HIPAA and foreign startups
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a series of regulatory standards that set forth the US national standards for the privacy, security, use and disclosure of protected health information (“PHI”). If your company deals with PHI or you work closely or handle the data, finances, data storage, or even data disposal of a company that deals with PHI, you could very well be subject to HIPAA implications. Here are five things to look out for regarding HIPAA compliance for foreign startups.
Am I required to comply with HIPAA?
HIPAA applies to “Covered Entities” and business associates. Covered Entities are generally healthcare providers, healthcare insurance plans and healthcare clearing houses (i.e., healthcare clearing houses are companies that act as intermediaries between healthcare providers and 3rd parties). If you’re not a Covered Entity, HIPAA also applies to business associates (“BA”). A BA is any entity that provides services for a Covered Entity that involves the receipt, use, disclosure, maintenance or transmission of PHI. In fact, it also covers subcontractors of a BA (i.e., a Sub-BA”) and subcontractors of a Sub-BA.
To better understand this, imagine a scenario where a hospital (Company A) engages an accounting firm (Company B) to audit its financials; Company B then makes use of a European SaaS company (Company C) for data storage; and finally, a Company C uses a European Company D for data security. Since all companies in this chain of transaction will of a necessity deal with PHI, Companies A, B, C and D are required to comply with HIPAA privacy and security regulations.
What exactly are the HIPAA Privacy requirements?
Under HIPAA, the use or disclosure of PHI require some form of prior written authorization from the owner of the PHI except in certain instances, such as for treatment, payment or public policy reasons. Additionally, the covered entities, BAs and Sub-BAs must grant each PHI owner individual rights, i.e., the rights to access their PHI, to direct how the PHI is used or disclosed and to be able to request and obtain a report of the use and disclosure of their PHI. Finally, HIPAA imposes certain administrative requirement of such company, including but not limited to the training of staff, development of internal privacy policies and the appointment of a privacy officer.
What then are the HIPAA Security requirements?
The HIPAA thoroughly outlines the security standards that a party bound to the HIPAA must comply with. These include administrative safeguards, including but not limited to conducting risk analysis, implementing risk management measures, security awareness and training programs, security incident procedures, sanction policies and having contingency plans in place. Other safeguards include physical safeguards (such as controlling access to locations and devices containing PHI by having locks, proper storage and rules of deleting date), technical safeguards (i.e., encrypting information, installing software to monitor access to PHI, and preventing unauthorized access during transmission of PHI).
Is there anything in particular I should watch out for?
One thing to watch out for is the business associate agreement (the “BA Agreement”). This agreement is one of the administrative safeguards that is required by HIPAA. This agreement usually defines what would be considered permitted use and disclose of PHI and HIPAA requires all BAs and Sub-BAs to enter into such agreement with the upstream Covered Entity. Via this agreement, the BA (or Sub-BA) would acknowledge its obligation to comply with the HIPAA’s privacy and security requirements mentioned above, provide individual rights to the owners of the PHI and enter into similar agreements with its own subcontractors.
Since this agreement may open your company (i.e., the BA or Sub-BA) to liability towards multiple parties, i.e., their contractual partner, the federal and state government, and the PHI owners, this BA Agreement should be negotiated with caution. We recommend engaging an attorney with HIPAA expertise when doing so.
So, what do I do in the event of a breach?
Three words — Notify, Mitigate and Revaluate. HIPAA requires that in the event of a data breach, the Covered Entity, BA or Sub-BA responsible for the breach is to notify the individual whose PHI was breached, the upstream Covered Entity (If a BA or Sub BA), the OCR and in some cases, the media. After confirming the breach, the next step is to mitigate the effects of the breach as much as possible. This may include providing the owner of the breached PHI with identity and financial fraud prevention tools. Finally, the entity responsible for the breach is required to reevaluate its internal processes to locate the reason for such breach and put in preventive measures to prevent future breach.
While some of the above requirements may sound familiar for foreign companies who are bound by the GDPR, it is important to note that there are differences between both legal regimes. For instance, HIPAA violations have been found for (i) failure to undertake HIPAA required risk analysis and management, (ii) unauthorized disclosure of PHI, (iii) sharing PHI with a vendor without a BA agreement, (iv) for not terminating a former employee’s access to PHI, and(v) for loss of a laptop containing unencrypted PHI.
Therefore, it is important that you consult a lawyer with necessary expertise to ensure that your company is HIPAA compliant. The above description of the HIPAA provisions in no way counts as legal advice, neither does it claim to explain the HIPAA exhaustively and it is in your best interest to engage a lawyer for any questions you might have.
