Until this summer, a significant subset of U.S.-based healthcare entrepreneurs were unable to legally use one of the most fundamental, integral, and efficiency-boosting development tools out there: Amazon Web Services (AWS). Cue the sweaty palms and standing arm hairs of any developer reading this.
That’s because any healthcare startup that electronically transmits an individuals’ health information needs to comply with a set of laws from the Health Insurance Portability and Accountability Act (HIPAA). These laws, enacted in 1996, require that certain health information be protected by a set of privacy procedures and security safeguards for electronic transfer. Fair enough.
The trouble was that Amazon Web Services was unwilling to abide by the set of procedures needed to engage with companies that a required to be HIPAA compliant. There is a common contract called a Business Associate Agreement (BAA) that goes along with HIPAA compliance, and Amazon wouldn’t touch it.
The issue wasn’t that AWS (or any other big-name vendors) had privacy or security issues. Just the opposite: a gorilla like Amazon is quite secure, above and beyond others. They’ve got no other choice. But in order to be able to sign a BAA, there are some procedures you’ve got to implement, and Amazon didn’t want to. Things like agreeing to report a data breach, and promising that you wouldn’t further disclose protected health information were tough to stomach.
But it’s not just Amazon. The same reluctance was true of so many other vendors and services that health care entrepreneurs are so eager to use (like HubScout, Survey Monkey, and BugSnag, to name a few). The easy solution for them was simply to opt out altogether, leaving thousands of healthcare startups out to dry. Again, fair enough, and completely understandable. But over the last few years, as the technical and operational bits and pieces of a startup have been increasingly outsourced to efficiency-creating vendors, the digital health sector has been disadvantaged.
But today, September 23rd, 2013, a refresh on HIPAA officially goes live by way of a new piece of legislation called the HITECH Act. Among other things, like encouraging electronic medical record adoption, the new HITECH rules radically expand the definition of who needs to comply with a subset of the HIPAA rules. This changes the game, and because of it, many of the tools that have been off limits for certain health care entrepreneurs will now be fully accessible.
You see, there is a nuance in the HITECH rule: Let’s say you’re a vendor and the last thing on earth you want is to have protected health information anywhere near your service. You’d think that excuses you from becoming compliant, but it doesn’t. After the HITECH rule, if any customer sends this information through a vendor (whether they endorse it or not), and the vendor’s servers store this information, they’re subject to the HIPAA Security Rule. There is no mitigation of liability for an entity that refuses to enter into the requisite agreements that govern this relationship (again, called a BAA). In fact, a failure to enter these agreements becomes a violation on its own.
Amazon sufficiently prepared for this moment, and as of June 18th, 2013, AWS started signing BAAs.
Just last week, Survey Monkey announced by email that they’re now supporting HIPAA and will sign BAAs for customers on a Platinum plan. And here is a vendor trying to capitalize on the fact that other vendors might not be privy to these new changes.
The dominos are falling, and more will follow suit. After today, thousands of vendors might determine that they’re not currently compliant with HIPAA but need to be.
If you’re a vendor, this probably sounds horrible: the U.S. government jamming regulations down your throat. And yes, it is annoying. But healthcare entrepreneurs sit on the other side of the table, and after you dig into the details, needing to sign a BAA and comply with the associated regulations is more like a bee sting than a broken leg. It hurts a bit at first, might swell up and itch, but then you rub on the hydrocortisone cream and a week later you’re feeling just fine.
So if you think you might be in a position of having to comply, here is the letter of the law, straight from the horse’s mouth. A Business Associate needs to comply with 45 CFR 164.308, 164.310, 164.312 and 164.316.
- 164.308 – Administrative Safeguards
- 164.310 – Physical Safegaurds
- 164.312 – Technical Safegaurds
- 164.316 – Policies and procedures and documentation requirements
As you browse through these, you might find that you do a lot of this already, and if you don’t, a number of them are smart practices for any company, not just those who need to comply with HIPAA. And if you have any questions, reach out to a health care legal firm like Hooper Lundy & Bookman, P.C. Many of them are happy to have introductory conversations for no cost.
If you do need to comply, and have to start signing BAAs, keep in mind that by putting up with a bit of red tape, you’ll be helping to accelerate innovation in the digital health ecosystem. And as hundreds of entrepreneurs plug away at solving the countless problems in health care, this will ultimately benefit numerous people (and patients) across the country.
Stephen Phillips, Partner at Hooper Lundy & Bookman, P.C. (health-law.com), edited this post.