Maybe more so than any other industry, starting a business in the healthcare field is fraught with pitfalls that could put a serious obstacle in a healthcare company’s path. Handling and manipulating patient information in ways that can help physicians and other healthcare professionals more easily provide care is often the function of new healthcare startups. In fact, there’s no end to the amount of businesses that can succeed in the healthcare field if they can create a new and unique way of helping healthcare providers.
However, in dealing with patient medical information, otherwise known as protected health information (PHI), many startups don’t recognize the risks and corresponding safeties that must be observed to remain compliant. There are a few things to keep in mind when drawing up a business plan:
1) First, become aware of the ramifications of the Health Insurance of Portability and Accountability Act of 1996 (otherwise known as HIPAA) and what this means for your business. Perusing the Health and Human Services website (HHS.gov) and familiarizing yourself with the articles there is a great start. The initial step for regulation compliance is to understand exactly what that entails.
2) Carefully and frequently audit internal company policies. Ensure the HIPAA hosting provider that is chosen takes the necessary steps to follow the HIPAA Security Rule. This includes things such as two-factor authentication and account access audits. Constantly keep employees aware of HIPAA and what a breach could mean for the organization. Auditing would entail actual testing to find out if the company’s agreed-upon policies are resulting in compliant activities. For example, making sure that sensitive documents that go into a box to be shredded actually make their way to the shredder and are shredded properly.
3) Plan for the worst case scenario. It’s always better to be prepared, and just like fire drills, breach drills are a good idea. Make sure the proper personnel are aware of who needs to be notified and how much time to allot. This includes Business Associates (BAs) and other individuals who are involved in the breach. Have exercise examples ready to familiarize employees with what would constitute a breach and notification requirements.
4) Remember that HIPAA compliance is not a one-stop event, it is a constant practice! Staying compliant and preventing a breach requires vigilance and constant retraining. New employees should be trained and made aware of the nature of HIPAA from the first day, and proper training should cater to each job function. Employees should not be overwhelmed or overburdened by HIPAA regulations, but rather made aware of how it will affect day to day operations. Each employee does not need to be an expert, but rather, try to foresee what areas of HIPAA a particular employee will need to be familiar with.
5) Consider hiring a Compliance Officer. HIPAA is a huge, complicated law with many caveats and potential ramifications. Nobody is expected to know it all, but making a mistake can be critically problematic for a large, well-established company, not to mention a startup operating on a shoestring budget. The Compliance Officer or HIPAA Specialist can be utilized as a great way to work out more manageable HIPAA action items. This role can help to work out what needs to be done now, what is ongoing, and what can wait until the time is right. Furthermore, this person can coordinate training, audits, and even a disaster-preparedness plan of exactly what to do if something were to go wrong.
All told, HIPAA is often overwhelming, but the healthcare industry is constantly growing and a great place to gain a foothold for a new business with a radical idea. To maximize chances of success with a healthcare startup, keep these tips in mind when dealing with HIPAA. With some planning, vigilance, and luck, opening a health care startup business can become much easier and less overwhelming for HIPAA Compliance.