Special thanks to Stephen Klein and Tanvir Panjwani from CommonGoodIT for spending an hour with an esteemed group of digital health entrepreneurs talking about the ins and outs of HIPAA security for their start-ups. It was a really fun, interesting, and engaging discussion. Here are a few things that stuck out for me.
1. Business Associate Agreements Down the Stack
We spent some time talking about the importance of getting BAAs signed by every party that could theoretically have access to PHI (Protected Health Information), even including the cleaning service in your office. That got people wondering how they would actually do that, but Stephen made a good point: if there are unattended, unlocked computers in an office setting, there is a vulnerability, and it needs to be taken seriously.
2. Map out your PHI Flow
Tanvir was very helpful in stressing the importance of mapping out your PHI flow as a critical part of the planning process to identify points of variability. All projects should start with a process flow diagram, and HIPAA is no different. This includes endpoint vulnerabilities, from laptops to cloud storage, thumb drives and DVDs. Encryption. Encryption.
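One concrete way to turn points 1 and 2 into something you can re-run is to keep the PHI flow diagram as data and check it automatically. The script below is an added example written for this post, not code from CommonGoodIT, Stride or the speakers: it models each edge of the flow diagram as a hop, and flags outside handlers with no BAA on file and any hop where PHI is not encrypted in transit or at rest. The company name, the two vendors and the flows are constructed sample data.

```python
"""Minimal PHI data-flow inventory with BAA and encryption checks (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Hop:
    """One movement or resting place of PHI: an edge in the process flow diagram."""
    source: str
    destination: str
    handler: str                # organization that controls the destination
    in_house: bool              # True when the handler is your own company
    baa_signed: bool            # only meaningful for outside handlers
    encrypted_in_transit: bool  # for removable media: file encrypted before copying
    encrypted_at_rest: bool     # disk/bucket/media encryption at the destination


def check_hop(hop: Hop) -> List[str]:
    """Return the compliance gaps for a single hop (empty list means no finding)."""
    findings = []
    if not hop.in_house and not hop.baa_signed:
        findings.append(f"no BAA with {hop.handler} ({hop.source} -> {hop.destination})")
    if not hop.encrypted_in_transit:
        findings.append(f"PHI unencrypted in transit ({hop.source} -> {hop.destination})")
    if not hop.encrypted_at_rest:
        findings.append(f"PHI unencrypted at rest on {hop.destination}")
    return findings


def audit_flows(flows: List[Hop]) -> Dict[str, List[str]]:
    """Group findings by handler so each party's action items appear together."""
    report: Dict[str, List[str]] = {}
    for hop in flows:
        gaps = check_hop(hop)
        if gaps:
            report.setdefault(hop.handler, []).extend(gaps)
    return report


def parties_missing_baa(flows: List[Hop]) -> List[str]:
    """Every outside party touching PHI that still needs a signed BAA (point 1)."""
    return sorted({h.handler for h in flows if not h.in_house and not h.baa_signed})


# Constructed sample inventory; "Acme Health (us)" is the hypothetical start-up,
# the two vendors are placeholders, none of this is real infrastructure.
SAMPLE_FLOWS = [
    Hop("patient intake form", "app database", "Acme Health (us)", True, False, True, True),
    Hop("app database", "object storage bucket", "ExampleCloud (hypothetical vendor)",
        False, True, True, True),
    Hop("app database", "nightly backup DVD", "Acme Health (us)", True, False, True, False),
    Hop("analyst laptop", "thumb drive", "Acme Health (us)", True, False, True, False),
    Hop("app database", "email support tool", "ExampleDesk (hypothetical vendor)",
        False, False, True, True),
]


if __name__ == "__main__":
    print("Parties needing a BAA:", parties_missing_baa(SAMPLE_FLOWS))
    for handler, gaps in audit_flows(SAMPLE_FLOWS).items():
        print(handler)
        for gap in gaps:
            print("  -", gap)
```

On the sample data the report flags the unencrypted backup DVD and thumb drive on the in-house side and the support-tool vendor with no BAA, while the cloud vendor with a BAA and encryption on both sides produces no finding. Physical-access parties such as the cleaning service do not appear as a flow, so keep them on a separate BAA list; the point of the script is that the diagram, not someone's memory, is the source of truth.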
3. Documentation is the Name of the Game
No one is perfect and there will be times when processes break down. The most important thing to do is document the issue and the remedy plan to avoid it in the future. This is a muscle to flex that gets stronger if you hold a standard of doing this with consistency.
4. PHI is PHI
One of the attendees stressed their observation that there are not gradients of more or less important PHI. PHI is PHI and needs to be protected, whether it is a name or a list of the prescription meds they are taking. Just because you’re a hot consumer health start-up, if you have PHI because of your relationships with a Covered Entity, you need to take precautions.
5. Setting up Systems Includes Training
As Stephen said, managing computer systems is a lot easier than managing people, and it is often people who create the vulnerabilities. We are human after all. Therefore, training, and documentation of that training, is critical, and it needs to be repeated with some frequency (meaning once and done doesn’t cut it).
When your organization has the discipline to store PHI safely and securely, it conveys a different level of credibility in the eyes of your customers. When you understand (and show empathy for) the risks that your client faces, they appreciate that you are working equally hard to protect them too.
So go forth and be HIPAA awesome. CommonGoodIT can provide you, at a fraction of the cost of bringing someone in-house, a HIPAA compliance and security foundation that will let you sleep very well at night. If you want to reach Stephen, you can do so at stephen@commongoodit.com.
At Stride, we wanted to bring this topic to the forefront because accounting, HR and IT are core pillars of the organizational backbone. Together, we deliver a very comprehensive, cost-effective, and confidence-building capability so that you can focus on changing the world. Let us help you get there. Reach out to us at hello@stride.services anytime to discuss how we can support you.