HIPAA Requirements

What's piece of cake to lose in all this is the reason startups need to comply with HIPAA in the offset place.

HIPAA's purpose isn't to drive founders mad. It's non to drain startups of critical time, coin, or energy. HIPAA'due south goal is to protect people and their important medical information.

When you invest in HIPAA compliance, y'all're non but opening your startup for concern with health providers; you're telling the world that you take the public'southward privacy, security, and well-being seriously. What's more, HIPAA compliance signals to potential customers that your startup is established and trustworthy, giving you an border over your competition. It'due south a solid growth strategy, especially for startups looking to movement upmarket in the wellness infinite.