Data Management Regulations: HIPAA
Startup founders fall into a range of categories based on their business models; some are creating apps for entertainment, some are building companies in the retail sector, some are focused on providing software services, and some are creating products and projects that are completely new in the world and don’t fit any particular category just yet.
But if your company handles customer data—which means client data or data belonging to that client’s individual customers—data management regulations will certainly apply to your operations model. The GDPR (if your customers are European) will affect you, and compliance gaps can lead to fines and penalties. SOC 2 data standards will also apply, and gaps in this case can deter enterprise clients from signing on with you. In addition to these, you’ll need to factor HIPAA (the Health Information Privacy and Accountability Act, administered by the Department of Health and Human Services) into your plans as well.
You may think HIPAA regulations have nothing to do with you if you don’t provide healthcare services, but HIPAA should be on your radar if you deal with any clients who do handle PHI (protected health information), and you’ll need to maintain compliance if you provide or intend to provide group health insurance to your employees. In both cases your status as a “business associate” means you’re covered by the law, and compliance problems can bring headaches and expenses you might not expect.
But what if we only store the data and don’t do anything with it?
A “conduit” provision applies to some entities (like the post office) who simply hold data (PHI) temporarily before passing it along to its destination. But if you store or manage this information, you’re accountable for security against data breaches, gaps, and misuse.
What if our client data is encrypted and we don’t have a decryption key?
That doesn’t matter. You may provide cloud computing services to clients who use encrypted data that you can’t access, but if you manage, store or protect any form of PHI, HIPAA applies to you.
Should we conduct an internal audit of our HIPAA compliance even if we might not be accountable under the law?
Not necessarily. First, determine if you’re considered a business associate or covered entity. There’s no need to worry about HIPAA if you’re not. Next, determine if you plan to sign future contracts that would place you under the umbrella of compliance (for example, if you intend to offer cloud based data management service to covered clients). If either of these apply to you, or to your future goals, team up with your legal counsel and develop a plan.