What is HIPAA Compliance?
HIPAA stands for the Health Insurance Portability and Accountability Act. HIPAA is a regulation created by the Department of Health and Human Services that governs how all health data is protected, whether that is digital health data, physical health data, or health information more generally. At its core, HIPAA emphasizes that the ultimate owner of health information is the patient.
Enforcement of HIPAA
Under HIPAA, organizations can be audited at both the federal and state level to make sure they are complying with everything HIPAA declares about the safety of health data and the patient's ownership of it. HIPAA was first instituted in the 1990s, but organizational audits only started in the last 15 years. HIPAA was revised by the HITECH Act, which encouraged much more auditing and legislation around topics such as data breaches. When people violate HIPAA at any level of scale, that information is public: if you visit hhs.gov you can see which companies and individuals have violated HIPAA, which can help when selecting new medical professionals.
Digital health organizations building solutions for the healthcare industry and the patients within it must realize that, in order to protect the commitments these healthcare enterprises make to legislators about protecting patients, all of their handling of data has to be in line with those same expectations. Most importantly, HIPAA is a US regulation. Many people and companies in Canada talk about HIPAA compliance; however, it does not actually apply in Canada. If you build with the intention of meeting the objectives of HIPAA, then you are building to a well-understood, well-documented, and very specific standard for security.
Compliance vs. Certification
Digital health companies that sell to or partner with healthcare enterprises, or sell to consumers, may be passing data to other entities on those consumers' behalf. These organizations have to be compliant, because the requirements that apply to a covered entity apply to them as well: HIPAA compliance is what must be followed, but HIPAA certification is not something that actually exists. There is no certification for HIPAA. There are certain proxies, where some covered entities will require you to hold a certification that is not administered by the healthcare organizations or the government.
However, if you hold those certifications, an expert has most likely checked that you have everything needed to be a HIPAA-compliant organization. Typically, that can include SOC 2 compliance, which is a financial accounting system that isolates HIPAA. Many hospitals require a SOC 2 certification from any digital health company at a reasonable level of scale. HITRUST is a private organization created by major players in the US insurance industry who wanted to make it easier to check the HIPAA compliance of the organizations they work with.