Breaking Down HIPAA Compliance for Startups and Small Businesses

Sythe Labs Team

You’re a budding startup or even a profitable small business, but you want to take that next step and break into the healthcare market. You’ve heard stories about the complications of interfacing with hospitals, doctors’ offices, patient records, insurance companies, and biotech firms. The red tape alone is enough to make you back away slowly, and with the requirements around data, privacy, and security policies, who could blame you?

It doesn’t have to be this daunting. Let’s unpack what it takes to achieve HIPAA compliance, cut through the noise, and provide actionable insights on how to get there, fast.

This isn’t your typical whitepaper. We’re not putting this behind a paywall or creating some massive corporate PDF. The goal here is to explain HIPAA as simply as possible. A line commonly attributed to Albert Einstein says it best: “If you can’t explain it simply, you don’t understand it well enough.” I’d add: “MSSPs are trying to upsell you services by overcomplicating compliance frameworks instead of offering true partnership.”

Let’s start with the basics: what is HIPAA? The Health Insurance Portability and Accountability Act is a US federal law, and its Privacy and Security Rules define the requirements your business must meet when it creates, receives, stores, or transmits protected health information (PHI). Whether you’re a third-party IT vendor (a “business associate” in HIPAA terms) or a company handling healthcare data directly, you need documented policies and operating procedures covering how that data is handled, stored, and transmitted. HIPAA is not a bundle of technical settings that can be deployed with Infrastructure as Code (IaC) or other programmatic controls. It’s also not a one-time project: it’s an ongoing commitment to the framework, baked into how the organization operates.

Can some HIPAA controls be satisfied with technical rollouts? Absolutely. But turning on encryption at the database layer isn’t enough. In 2019, Jackson Health System in Florida was fined $2.1 million after breaches exposed patient records. The penalty wasn’t for the breach itself, and it certainly wasn’t for encrypting data at rest. It was because an organization handling PHI failed to conduct risk assessments, failed to implement proper policies and procedures, and failed to respond to and report the incidents as the rules require. For more information on what is considered PHI, read more here. The short of it: PHI is any individually identifiable health information, including demographic data, medical histories, test results, insurance information, and so on.

The 30,000-foot view of becoming compliant includes the following:

Risk and privacy assessments are essential to a well-rounded HIPAA compliance checklist. An auditor or skilled team member should compare your company’s current controls to HIPAA’s requirements in what’s called a “Gap Analysis.” In plain English: assess your current security posture, policies, and procedures against HIPAA’s standards. You can use a spreadsheet, matrix, or Google Doc to highlight the gaps for remediation. If you’re lost already, reach out here.

Policies are the foundation. We need written guidelines with clear evidence of how we operate. Wondering “How do we know what to even write in these policies?” That’s what we help with. Get in touch here. Also wondering “Who will make sure we stay compliant and implement affordable tools to enforce these policies?” We do that too. Ask about our vCISO services here.

Policies establish standards for how employees, contractors, and vendors operate. They guide data retention practices and ensure you can show evidence, in code or in practice, that you’re following your stated philosophy. There are too many to detail here, but we’ve already built them all and can tailor them to your company’s specific requirements. Contact us here to learn more.

Next come procedures. Policies define the “what” and “why,” but procedures explain the “how.” For example:

All of this must be documented (a Google Doc works fine), but it must also be followed consistently. If you need help, reach out here.

So what enforces compliance? HIPAA is a self-attestation framework, meaning there’s no official certification process from the Department of Health and Human Services (HHS); nobody can sell you a “HIPAA certificate.” Organizations are expected to perform self-audits with a “good faith” effort to comply. However, most healthcare companies will require an independent HIPAA audit before signing partnership agreements or SLAs. In other words, it’s largely a self-regulating market. Self-attestation does not mean unenforced, though: HHS’s Office for Civil Rights (OCR) investigates complaints and reported breaches and can impose penalties, as the Jackson Health System case above shows.

What does this mean for your business? At a high level, appointing or hiring a vCISO (Virtual CISO) is a great way to offload security responsibility to a trusted professional. A vCISO can serve as your designated Privacy Official and Security Official, the two roles HIPAA requires every covered entity and business associate to assign. Small companies can leverage managed services such as a vCISO to remain compliant without the overhead of hiring a full security team. This keeps your team lean and focused on building features, while the fractional security team monitors compliance, conducts regular gap analyses, updates policy as business conditions change, and provides overall governance for the team’s security strategy.