One of the great things about working here at Zen Healthcare IT is the opportunity to work with interesting startup-stage healthcare vendors. These innovative vendors are excellent at identifying a problem in healthcare and then developing purpose-built devices and applications to address that problem. But early in their life cycle, they may have gaps in their knowledge that can negatively affect their ability to successfully sell to hospitals, health systems and/or providers.
The Zen team finds there are three essential steps to be prepared to sell into the healthcare marketplace:
- Be HIPAA ready
- Prioritize interoperability
- Be ready to show it off
Over this series of posts, we’ll dive into the details for each step.
First up – #1 on the list:
Be HIPAA ready!
Occasionally Zen talks to startup healthcare vendors who have not worked out all the details of how they will communicate with their prospects about HIPAA privacy requirements. They may have a general understanding of their responsibilities to protect PHI, and usually are focused on the security of PHI from a technical perspective, but not necessarily from a business perspective.
“Protected health information (PHI) under US law is any information about health status, provision of health care, or payment for health care that is created or collected by a ‘Covered Entity’ (or a Business Associate of a Covered Entity), and can be linked to a specific individual.” – Wikipedia
Vendors fall under the Business Associate category under the HIPAA Privacy Rule. Failure to comply with federal HIPAA privacy regulations carries significant penalties for both the startup company and its employees. And some of the risks associated with PHI breaches fall outside the purely technical. For example, PHI is often shared when it really isn’t needed during early discovery and implementation stages. These “avoidable” PHI sharing situations increase the possibility of a future PHI breach. Proactive HIPAA planning and policies reduce your risks significantly.
Here are some key business questions and tips related to HIPAA and HIPAA compliance that should be considered. We’ve also supplied some links to additional HIPAA resources at the end of this post.
Do the company executives, investors and/or Board fully understand the risks and liabilities related to the HIPAA Privacy Rule? Is there an understanding that HIPAA compliance requires an investment of time and resources?
Consider using outside HIPAA experts to put a HIPAA Compliance Strategic Plan together early in the company life cycle.
Who is the internal designated HIPAA Security Officer? Is this person fully trained?
While Business Associates are not required to designate a HIPAA Security Officer, we highly recommend it. Designating a HIPAA Security Officer provides an additional level of accountability. Third-party HIPAA training courses are relatively inexpensive and widely available, and should be taken annually to stay up to date. Advanced HIPAA classes are recommended for the HIPAA Security Officer.
Is there a written HIPAA Security Policy document?
Consider requiring that all incoming employees (full and part-time) review and “attest” to understanding and complying with all formal company HIPAA security and privacy policies.
Be sure to adopt the “minimum necessary” principle: use the smallest data set necessary to achieve a given task involving protected health information.
We recommend asking all employees to sign the HIPAA security policy document.
Consider scheduling internal HIPAA reviews monthly to review internal compliance.
How will you train your staff on HIPAA? Who on staff will need to have HIPAA training?
Third-party HIPAA online training courses are easy to implement. We strongly recommend that every employee take this training at least annually. Be sure to create an easy way to track when HIPAA training is due for each employee.
Supplement standard HIPAA training by documenting two or three common scenarios that apply directly to your business. Test your staff on what they would do if they encounter these scenarios. This simple, practical training will help keep privacy top-of-mind.
We recommend quarterly HIPAA refreshers on your security policy and best practices.
What are the ongoing, internal HIPAA compliance audit processes?
These should be documented in the HIPAA Compliance Strategic Plan and in the appropriate designated employee’s job descriptions.
Are company standard Business Associate Agreement (BAA) templates available for both clients and contractors?
Be aware there are different versions of the BAA needed when contracting with your clients versus contracting with outside consultants/vendors.
Do you have an experienced healthcare attorney available to review client’s Business Associates Agreements?
Many mid-sized to larger organizations will have their own BAA. It’s often easier/faster to use those. In some cases, it is required to use theirs.
A knowledgeable attorney or company executive should do a quick review to be sure the company isn’t being asked to take on more security/privacy related responsibilities than would normally be expected. For example, sometimes they contain restrictions related to technical resources located outside the U.S. having access to their systems.
Have you published an internal guide related to proper de-identification techniques?
This is important because not everyone may recognize identifying information when they see it. For example, a file might contain an insurance member ID along with other demographic data. That information, when combined with several other pieces of data, could be identifying.
HHS has published guidance on proper de-identification methods. Healthcare vendors should familiarize themselves with the Safe Harbor method discussed on this web page.
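To make the Safe Harbor method concrete, here is an added example (not Zen’s code or any HHS tool) that applies its main rules to one constructed record: direct identifiers such as the member ID are dropped, dates are reduced to the year, ages over 89 are aggregated, and ZIP codes are cut to three digits or zeroed. The field names and the restricted ZIP prefix set are assumptions; the authoritative ZIP list comes from HHS guidance and census data.

```python
"""Safe Harbor style de-identification of a single record (illustrative example)."""
import re
from datetime import date

# Direct identifiers Safe Harbor removes outright; field names are assumed.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "member_id", "mrn", "ssn", "phone", "email", "address", "account_number",
}
# Constructed, illustrative set of three-digit ZIP prefixes covering 20,000
# people or fewer; replace with the current list from HHS/census guidance.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "member_id": "ABC123456",
    "dob": "1950-06-15",
    "admit_date": "2019-03-02",
    "zip": "03601",
    "diagnosis_code": "E11.9",
}


def deidentify(record: dict, today: date) -> dict:
    """Return a copy of record with the Safe Harbor identifier rules applied."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop direct identifiers entirely
        if key == "zip":
            zip3 = str(value)[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key == "dob":
            dob = date.fromisoformat(value)
            age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
            if age > 89:
                out["age"] = "90+"  # birth year would reveal the age, so it is dropped
            else:
                out["birth_year"] = dob.year
        elif isinstance(value, str) and re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
            out[key] = value[:4]  # other dates related to the person: year only
        else:
            out[key] = value  # clinical codes and similar non-identifying fields stay
    return out
```

Safe Harbor also requires that you have no actual knowledge the remaining fields could identify the person, which no script can check for you.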
Have you obtained a secure, Direct messaging account?
Direct secure messaging is a HIPAA-compliant method for transporting PHI. It is useful for vendors when a file or a sample message containing PHI needs to be securely exchanged with clients. Vendors can purchase a small number of Direct accounts for minimal cost. Zen uses Inpriva.
Has the sales team been briefed on common privacy and security questions that may arise during the sales cycle and how to handle those consistently?
No one should be able to tell you are a startup during the sales process!
Additional HIPAA Resources:
We think HIPAA Store has affordable and useful resources for Business Associates. Here is a link to their Business Associate’s Compliance Guide. They also provide online training courses and other HIPAA related consulting.
A good detailed explanation of HIPAA from HHS:
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/
Looking for help?
Check back for part 2 – Prioritize interoperability
