Is your digital health startup subject to HIPAA?
It's long and tedious and sometimes confusing, but the Health Insurance Portability and Accountability Act is more important than ever in the digital health, big data era.
As Stefano Quintini, an associate at Fenwick & West LLP, explains to Rock Health companies in this video, there are two factors that digital health companies must consider when deciding whether they’re subject to HIPAA: who is involved and what kind of information they’re collecting.
Protected health information (PHI) – the subset of personally identifiable information (PII) that relates to a person’s health, condition, care, or payment for care – is subject to HIPAA when it is created, received, stored, or transmitted by a covered entity (CE) or a business associate (BA).
A covered entity (CE) is an organization like a hospital, physician’s office or insurer, and a business associate is anyone who performs functions that involve protected health information on behalf of a covered entity.
If a digital health company creates, say, an app that collects data from individual users and aggregates it for physicians, HIPAA does not apply, because the information shared with the physicians is not PHI. Likewise, a medication adherence app that lets a consumer track his own medications is not subject to HIPAA, because although the app is collecting health information, the consumer is not a covered entity. However, if that data were shared with a physician for medical care, the app would become subject to HIPAA.
So what does it mean to fall under HIPAA’s umbrella? A full reading of HIPAA’s requirements is recommended. But, in summary, companies must follow the Privacy Rule and the Security Rule.
The Privacy Rule restricts a company from using or disclosing PHI for purposes other than treatment, payment, or healthcare operations unless the individual gives written authorization. Meanwhile, the Security Rule requires a company to conduct a risk analysis and to implement administrative, physical, and technical safeguards that protect electronic PHI against a breach.
Business associates must comply with these rules as well, and must notify the covered entity in the event of a breach.
“There’s a lot of temptation when there’s data available, and there’s demand on one hand and supply on the other side that don’t meet one another, there’s a lot of temptation for companies to monetize,” Quintini says. “But what’s OK in other spaces might not be OK in the healthcare space.”