OutsideCTO - HIPAA From Scratch

Introduction

This guide is about getting your small business compliant with HIPAA, the Health Insurance Portability and Accountability Act. The audience for this book is the owner of a business that wants to be a HIPAA Business Associate (BA).

⚛ Note
This guide does NOT constitutes legal, compliance, or clinical advice: Use at your own risk.

This guide does not cover HIPAA for a company that provides healthcare or insurance and holds data regarding its own patients or members: those types of companies would be considered by HIPAA to be Covered Entities (CEs). The physician practice that provides your everyday healthcare, a hospital, a healthcare insurance company: These are all CEs. A BA provides services to CEs but does not originate patient data. For example, a CE might share some patient data to the BA. That patient data is what you need to keep secure and is why you must follow HIPAA.

Here's one acronym we're going to define now, because we're going to use it a lot: PHI stands for Protected Health Information," and it's what you need to protect.

There are three core rules for HIPAA:

The Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information (PHI). . . . The Rule . . . sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. The Rule also gives individuals rights over their protected health information.
The Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or emaintained by a CE [And, according to the HITECH Law of 2009, BAs]. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.
The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.

A BA is obligated to satisfy the Security Rule and the Breach Notification Rule. Strictly speaking, the Privacy Rule only applies to CEs. However, if you do any business with a CE, you will find that you will need to sign a HIPAA Business Associate Agreement (BAA), which will obligate you to follow the CE's requirements regarding the privacy of patient data. In my experience, the CE will obligate you to never share patient information except in a number of very narrow cases which the CE will define or are required by law.

In short, a BA has to be just as secure as a CE, but there are some rules regarding patient privacy that you may not need to implement in detail (but there's still plenty regarding privacy you'll need to know about!).

CEs might find this guide useful, but it is not really for them. Occasionally this guide will provide references to the actual HIPAA laws via Cornell University's Legal Information Institute.¹ For instance, the definitions of covered entity and business associate are at 45 CFR § 160.103. Critically, this chapter of the law also notes that a subcontractor of a BA is also itself a BA.

⚛ Note
If your business provides services to a CE, and you have access to the CE's patient data, you are in fact a HIPAA BA and must comply with HIPAA (even without a BAA) whether you like it or not.

Here are a couple of examples of work that you might want to conduct for a covered entity that require HIPAA compliance:

You are an expert in geographical information systems. The covered entity (CE) has engaged you to analyze patient addresses to see if there are any similarities or possible groupings according to the patient's geographical location (latitude and longitude). The covered entity intends to share the clinical data for 2,000 patients along with their addresses. Because addresses (and latitude and longitude) identify the patient, the data is considered protected health information (PHI), and you must be compliant with HIPAA in order to sign the Business Associate Agreement (BAA) sent to you by the CE. Also, note: if you intend to geocode the addresses into the latitude and longitude, you are going to have to do that yourself on your own secure infrastructure, or you're going to need to find a geocoding partner that is itself HIPAA-compliant.
You're a printer and a provider has engaged you to send mailings to patients. I'm afraid this is PHI as well. To my knowledge, no printer of such mailings has been fined by the government for a breach and/or lack of HIPAA compliance, but I expect that to happen sooner or later.

If you're a business that does work for a covered entity and you have access to patient data, what can happen if you do not adhere to HIPAA? Well, if you exposed patient data (committed a breach), you may have to pay. For example, in May of 2019, Health and Human Services (HHS) announced that Medical Informatics Engineering of Indiana had to pay a settlement of $100,000 and submit to a corrective action plan to settle a HIPAA breach from 2015. This company could have breached even if they had followed HIPAA scrupulously: But they didn't. Hence, they had to execute on costly corrective action plan to get the company to adhere better to the HIPAA rules.

I have learned of startups that have taken a cavalier attitude towards HIPAA and have signed business associate agreements with CEs, not knowing how exposed they become without taking steps to be compliant with HIPAA. Among the most egregious things non-HIPAA-compliant business sometimes don't do are:

Conduct a risk analysis (required by HIPAA § 164.308)
Designate a Privacy Official (required by HIPAA § 164.530)
Identify a Security Official (required by HIPAA § 164.308)
Encrypt patient information (you must do this if reasonable - HIPAA § 164.312)

I'm going to show you how to implement all of these things, piece by piece. The main reason to do this is because by building your compliance platform incrementally and early, you will be able to understand your risk more thoroughly.

Besides the compliance obligation, are you really exposed to attacks on your environment? In fact you are. According to the 2023 Verizon Data Breach Investigations Report (DBIR), 25% of all known breaches involve healthcare, finance/insurance, and/or information technology companies (p. 50). In healthcare, 98% of external attackers are financially motivated (p. 56). Insider threats are also real with 32% (pp. 52, 50) coming from "miscellaneous errors," which means that you have to implement systems that have guardrails to prevent unintentional screwups.

If you currently do not have any business, no contracts, no business structure (like an LLC, S-Corp, or C-Corp), no bank account for your business, no email: Well that's great! Because without a business you don't have much risk. Once you start building out your startup or small consultancy, each step is going to introduce risk. I am going to explain how to add components to your platform, and analyze (and mitigate) risk along the way.

At the end of each section, I'll provide an account of the milestones that have been passed in terms of identified risks and how those risks are mitigated; an account of the spend so far and how the monthly spend is growing; and a list of resources for further reading.

1. I like the Cornell site because the URLs are readable. For the government's official publications, see their e-CFR.