Most of us are familiar with HIPAA, the law that requires healthcare providers, health plans and healthcare clearinghouses, collectively known as covered entities (CEs), to protect the privacy and security of patients’ health information. The law has been on the books since 1996, but last year the Department of Health and Human Services (HHS) made sweeping changes to the HIPAA rules.
Under the Final Omnibus Rule, a new set of provisions has been laid out that strengthens the HIPAA Privacy, Security and Enforcement Rules for protecting patient health information. Several of these provisions now apply directly to business associates (BAs), the companies that provide services to CEs and, in doing so, typically create, receive, store or transmit patient information on the CE’s behalf.
Previously a BA was only required to sign a business associate agreement promising to safeguard patient health information on behalf of a CE; its obligations ran to the CE, not to HHS. As of September 23, 2013, the Omnibus Rule’s compliance date, BAs are directly liable for compliance alongside CEs, and both are subject to the HHS HIPAA audits that are about to ramp up. The definition of a BA has also expanded to include organizations that merely store or maintain patient data on a CE’s behalf, such as a cloud storage provider, even if they never open it; only pure transmission services such as ISPs, the so-called mere conduits, remain outside it. CEs and BAs in violation of the privacy and security rules could face stiff penalties.
Meet Kate Schafer, founder of Innovative Healthcare IT. I met Kate at a recent Health 2.0 Silicon Valley Meetup. A room full of developers looked at the latest batch of mobile health apps designed to help us lead healthier lives. That’s the good news. But if they’re getting their hands on patient information and not following HIPAA rules in the process they may be shut down before they say “click on our icon.”
That’s where Kate comes in. She brings startups the trifecta of security technology, product development, and regulatory compliance with a focus on HIPAA, and advises them on building security and encryption layers into their platforms. I asked Kate to tell me what she does and why healthcare startups should care.
Tell me about your work and the services you provide to startups.
I have a long and varied background in technology and product development, combined with regulatory compliance and a focus on HIPAA. It’s that technical foundation that really resonates with potential clients and convinces them to work with me. There are numerous audit firms that can do what I do – most coming from the financial industry – but they don’t really provide healthcare startup support. I offer a “let’s roll up our sleeves and get it done” service where I work together with each client to craft a compliance strategy that works for their staff and for their budget. I can help healthcare startups get from prototype to industrial strength and scalable, and I make myself available for ad hoc questions any time a former client needs advice.
Companies come to me at various stages. A lot of my clients are just starting their first pilot. The product may have been developed offshore and they’re trying to bring it in-house. Or they may have just signed up a healthcare provider or a hospital for a pilot of the product, and their customer is asking for assurance of HIPAA compliance.
By law, healthcare providers must ensure that anyone who handles protected health information on their behalf (a business associate) complies with HIPAA before sharing any patient data with them, so non-compliance is a deal-breaker for these startups. That’s when they call me.
What is the primary sector of healthcare that your startup clients are creating solutions for?
There’s a range, but most recently the startups I’m seeing have a focus on the communications between providers and patients, particularly pre-op and post-op or at some other transition of care. For example, apps that focus on maintaining communications during recovery from surgery. The patient will go home with information they can access from their smartphone or tablet. These apps enable two-way communication, with metrics on rehab going back to the healthcare provider. Secure telemedicine enables real time feedback. Surveys and questionnaires provide feedback on the patient’s experience and can be fed into the product enhancement loop.
I’ve also got clients doing research and analytics on population health data and clients using mobile devices for healthcare decision-making. Those apps often also need to be FDA compliant. I also have clients from the VC community who are looking for an assessment of the security and/or compliance risk profile of a startup they’re considering investing in.
I don’t work with a lot of “quantified health” firms. Often people assume that quantified self apps (where an individual chooses to store their protected health information on their smartphone, for example) need to be HIPAA compliant but that is not the case. Healthcare providers must comply with HIPAA; individuals may do whatever they want with their personal health information. For some of these applications the patient is collecting information they might give to their doctor. But the doctors don’t always know what to do with it, may not trust it, or may not want it because they just don’t have the bandwidth to deal with it. This has created a new market for companies that can solve this problem with data aggregators and other solutions.
At what stage do healthcare startups typically bring you in for consulting?
When the startup is ready to recruit beta testers and pilot sites that’s where I come in. At that point if they haven’t already thought about security and HIPAA compliance, they are behind the 8-ball. At that point I can provide a range of services from a simple assessment of compliance gaps to a full remediation project that gets the startup fully compliant. I interview all the stakeholders and we talk about the big picture. I look at the technology stack, which refers to everything from the hardware up – all hardware and software components.
I look at all the security layers and identify where they could do better. On top of the pure security aspect, HIPAA requires documented policies that describe how each HIPAA requirement has been met. Most startups are far from having the volume of documentation required to meet HIPAA compliance.
What are the biggest challenges or obstacles facing your startup clients?
They are resource constrained and tend to focus on product development and getting pilots lined up, rather than security. They don’t have people on staff who understand compliance, so it gets handed off to somebody who’s already got a full plate. Getting compliant is a big job, and staying compliant is a lot of ongoing work. Without dedicated resources and support from the top, it’s a real challenge.
How do you see the gap between your clients’ innovative technology and adoption by providers and payers (if they’re targeting insurance companies too)?
There are different challenges. If you’re developing a product for use in hospitals it can be an uphill battle, particularly if the product needs to integrate with the hospital’s EHR. Hospital IT teams are necessarily risk averse and often not up to date on cutting edge technologies. They’re not entrepreneurial, so there can be a culture conflict. But it’s not rocket science to integrate with an EHR. I would say the challenges in working with hospitals are more bureaucratic than they are technical.
Working with clinics and smaller practices has its own challenges. These folks have tight budgets and no cushion. If your product doesn’t save time – or worse, takes time – it will be a tough sell. If implementation takes time away from providing care, it’s costing the practice money. Your product may improve care but if it makes a simple clinical step complicated and time-consuming it’s going to be a tough decision for them to adopt it. It’s very hard to justify a product that may provide huge long-term benefits if it cuts into today’s bottom line.
Image: Kate Schafer – provided by Kate Schafer