How I learned to stop worrying and love HIPAA

Greg Detre, published in We are Big Health, May 16, 2016 (4 min read)

I can still fondly remember when I thought a HIPAA was the most dangerous animal in Africa. Then I learned it only has one ‘P’, which might as well stand for ‘paperwork’. Two years on, I see HIPAA as a well-crafted and pragmatic set of regulations that have helped us build up our data security and privacy approach. And though it’s my job to continue worrying, I now worry in a much more structured way.

From http://www.hippoprint.co.uk/quality_next_day_printer.html

We’re a software startup that helps people with sleep and mental health problems. We channel the best ideas and evidence from the psychological literature to provide help and advice.

Just as a pharmaceutical company runs extensive trials and amasses evidence, so do we. Just as pharma companies need to worry about the potential side-effects of their pills, we worry about the potential side-effects of data security breaches. On the one hand, cognitive behavioral therapy doesn’t cause headaches or diarrhea — on the other hand, little white pills don’t need operating system security patches.

The HIPAA regulations protect the security and privacy of health data in the US. We’ve spent a busy two years writing policies and upgrading our security to meet and exceed these requirements. In this set of guides, I’ll outline some of HIPAA’s core principles, and how to approach HIPAA compliance for other digital health startups. I’ll simplify, but provide a starting point.

Which data needs to be protected?

Firstly, you need to know which data are covered by HIPAA.

If there’s a payor involved (usually health insurance or a company health plan) or a health provider (a doctor’s office or hospital), the data collected is covered under HIPAA. Notably, this means that when selling directly to consumers, that data is not covered under HIPAA. [The ‘HI’ in HIPAA stands for ‘Health Insurance’.]

HIPAA focuses on Protected Health Information (PHI), that is, health data that’s identifiable. Mostly, the characteristics of identifiable information are obvious: if your data contain names, email addresses, phone numbers, bank accounts, SSNs, medical record numbers, then it’s identifiable. But even IP addresses, dates & times, URLs, photographs and biometric identifiers make it identifiable. So your webserver logs, profile information, message queues, error logs, and lots of other logs contain identifiable information. [Make sure to read about all 18 identifiers].

Note that if you can disconnect the identifying information from the health information, it’s not PHI any more. So an EEG readout on its own is not PHI, assuming it can’t be identified (though it’s probably not very useful either). In practice, you need your health information to be identified for it to be useful, and that identified information then needs to be protected.
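To make the point about logs concrete, here is an added example (my illustration, not code from Big Health) that scans constructed web server and application log lines for a handful of the identifier classes named above and redacts them before the lines go anywhere less protected. The regexes cover only IP addresses, email addresses, phone numbers and dates, not all 18 identifiers, and the log lines are made up for the example.

```python
import re

# Constructed sample log lines (not real traffic): an access log entry, an
# application error, and a worker status line with no identifiers at all.
SAMPLE_LOG_LINES = [
    '203.0.113.42 - - [16/May/2016:10:02:11 +0000] "GET /sleep-diary?user=alice@example.com HTTP/1.1" 200 512',
    'ERROR 2016-05-16 10:03:05 insomnia-score failed for phone +1-555-010-4242',
    'INFO worker=3 queue=cbt-sessions processed 17 items',
]

# An illustrative subset of the HIPAA identifier classes, chosen for this
# example. None of the patterns use capturing groups, so findall() returns
# the whole match.
IDENTIFIER_PATTERNS = {
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+?\d{1,2}[-\s]?\d{3}[-\s]?\d{3}[-\s]?\d{4}\b"),
    # Apache-style 16/May/2016 and ISO 2016-05-16 dates
    "date": re.compile(r"\b\d{2}/[A-Za-z]{3}/\d{4}\b|\b\d{4}-\d{2}-\d{2}\b"),
}


def find_identifiers(line):
    """Map identifier class -> list of matched strings found in one log line."""
    found = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(line)
        if matches:
            found[name] = matches
    return found


def redact(line):
    """Replace every matched identifier with a bracketed class label."""
    for name, pattern in IDENTIFIER_PATTERNS.items():
        line = pattern.sub(f"[{name.upper()}]", line)
    return line


def lines_with_identifiers(lines):
    """Count how many lines would be PHI-bearing if tied to health data."""
    return sum(1 for line in lines if find_identifiers(line))


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(find_identifiers(line))
        print(redact(line))
    print(lines_with_identifiers(SAMPLE_LOG_LINES), "of", len(SAMPLE_LOG_LINES), "lines carry identifiers")
```

The scanner is deliberately simple: its job is to show that two of three ordinary-looking lines already carry identifiers, which is the reason logs belong inside the PHI boundary rather than outside it. A production redactor would need the full identifier list and far more careful patterns.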

From http://img.deusm.com/informationweek/2013/12/1112741/Security-Cartoon.jpg

Risk Assessment

Now that you know which of your data you need to protect, you need to run a Risk Assessment to determine your most dangerous risks. This is a deeply sensible idea.

Start by listing everything you’re worried about as a threat/vulnerability pair:

  • the vulnerability is the avenue, i.e. the flaw/weakness that could be exercised;
  • the threat is the agent.

For example:

  1. Risk = Password guessed. Vulnerability = Weak password set by user. Threat = Attacker.
  2. Risk = Unable to recover lost PHI in the event of a disaster. Vulnerability = Database backup corruption or failure. Threat = Environmental.

For each Risk, we assign it:

  • a Probability Score (1=Low, 2=Medium, 3=High);
  • a Criticality Score (1=Low, 2=Medium, 3=High);
  • a compound Riskiness = Probability × Criticality.

Then we rank by Riskiness, and define a Work Plan to mitigate each Risk, with an associated Timeline.
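The whole procedure, from threat/vulnerability pairs through scoring, ranking and a Work Plan, as an added example in Python. This is my illustration, not Big Health's tooling: the first two Risks are the ones from the text, the other two and all the scores are constructed, and the mapping from Riskiness to a Timeline is an assumption made for the example.

```python
from dataclasses import dataclass

# Score scale from the text: 1 = Low, 2 = Medium, 3 = High.
SCORE_LABELS = {1: "Low", 2: "Medium", 3: "High"}


@dataclass
class Risk:
    """One row of the register: a threat/vulnerability pair with its scores."""
    risk: str
    vulnerability: str
    threat: str
    probability: int
    criticality: int

    def __post_init__(self):
        # Reject scores outside the 1-3 scale so Riskiness stays comparable
        for name, value in (("probability", self.probability),
                            ("criticality", self.criticality)):
            if value not in SCORE_LABELS:
                raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")

    @property
    def riskiness(self):
        """Compound score: Probability x Criticality."""
        return self.probability * self.criticality


# Constructed register. Scores are invented for illustration; the text
# does not assign any.
EXAMPLE_REGISTER = [
    Risk("Password guessed", "Weak password set by user", "Attacker", 3, 2),
    Risk("Unable to recover lost PHI in the event of a disaster",
         "Database backup corruption or failure", "Environmental", 1, 3),
    Risk("Unpatched operating system on web server",
         "Security patches not applied promptly", "Attacker", 2, 3),
    Risk("Lost laptop containing PHI",
         "Unencrypted local copies of data", "Staff member", 2, 2),
]


def timeline_for(riskiness):
    """Assumed Timeline tiers for the Work Plan (not from the text)."""
    if riskiness >= 6:
        return "this quarter"
    if riskiness >= 3:
        return "next two quarters"
    return "review at next annual assessment"


def rank(risks):
    """Highest Riskiness first; ties broken by Criticality so a high-impact
    risk outranks a merely likely one of equal Riskiness."""
    return sorted(risks, key=lambda r: (r.riskiness, r.criticality), reverse=True)


def work_plan(risks):
    """Ranked list of risks, each with its Riskiness and an assumed Timeline."""
    return [
        {"risk": r.risk, "riskiness": r.riskiness, "timeline": timeline_for(r.riskiness)}
        for r in rank(risks)
    ]


if __name__ == "__main__":
    for entry in work_plan(EXAMPLE_REGISTER):
        print(f"{entry['riskiness']:>2}  {entry['timeline']:<20}  {entry['risk']}")
```

The register is the artefact you keep and revisit: when a mitigation lands, lower the Probability or Criticality score, re-run the ranking and the Work Plan reorders itself.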

HIPAA is pragmatic and flexible. It doesn’t prescribe exactly how to go about the Risk Assessment — this is just the method we’ve found that’s the right balance of rigor and hassle for us. HIPAA doesn’t tell you exactly what the Risks are, or how to mitigate them. It leaves that up to you. This flexibility is both a blessing and a curse — it provides more room for interpretation, but means that the same legislation can be applicable all the way from a two-person startup to a $2b hospital.

I do still worry — but the Risk Assessment helps me structure and prioritize my worries.

This is the end of Part 1. In Part 2, we’ll discuss documentation.

You can follow our publication ‘We are Big Health’ on Medium.

Resources

  1. Finally, the Help Me With HIPAA Podcast provides a discursive, playful introduction to many of the issues that IT professionals should consider.

Advisor and coach. Former Chief Data Scientist at Channel 4, co-founder of Memrise. Data Dig podcast host https://www.data-dig.com/