HIPAA Compliance And You: An Introduction

HIPAA, the Health Insurance Portability and Accountability Act, is a piece of legislation crafted to help ensure the privacy of citizens of the United States. It requires that protected health information (PHI, or ePHI when electronic), defined as any health information that can be tied to a specific individual (such as doctor billing statements or drug prescription information), remains private and inaccessible to anyone without the express permission of the patient. This essentially boils down to making sure patients and their authorized care providers can access their records, but no one else can. A HIPAA fine can cost a company upwards of $50,000, and the damage to its reputation can be even worse, so companies should be prudent and take the necessary actions to be HIPAA compliant and be sure PHI is protected. Obeying HIPAA isn’t just a good idea; it’s the law.

While you may believe there’s no need for HIPAA compliance if you’re a tech company that helps produce smartwatches, or a small lab that occasionally deals with tissue cultures, you couldn’t be more wrong. Any data collected on a person that could be used by or given to a doctor, such as heart-rate monitoring, a pedometer, or even a calorie-tracking app, could potentially become PHI. (2) Sharing this data with a health professional transforms it into PHI, and as such it must be held to the same level of security as all other PHI. The problem is that many companies may not even have this in mind as they develop their product: a laboratory with limited experience in the healthcare field, for example, that has just developed a new technique for detecting cancer or a new method of testing for infertility.

So, let’s say you are a lab that is just starting up, or perhaps a little more established, with a new testing method you want to bring to a healthcare-related customer. You’ve probably looked a little into HIPAA and seen words such as encryption and de-identifying. You might be wondering what these words mean and how they relate to HIPAA, which is why we’re here; allow us to explain these concepts.

Encryption is a standard technique in electronic devices that turns useful information into nonsense for anyone who does not hold the key. When a lab uses encryption, it may believe that this is enough to be compliant with HIPAA law. Some labs might even believe that if they hold encrypted data with no decryption key, they don’t need to follow HIPAA at all. This couldn’t be farther from the truth: even holding an encryption key but no decryption key doesn’t exempt you from HIPAA (1), and so encryption alone isn’t enough to keep ePHI safe. There can be many obstacles for labs trying to keep their software up to date with the latest safety laws. This is especially challenging for a start-up with a small software budget, which makes it quite difficult to build your own HIPAA compliant solution. Given the attention that hacking and doxxing have received in the media, fears of a breach of your customers’ private data are completely understandable.

What is de-identifying, and what does it have to do with HIPAA? De-identifying is removing the identifying features of a person (of which there are 18) from their health record, and it is commonly used when preparing a file for a case study. While de-identifying (removing all information that could be used to attach a particular person to a set of health information) is workable for some cloud services, it simply isn’t possible for all of them. Labs can need some sort of identity attached to a sample, and this can simply be unavoidable.
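As an added illustration of the de-identification just described (example code written for this article, not QBench’s own), the following Python strips a constructed lab record of direct identifiers and generalizes the remaining quasi-identifiers the way HIPAA’s Safe Harbor method prescribes. It goes beyond the paragraph by spelling out the date, age and ZIP rules; the field names, the sample record and the restricted-ZIP list are assumptions (the ZIP list follows HHS guidance and should be checked against the current version).

```python
import re
from datetime import date

# Direct identifiers Safe Harbor removes outright (field names assumed here).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "url",
    "medical_record_number", "health_plan_id", "account_number", "photo",
    "license_number", "vehicle_id", "device_serial", "ip_address",
    "biometric_id", "other_unique_id",
}
# Dates tied to the individual: keep only the year.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date",
               "sample_collected"}
# 3-digit ZIP prefixes covering 20,000 people or fewer must become "000"
# (assumed from HHS Safe Harbor guidance; verify against the current list).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}


def deidentify_zip(zip_code: str) -> str:
    """Truncate to the first three digits, or suppress entirely if restricted."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3


def deidentify_record(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of one record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # drop direct identifiers entirely
        if key == "zip":
            out[key] = deidentify_zip(value)
        elif key in DATE_FIELDS:
            out[key] = value.year         # month and day are removed
        else:
            out[key] = value              # clinical values stay intact
    dob = record.get("date_of_birth")
    if dob is not None:
        age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
        if age > 89:                      # even the birth year would reveal age > 89
            out["date_of_birth"] = None
            out["age_bucket"] = "90+"
    return out


# Constructed sample record and reference date for the demonstration.
AS_OF = date(2023, 6, 1)
SAMPLE = {
    "name": "Jane Example", "medical_record_number": "MRN-0001",
    "date_of_birth": date(1931, 5, 14), "sample_collected": date(2023, 3, 2),
    "zip": "03601", "test": "lipid panel", "ldl_mg_dl": 132,
}
```

Note that a record can still be re-identifiable through unusual combinations of the values that remain, which is why Safe Harbor also requires no actual knowledge that the remaining data could identify the individual.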

It can be particularly difficult for any lab to come up with a way to meet HIPAA criteria, and many might seek out the mobility and ease of use of a cloud-based system. However, there are many rules for any system wishing to be cloud based (it can be done, and this will be discussed in a future article). Overall, there are 19 criteria to be fulfilled and 42 rules to be followed in total.

There’s a lot of technical discussion on what each of these criteria means and how it applies to each company. Therefore, we at QBench are happy to take these guidelines and distill them into understandable articles that should help you not only understand what HIPAA means, but also how your company can follow these guidelines, along with how the QBench cloud is HIPAA compliant.

In our next article, we’ll discuss the points of compliance to be properly HIPAA certified. We hope to see you then!