This article first appeared in mHealthNews on August 12, 2014.


There has been a lot of talk in Congress recently about whether government security and privacy regulations are inhibiting innovation. In meetings held by the House Energy & Commerce Committee, some have cited HIPAA specifically as a reason why small businesses are failing to innovate and are, in essence, giving up.

For the most part, HIPAA regulations are simply a way to force businesses to follow sensible security and privacy practices. Of course, regulations are rarely perfect and can often overreach, but HIPAA does a reasonable job of steering clear of setting specific technical standards and often refers out to industry best practices, such as those published by NIST. Nevertheless, there are some who say they’re maintaining compliance just for the sake of keeping government bureaucrats happy.

Developing a robust information security posture should be a priority for any business, especially one that stores a lot of sensitive data. This may include financial information, employee records, proprietary source code or technology trade secrets, not to mention any customer data it may hold. All of this should be protected to a reasonable standard because, as history has shown, not everyone behaves responsibly.

Unfortunately, this underlying rationale seems to get lost in the debate over regulation. If you replaced the term “HIPAA” with “minimum security standard” in most of these debates, you’d see what I mean. Try making the argument that entrepreneurs are failing to innovate because of the burdens imposed by trying to maintain a “minimum security standard,” and suddenly it doesn’t sound so righteous. Most people would agree that a minimum security standard is the least an organization should achieve – even a startup.

On the other side, as I have written before, attempting to simply obtain HIPAA compliance without a view to implementing a more holistic information security framework can actually result in the organization becoming less secure overall. If a breach occurs, the lack of a holistic information security framework will leave you culpable regardless of how many HIPAA audits you may have passed. So beware of quick fix solutions that promise to get you “HIPAA compliant.” While better than nothing at all, they are by definition insufficient.

Taking all of this into account, it is still too easy for businesses to simply ignore these regulations. Understandably, entrepreneurs are not necessarily experts in security compliance or privacy regulations, but many still claim to be compliant despite making little to no effort to be so. They pay lip service to the regulations because the chances of a healthcare startup being audited by the OCR are slim to none. While the OCR has announced it is conducting 1,200 audits over the next 24 months, there are nearly 800,000 healthcare companies in the U.S. That means companies have only a 0.15 percent chance of being randomly audited. And since most of the audits will be conducted on the larger institutions, it’s unlikely that many SMB health tech companies are losing sleep worrying about getting an OCR letter in the mail.

Indeed, the number one reason that new businesses seek help with compliance is to meet a standard set by a prospective customer, rather than from any fear of government enforcement. And even then, their objective is often to simply get over the bar imposed, however low or high it may be set.

The irony here is that the best time to start developing a security framework is when building the company, since it’s easier to implement standard best practices at the outset than to try to change mid-flow. If security is a part of the innovation rather than an add-on at a later time, it can actually be a competitive advantage. It’s like putting together a unit from IKEA without the directions, only to find extra nuts or bolts remaining. Then later, you find that the unit is wobbly, and now it requires additional parts to strengthen it. This is the approach many organizations have taken: put it together quickly (innovation) and then brace it (security) when needed. Starting at the beginning also helps ingrain security into the corporate culture, rather than making it a change that has to be forced.

That is not to say that HIPAA does not need some work. While more providers and vendors are moving data to the cloud, the current regulations governing them were written long before such an option existed. While regulation invariably falls behind technological advances, it catches up over time. Here’s an example of one such project to help improve the guidelines for health data stored in the cloud.

Entrepreneurs should also know that HIPAA is not the only regulation they need to be aware of. The Federal Trade Commission (FTC) has started to issue enforcement actions in the healthcare domain, using an arcane antitrust law that prohibits “unfair or deceptive acts or practices in or affecting commerce” – essentially stating that companies have a duty to abide by a reasonable privacy policy and that a failure to do so is in effect a breach of fair trade practices.

In conclusion, it’s difficult to see how HIPAA can be blamed for stifling innovation, since for the most part it’s being ignored, along with the sensible and robust information security policies it is meant to encourage. But while start-ups seem to be getting a free pass for the moment, they should know that this is changing and that greater regulatory enforcement is coming both from OCR and from other regulatory agencies. And far from being an impediment to innovation, these changes should be embraced, as they will help level the playing field for the many responsible companies who are already proactively investing in protecting their customers’ data.

Grant Elliott is the founder and CEO of Ostendio, a Virginia-based information security compliance company. Prior to founding Ostendio, he was the chief operations officer and chief information security officer at Voxiva, responsible for building the Text4baby and Text2quit mobile solutions. He also worked for AT&T, Concert Communications and British Telecom.