The past two years have seen an explosion of medical apps written by newcomers to the medical space. The products and services offered range from simple patient-tracking applications to sophisticated medical devices. As a CTO I’m often called upon to give advice to startups that want to understand the regulations and “red tape”.
I usually begin with the clarification that laws such as HIPAA or HITECH are not red tape. They are the best efforts of the legislature to protect your privacy while balancing the social good of population-health initiatives. Before these laws existed it was legal, albeit unethical, for someone working in a hospital to surf through medical records and tell their friends about your medical history.
To give a contrasting opinion, Evan Schuman published a piece in Venture Beat entitled “Health App Developers face their greatest obstacle, privacy regulations” that claims HIPAA is just too hard for the world of 2015.
These apps have the potential to advance health care, especially in parts of the world where quality care is distant. But they first have to overcome a huge obstacle. In addition to the funding challenges and routine tech hurdles that every startup must clear, healthcare apps have to wrestle with 19-year-old federal HIPAA guidelines, which often frustrate developers, who see the rules as impractical in the mobile world of 2015.
So are HIPAA and HITECH really that hard to comply with? They certainly can be, but probably not when you’re a startup. In short, if you pick your battles and address the big-ticket items, you’ll have time to get to the rest.
Here’s my shortlist of “musts” that I’d address before I launched – you can decide if they are onerous.
- If you plan to store data on the device or anywhere else, you should encrypt it. There is no hard-and-fast requirement for the type of encryption, so use something recent.
- If you are sending data over a computer network, use TLS or an equivalent. You’re probably doing that already, so what’s the big deal?
- Look at the passwords you are issuing and make sure best-practice access controls are in place. Use a complexity scheme, have passwords time out, implement lockout on repeated incorrect passwords, and so forth. Don’t rely on the fingerprint sensor on the phone unless you can make it meet these controls.
- Conduct a risk assessment. This isn’t hard. List the assets you have and work out the risks to each of them. For example, I have my central database server in a data center. Hmm … what could go wrong and how might I mitigate that?
- Put an audit trail in place that lists who looked at a piece of health data, when they looked at it, and what the reason for that access was. This is basically just a secure database table. You do need to keep it for quite a long time, so be sure it’s somewhere safe.
- Get someone to review security and access logs on a periodic basis so you can detect inappropriate use.
- Have a written procedure for sanctions to use when people violate the rules. This usually means a written warning on first offense, followed by termination on a second offense. It’s got to have teeth.
- Make sure all the commercial entities you work with who store or handle health data on your behalf are implementing similar controls. This is often done through the use of business associate agreements (a.k.a. BAAs).
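The audit-trail and log-review items above are the two that most often get hand-waved, so here is an added example of what “a secure database table” plus a periodic review can look like in practice. This is illustration code written for this post, not code from any product I’ve built: the table layout, the column names, the user and patient identifiers and the “five distinct records per review window” threshold are all constructed assumptions. It uses SQLite so it runs offline; the same shape carries over to any relational database.

```python
"""Added example: an append-only PHI access audit trail with a periodic review
query. Not code from the original post; schema, names and sample records are
constructed for illustration."""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE phi_access_log (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    accessed_at TEXT NOT NULL,   -- when: ISO-8601 timestamp
    user_id     TEXT NOT NULL,   -- who looked
    patient_id  TEXT NOT NULL,   -- whose record
    purpose     TEXT NOT NULL    -- why (treatment, billing, ...)
);
-- Make the table append-only at the database layer: rows can be added but
-- nobody using the app's DB credentials can rewrite or erase history.
CREATE TRIGGER no_update BEFORE UPDATE ON phi_access_log
BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
CREATE TRIGGER no_delete BEFORE DELETE ON phi_access_log
BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
"""


def open_audit_db(path=":memory:"):
    """Create the audit table and its protective triggers."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record_access(conn, user_id, patient_id, purpose, when):
    """Append one who / whose record / when / why row.

    An empty reason is refused so the purpose is captured at the moment of
    access rather than reconstructed later."""
    if not purpose.strip():
        raise ValueError("an access reason is required")
    conn.execute(
        "INSERT INTO phi_access_log (accessed_at, user_id, patient_id, purpose)"
        " VALUES (?, ?, ?, ?)",
        (when.isoformat(), user_id, patient_id, purpose),
    )
    conn.commit()


def is_append_only(conn):
    """Verify that history cannot be rewritten: UPDATE and DELETE must fail.

    Needs at least one row, because the triggers only fire per affected row."""
    if conn.execute("SELECT COUNT(*) FROM phi_access_log").fetchone()[0] == 0:
        raise ValueError("need at least one row to exercise the triggers")
    for stmt in ("UPDATE phi_access_log SET purpose = 'edited'",
                 "DELETE FROM phi_access_log"):
        try:
            conn.execute(stmt)
        except sqlite3.DatabaseError:
            conn.rollback()
            continue
        conn.rollback()
        return False
    return True


def review_unusual_access(conn, since, max_patients):
    """Periodic review: users who opened more than `max_patients` distinct
    records since `since`. High fan-out across unrelated patients is the
    classic signature of someone browsing records they have no reason to see."""
    rows = conn.execute(
        """
        SELECT user_id, COUNT(DISTINCT patient_id) AS n
        FROM phi_access_log
        WHERE accessed_at >= ?
        GROUP BY user_id
        HAVING COUNT(DISTINCT patient_id) > ?
        ORDER BY n DESC, user_id
        """,
        (since.isoformat(), max_patients),
    ).fetchall()
    return [(user, n) for user, n in rows]


# Constructed clock for the sample data (an assumption, not real data).
BASE = datetime(2015, 6, 1, 9, 0, 0)


def seed_sample_accesses(conn):
    """Constructed sample: a nurse reviewing her two patients, and a clerk
    opening six unrelated records in twenty minutes."""
    record_access(conn, "nurse_a", "P-1001", "treatment", BASE)
    record_access(conn, "nurse_a", "P-1002", "treatment", BASE + timedelta(minutes=5))
    for i in range(6):
        record_access(conn, "clerk_b", f"P-20{i:02d}", "billing",
                      BASE + timedelta(minutes=10 + 3 * i))


if __name__ == "__main__":
    db = open_audit_db()
    seed_sample_accesses(db)
    print("append-only:", is_append_only(db))
    print("flagged for review:", review_unusual_access(db, BASE, max_patients=5))
```

The point of the triggers is that the log is only worth something if the people it is meant to catch cannot edit it; in production you would also keep the log on a separate database role that the application can only insert into, and retain it for the period the regulation requires. The review query is the simplest useful version of the “someone looks at the logs periodically” item: it turns a table nobody reads into a short list a human can actually act on under the sanctions procedure.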
Now, I am by no means saying this is a comprehensive list of what HIPAA requires, and I am emphatically not saying that if you do just this stuff you’ll pass an audit. However, you have to start somewhere, and a small company just doesn’t have the resources to do everything up front.
I hope this helps at least one startup to climb out of the nest.