Demonstrating HIPAA compliance is a challenge for many digital heath companies. In fact, smaller digital health companies often struggle to meet even the basic requirements of the HIPAA Privacy, Security and Breach notification rules. Fortunately, Amazon Web Services and MS Azure, both of which offer Business Associate Agreements, provide the ability to physically protect production data in a simple manner. And with services like Datica, even the smallest startup can now provide a minimally acceptable physical security requirement.
The bigger problem remains: Many digital healthcare startups believe that using one of these services along with annual training is all that is needed to be HIPAA compliant. Given the claims many infrastructure providers continue to make, that’s not surprising. But digital health companies must be careful. Meeting even HIPAA’s most basic requirements needs much more. So what should you consider?
The Rise of HITRUST Certifications
I’m admittedly surprised at the number of startups I hear talking about plans to become HITRUST certified. HITRUST, increasingly popular as the compliance standard used by major healthcare organizations, is a significantly higher lift than meeting the basic HIPAA requirements. So is HITRUST certification a realistic aspiration for a digital health startup?
My advice for any company is to learn to walk before you run. While HITRUST certification will certainly improve your security posture, for a very young organization this may be like taking your SATs while you are still in elementary school.
That said, no matter the size – or age – of your digital health company, you need a strong HIPAA-based information security and compliance program. How you implement and maintain that program makes the difference between a successful audit, by OCR or any regulatory organization, or an unsuccessful one. HITRUST requires a level of compliance above and beyond HIPAA and HITECH, and this may well be overkill for the average smaller startup, both from a budget and business operations standpoint.
Preparing for the HITRUST Journey
It may be that your clients require HITRUST certification. If that’s the case, get organized before starting. Gathering the correct evidence for a HITRUST audit means developing, documenting and managing an information security, risk and compliance program. This is something you are probably doing already. In review:
- Put policies and procedures in place
- Train staff regularly
- Manage and track compliance documentation
- Conduct security risk assessment and audits
- Manage and track assets
- Gather evidence of above to prepare for your HITRUST certification
To complete the HITRUST certification process you must use the HITRUST proprietary myCSF application. The HITRUST assessors use myCSF to upload and cross-reference documents for review. Optimally, your current compliance management system helps you efficiently manage your compliance program activities and workflow, necessary for any regulatory audit or risk assessment. For HITRUST, that can help simplify the process of quickly getting assessors what they need such as training records, policy sign-offs and data audit records.
Digital health startups, check your budget, take a deep breath, and decide. Granted, if you’re working with major health plans such as United Healthcare or Anthem, you may not have a choice. HITRUST certification may be a condition of doing business with them. The path to HITRUST Certification begins with HIPAA and HITECH compliance. Mandate or choice, the starting point is the same.
For details on the HITRUST security framework, download our whitepaper.
Ostendio helps healthcare companies and medical device manufacturers improve security, reduce risk and demonstrate compliance through its cloud-based security platform, MyVCM. Visit us at https://www.ostendio.com