At any given time, I’m either building IT programs from scratch, constructing new offices, or conducting compliance and security assessments as an independent contractor for early stage companies. You can visit my website, theitplan.com if my approach resonates with you.
Team —
This is a big one. Beepers and Fax collided with SMS and in-app notifications about 12–18 months ago when VC funding flooded into the health tech space. We’re only now starting to feel the shock wave.
Part of that shock is that disrupting the healthcare industry looks different than the taxi cab industry. And wedging in an agile approach to building products doesn’t lend itself so well to highly regulated environments.
So, startups take one on the chin this time. Let’s get back to iteration, but this time around, start from a place of understanding the regulation. You got this.
Quick Note on HIPAA Compliance
This is a super misunderstood area for startup folk. The best way I can describe it is that it’s compliance not compliant. It’s a spectrum — there’s no such thing as HIPAA compliant.
This works to your favor — here’s why.
The expectations of your company are based on your abilities and resources to institute reasonable compliance measures. You’re not held to the same standard as Blue Cross Blue Shield.
It also reflects the regulation is largely a in the spirit of sort of thing, not a black and white, binary, guilty/not guilty problem. 65% street knowledge, 35% book knowledge. Also good.
But these being good for you depends on your willingness to understand HIPAA. Plowing forward without considering compliance won’t make you exempt from it and as we see with all things, fixing something after it’s been built is a lot more difficult (and costly!) then building it right-er the first time.
Each of these recommendations can be tied back to the Security Rule and Privacy Rule.
Before we jump in, there’s one more thing. HIPAA is a discussion. You don’t teach it, you discuss it. It’s never going to go away, you never get to a state where you don’t have to think about it, so the best recommendation I can ever make is to embrace it.
#1 Perform Annual HIPAA Compliance Training for All Staff
HIPAA Security Rule Requirement (Summarized): Ensure compliance by their workforce.
This makes sense, right? Before you can comply with something, you kind of have to know what it is. Shoot, the government even gives you the resources for free for this one.
Still not convinced? Okay, this is going to be the top checkbox on any audit, any assessment, and any insurance you try to get.
Here’s how I recommend tackling this one.
- Either create, buy, or find a HIPAA Compliance training video. If you buy or find, add in company-specific sections to make it relevant. If you can’t edit or modify it, pause it during the training and make it relevant.
- Create a Google Form survey with 5–10 questions to demonstrate comprehension of the material.
- Schedule and record trainings with a group size that is conducive to a Q&A at the end and open discussion of some items.
- Take attendance in the trainings and enforce comprehension quiz completion. Managers should be responsible for making this happen.
- Modify your onboarding process to require watching the best recording and taking the quiz.
- Repeat annually.
- Bonus — Tie this into your IT Security Training to protect the company against phishing, loss, theft, and exfiltration.
Wait — this one is so important, I’m not done yet.
You need to use this opportunity to teach employees how to distinguish between PHI, PII, and not-PHI/not-PII. This is important because you’re empowering these individuals to go off and make decisions about new services, data transfers, and sales pitches that don’t expose what HIPAA is intended to protect — patient health information. HIPAA revolves around PHI, so this is a distinction we need everyone onboard with.
Almost there.
The practices you’ll take to protect PHI are built off of IT security best practices that come from the National Institute of Standards and Technology (NIST). So not only are you improving HIPAA compliance, you’re better protecting company assets and instituting practices that are going to support you later stage SOC2, HITRUST, and other compliance initiatives.
This is an investment worth making in your self, team, and company.
#2 Advocate and Enforce Strong Passwords Everywhere
HIPAA Security Rule Requirement (Summarized): Identify and protect against reasonably anticipated threats to the security or integrity of the information
A strong password is a minimum 12 character non-dictionary word(s). If you can mix upper and lower case, add in a number, and an altern@te character, you’re golden.
Not only does this secure company assets, which includes company data and information, but it reduces the likelihood of brute force success against a service hosting PHI.
This is also going to pop up pretty early in any audit and vendor assessment.
If you want to make this easier on your team and improve productivity and align with an iterative approach to identity management (end state being SAML-based SSO + SCIM), sign up for a password manager and deploy it to the entire team. I begrudgingly recommend LastPass because it’s cheap, an OG in this field, and offers features that you won’t find in other entry-level competitors. If you hate my recommendation, the no-brainer alternative is 1Password.
#3 Enforce Multi-Factor Authentication Everywhere
HIPAA Security Rule Requirement (Summarized): Identify and protect against reasonably anticipated threats to the security or integrity of the information
In the words of Maya Angelou “…when you know better, do better.”
This is now a requirement given what we know about usernames and passwords. Plus, we’re all so used to it now that it’s not so bad, right?
#4 Encrypt Storage Mechanisms
HIPAA Security Rule Requirement (Summarized): Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
You must store PHI in a secure manner. Encryption is the generally accepted secure storage practice. This means computer hard drives, server hard drives, even USB drives if you’re using those (it is not recommendation to allow USB drives anymore as they’re a means of exfiltration — malicious, accidental, or neither).
For small companies, you can ask staff to provide screenshots as proof and/or issue computers encrypted but the best way is to use a Device Management service like Meraki Systems Manager, Microsoft InTune, Mosyle, Jumpcloud — there’s a lot of them out there. This allows you to enroll the computer and manage many settings, plus it gives you an inventory of company equipment.
For personal devices or phones, Google Workspace has a free or inexpensive option to enforce a PIN or passcode, which encrypts the device.
#5 Install an Antivirus and Firewall on All Machines
HIPAA Security Rule Requirement (Summarized): Identify and protect against reasonably anticipated threats to the security or integrity of the information
The built-in software in Windows is absolutely fine and all operating systems have a built-in firewall.
Macs and Chromebooks are a little more difficult but popular offerings include Sophos and Bitdefender and Malwarebytes. I advise against a heuristic based antivirus for many reasons, not the least of which is an insanely poor cost/benefit.
Just…please don’t give Norton any money.
#6 Adopt Policies for Signature Upon Hiring
HIPAA Security Rule Requirement (Summarized): Ensure compliance by their workforce.
In addition to training, this falls in line with giving staff an official reference for acceptable standards and practices within the company.
Nobody likes writing policies. So good news, you do not have to reinvent the wheel here. Not only can you find policy templates for free, but a simple one-pager that takes 15 minutes to write will suffice.
Keep in mind that policies reflect company practice. If you write a policy to be an ideal future state, it’s not a policy, it’s an IOU.
#7 Perform Background Checks for New Hires
HIPAA Security Rule Requirement (Summarized): Identify and protect against reasonably anticipated threats to the security or integrity of the information
This is a great diligence measure to show that you’re taking all reasonable measures to protect who is accessing patient health information.
Practically speaking, this is a cost of doing business measure. Goodhire is what many startups are using for this purpose.
#8 Add a Privacy Policy to your Website
HIPAA Privacy Rule Requirement (Summarized): The Rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections.
Have you ever told a friend something you wanted to do and then felt like you had to do it? This is a great way to hold yourself accountable to good compliance practices, but it also provides the public a reference point for how you handle their data and the steps they need to take to request it.
Plus, it’s a great exercise for the team to understand how to treat sensitive information. Speaking of good exercises…
#9 Create Data Flow Diagrams
Not a HIPAA Rule Requirement
I’ve intentionally chose this one because it’s going to uncover all the ways in which you can improve. It includes printing PHI, emailing PHI — any transfer of PHI from one place to another. Since I can’t detail all of those, I’m hoping this practice will.
A chart outlining how PHI moves from place to place while it’s in your care accomplishes several things.
- It provides an opportunity to identify weaknesses, potential threat exploits, and opportunities to improve handling of PHI.
- It’s the easiest way to discuss the flow of PHI in any kind of meeting — internal, vendor, regulatory review or audit.
- It’s going to demonstrate and solidify the knowledge the team has gained through training and awareness measures.
Plus, it’s a nice break from coding all day.
#10 Create a Centralized Repository for Business Associate Agreements
HIPAA Privacy Rule Requirement (Summarized):The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
Business Associates of a Covered Entity who handle PHI must treat that data as if they were a Covered Entity. An agreement (BAA) outlines these obligations and how they will be performed.
HHS even made a stock BAA for you.
You’ll need a BAA between any non-your-company entity that is, or has a reasonably anticipated potential to be, exposed to PHI.
#11 Log Who Accesses PHI Every Time
HIPAA Privacy Rule Requirement (Summarized): A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
HIPAA is all about bonus rules. It’s undergone so many revisions over the years that I just had to add a fun one at the end. Yes, you need to be doing this.
That’s a lot, huh? While it sort of scratches the surface of HIPAA compliance, I hope this is a helpful way to either improve your compliance posture or validate practices that are already in place.
Oh and to be clear, you only need to perform the recommendations here on services/locations containing PHI. But these are all considered basic best practices — they’re encouraged to be used wherever applicable.
I’m sure you got this, but if you need help implementing these or other measures, I perform compliance assessments, remediation, and reviews as an independent consultant (ie: a tenth of what Vanta quoted you). Good luck!
