HIPAA Basics for Health Tech – Breach Notification Rule

The average cost of a data breach for U.S. health care companies is $6.45 million (or $429 per individual record), surpassing the global all-industry average. The Breach Notification Rule in HIPAA lays out specific criteria for what can legally be considered a breach, what organizations should do if a breach occurs, and what data holders can be held liable for after a breach happens. 

While the Breach Notification Rule applies to covered entities, business associates, and other business associate-type companies that fall under HIPAA, the steps to address breaches in this Rule can be considered best practices for any company holding protected health information (PHI).

If your business experiences a breach, you must notify affected individuals, the HHS Secretary, and, in certain situations, even the media.  This Rule defines breach as any unauthorized use or sharing of protected health information (PHI) that jeopardizes the security and privacy of a person’s information. This includes information that has been compromised, lost, or stolen as a result of unauthorized access by an employee, a third party, a ransomware attack, or other improper disclosures.

The Rule encourages businesses to utilize certain preventive encryption and destruction techniques on all their devices and software. The rationale is that taking these precautions should render any compromised PHI either unreadable or unusable by an unauthorized person. 

It is important to remember that HIPAA is not the only source of law that health tech companies need to comply with. The data privacy landscape is complex and changing constantly. For example, there are applicable federal rules from HHS on interoperability and information blocking practices and from the Federal Trade Commission on consumer protection. Further, every state has its own statutes which specify additional (or more stringent) compliance standards and procedures.

Unsure what your business needs to do to limit your potential liability around handling patient data? Elevation’s data privacy experts are ready to help your company navigate current and emerging data privacy requirements, identify areas of liability and institute safeguards to limit your exposure. 


HIPAA Basics for Health Tech – Security Rule

From a practical standpoint, the Security Rule is probably the most relevant section of HIPAA for health tech companies. The Security Rule operationalizes much of the Privacy Rule by setting standards for the security of the technology used to access, store, transmit, or process protected health information (PHI).

One of the most important things to understand about the Security Rule is that while it sets standards that must be met by CEs or health tech companies that qualify as BAs, it’s not overly prescriptive on how these standards must be met. Therefore, complying with the Security Rule is more of an exercise in reasonable risk mitigation than adhering to a checklist of specific practices and protocols.

The Security Rule outlines “required” and “addressable” specifications for administrative, technical, and physical safeguards, as well as for organizational and documentation purposes. 

For example, there are four required administrative specifications:

  1. Risk analysis
  2. Risk management
  3. Sanction policy
  4. Information system activity review

Under this Rule, companies are required to assess vulnerabilities and potential risks in their PHI-handling practices. Once those risks are established, they must implement protocols to mitigate them (such as sanctions against employees who violate the protocols). CEs and BAs must also have the technological capability to review employee activity while accessing PHI on the company’s various data platforms.

CEs and BAs may approach “addressable” specifications in whatever ways make the most sense for their business. For these choices it is vitally important that companies document the reasoning behind them.

Some general best practices to conform to the Security Rule’s addressable specifications include:

  • Limiting PHI collection, usage, and retention to only what is essential for successful business operations.
  • Aggregating data wherever possible to meet business goals and avoid HIPAA violations.
  • Periodically reviewing and updating security measures and documentation in response to environmental and operational changes that affect security of PHI.

Because portions of the Security Rule are open to interpretation, many health technology companies need to know what their unique situation requires to comply with HIPAA and avoid legal fines and penalties. Reach out to Elevation today—we have the expertise to confidently help your business navigate this regulatory landscape!


HIPAA Basics for Health Tech – Privacy Rule

HIPAA is the cornerstone of safely sharing health data in the U.S. Policy experts love to point out that the “P” in HIPAA stands for Portability not Privacy. The idea is that data portability cannot be realized without creating a safe data sharing environment. HIPAA’s main two rules—the Privacy Rule and the Security Rule—lay out the security and protection standards around protected health information (PHI). In this blog, we’ll cover the basics of the Privacy Rule and what it means for health tech companies.

The Privacy Rule is essentially the cornerstone section of HIPAA. It lays out the permitted uses and disclosures of PHI that Covered Entities (CEs), such as hospitals and providers, may make without additional authorization from patients. Generally, a CE is permitted (but not required) to use and disclose PHI without an individual’s authorization for the following purposes or situations:

  • Treatment, Payment, and healthcare Operations (commonly referred to as the “TPO” Exception)
  • Certain public interest and benefit activities, including:
    • When required by law
    • Public health activities (e.g. reporting certain communicable diseases such as TB to public health authorities)
    • Victims of abuse, neglect, or domestic violence
    • Health oversight activities
    • Judicial and administrative proceedings
    • Law enforcement
    • Research (under certain conditions)
    • Preventing or lessening a serious threat to health or safety
    • Essential government functions
    • Workers compensation

The Privacy Rule also details what is known as the Minimum Necessary Rule, which requires that CEs make a “reasonable” effort to disclose only the minimum necessary PHI required to achieve their purpose.

Today, health tech companies that fall under the HIPAA umbrella are called “business associates (BAs)” and must comply with HIPAA rules in order to avoid serious financial and legal repercussions and remain in business. The Elevation team can help your company navigate your responsibilities as a BA when handling PHI. In addition, we offer engaging and effective HIPAA courses that train health technology company staff to recognize PHI and keep it safe.

Stay tuned for our next blog, where we will break down the Security Rule and offer some best practices around the Security Rule for health tech companies. 


HIPAA Basics for Health Tech – Protected Health Information

The global COVID-19 pandemic has driven health care more into the virtual world at an unprecedented and historic pace, and the need to protect digital health data is now more pressing than ever. Does HIPAA provide the coverage to protect all health data currently being exchanged? The quick answer is no. However, understanding what HIPAA includes as “Protected Health Information (PHI)” is a fundamental concept for health tech leaders to grasp. HIPAA ONLY applies to PHI—not any other kind of information.

PHI is any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity. It can only be shared to provide health care services or secure payment for health care services. PHI can be in any form, including physical records, electronic records (often referred to as ePHI), or spoken information.

It’s important to note that PHI must be a combination of a personal identifier with some health information (anything about a person’s past, present, or future health, such as diagnoses, health care coverage, payment for medical services, lab results, etc.). There are discrete categories of information that qualify as personal identifiers:

  • Names
  • Dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  • Telephone/fax numbers
  • Geographic data/address
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (e.g. retinal scan, fingerprints)
  • Any unique identifying number or code

Under HIPAA, if health information is stripped of all identifiers that can tie the information back to an individual, it ceases to be PHI and the HIPAA rules no longer apply. However, the landscape is evolving to protect data beyond what is covered under HIPAA. Be aware of the new class of data protections that have already been passed in California and Virginia. For a full audit of the data protection laws that affect your health tech, reach out to the Elevation Team.
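As an added illustration (not code from this post or from Elevation), the Python below applies the identifier categories listed above to a patient record: direct identifiers are dropped, dates are reduced to the year, exact ages over 89 become “90+”, and identifiers leaking through free-text fields are redacted. The field names, regexes and the sample record are assumptions constructed for the example, not a schema HIPAA prescribes.

```python
import re
from datetime import date

# Assumed record schema: field names that map onto the identifier categories
# listed on the page (names, phone/fax, address, SSN, email, MRN, account and
# plan numbers, licenses, vehicle/device identifiers, URLs, IPs, photos,
# biometrics, any other unique code).  The naming is ours, not HIPAA's.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "address", "ssn", "email", "mrn",
    "account_number", "plan_beneficiary_id", "license_number", "vehicle_id",
    "url", "device_serial", "ip_address", "photo", "biometric", "other_unique_id",
}
# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
AGE_CAP = 89  # an exact age above 89 is itself an identifier

# Patterns for identifiers that commonly leak through free-text fields.
# Order matters: SSNs are redacted before the looser phone pattern runs.
_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"),
}


def find_identifiers(record):
    """Return the set of identifier categories still present in the record."""
    found = set()
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in DIRECT_IDENTIFIER_FIELDS:
            found.add(field)
        elif field in DATE_FIELDS and not (isinstance(value, str) and re.fullmatch(r"\d{4}", value)):
            found.add("date")  # anything more precise than a year
        elif field == "age" and isinstance(value, int) and value > AGE_CAP:
            found.add("age_over_89")
        if isinstance(value, str):
            for category, pattern in _PATTERNS.items():
                if pattern.search(value):
                    found.add(category)
    return found


def deidentify(record):
    """Strip the listed identifier categories and keep the health content."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop direct identifiers outright
        if field in DATE_FIELDS:
            if isinstance(value, date):
                out[field] = str(value.year)
            else:  # keep a four-digit year if one is present, else redact
                year = re.search(r"\d{4}", str(value))
                out[field] = year.group(0) if year else "[REDACTED-DATE]"
            continue
        if field == "age" and isinstance(value, int) and value > AGE_CAP:
            out[field] = "90+"
            continue
        if isinstance(value, str):
            for category, pattern in _PATTERNS.items():
                value = pattern.sub("[REDACTED-%s]" % category.upper(), value)
        out[field] = value
    return out


def is_phi(record):
    """True while any identifier category remains alongside the health data."""
    return bool(find_identifiers(record))


# Constructed sample record (fictitious values) for demonstration.
RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001",
    "birth_date": "1931-07-15",
    "admission_date": date(2021, 3, 4),
    "age": 92,
    "diagnosis": "Type 2 diabetes",
    "notes": "Follow-up call to 555-123-4567; labs emailed to jane@example.com on 2021-03-05.",
}
```

Running deidentify on RECORD keeps only the diagnosis, the years, "90+" and the redacted notes, and is_phi then returns False.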


HIPAA Basics for Health Tech – Introduction

If your company collects, stores, or exchanges health data, it is crucial that you understand the Health Insurance Portability and Accountability Act (HIPAA). HIPAA can be an intimidating topic but is fundamental to safely handling health data.  Over this blog series, we will break down and demystify important HIPAA terms that will equip you to better understand important data privacy concepts vital to successfully deploying your health technology.

Was HIPAA put in place to protect electronic data?

HIPAA was originally written and enacted in the mid-1990s. Even then—when the internet was in its infancy and before smart phones and broadband paved the way for the more diverse and sophisticated health tech landscape that exists today—it was clear that national standards were needed to protect and secure individuals’ personal health information regardless of whether it was in paper or electronic format. However, HIPAA does not cover every piece of information that organizations collect, store, or exchange. HIPAA only applies to what is called Protected Health Information (PHI), which we will explain further in our next blog.

What does “national standard” really mean? HIPAA is a federal law that sets a minimum standard for all 50 states. Some states also have complementary laws which create additional obligations and responsibilities for certain businesses and providers. Elevation can help you navigate the rules that apply specifically to your health tech platform.

So, who does HIPAA apply to?

HIPAA applies to three comprehensive categories of businesses and organizations, as follows:

  • First, “Covered Entities” (CEs)—this category includes a broad range of direct health care providers (e.g., health care professionals, hospitals, clinics, etc.), as well as health insurance companies and health information clearinghouses.
  • Second, “Business Associates” (BAs)—this category includes most tech vendors that create, receive, maintain, or transmit personal health information on behalf of CEs, or from other vendors (e.g., claims processing or administration, data analysis, quality assurance, billing, benefit management; practice management, etc.).
    • BAs are required to enter into what is called a “Business Associate Agreement” with the CEs/BAs they are sharing personal health information with. The Agreement is a contract that defines how PHI will be used and protected by the BA, as well as the consequences for any breaches or violations.
  • Finally, HIPAA also applies to companies that did not sign a BA agreement but otherwise meet the BA definition because they collect PHI from health care professionals, hospitals, health insurance companies, vendors, or other similar BAs/CEs.

In the coming blogs, we will break down what PHI includes, unlock the fundamental parts of HIPAA, and present important HIPAA compliance tips. Reach out to us if you or your organization need further HIPAA training or compliance help.


Virginia Leads U.S. Closer to National Consumer Data Laws

Last month Virginia joined California as the second U.S. state to enact comprehensive data privacy legislation—the Virginia Consumer Data Protection Act (CDPA). States are moving towards uniformity around privacy laws beyond HIPAA—mimicking Europe’s General Data Protection Regulation (GDPR). U.S.-based health tech companies should be preparing for the likelihood that we will see a similar national consumer data privacy law. It’s not a question of “if” but rather “when.” Federal data privacy bills have been introduced in Congress this year and are gaining more momentum than ever before.

“Privacy by design” approaches—where Health Tech companies anticipate early and incorporate thorough consumer rights and business obligations into their product and business model—will be key in becoming a market leader. Proactive efforts to align with these emerging privacy landscapes will save your company money and resources down the road, and help you avoid the onerous and expensive task of retrofitting later on. These laws are complex, so work with experts at Elevation if you do not have a regulatory team in house or if your in-house team is spread thin. To understand the direction of U.S. privacy laws, which are currently being led through state-based efforts, start with state regulations in California and Virginia. Below is an overview of the rights and obligations seen in the California and Virginia privacy laws.

Consumer Rights (California and Virginia)
  • Access personal information
  • Correct personal information
  • Delete personal information
  • Data portability
  • Opt-out of the sale of personal information
  • Right against solely automated decision-making
  • Opt-in to processing of “sensitive data”
  • Prohibition on discrimination against a consumer for exercising a right
  • Private right of action
  • Appeals process

Business Obligations (California and Virginia)
  • Strict opt-ins for sale of personal information for consumers under a certain age (16 years old in California; 13 years old in Virginia)
  • Notice/transparency requirements
  • Mandated risk assessment
  • Data minimization
  • Purpose limitation
  • Processing limitation
  • Third party sale notification
  • Security requirements
  • Fiduciary duty

GDPR – The EU Law that Affects US Health Tech

When should American Health Tech companies conform to non-US laws?

When your business collects data from individuals outside of the US: In the case of the General Data Protection Regulation (GDPR), which has been protecting European citizens since 2018, US companies must comply with GDPR if they potentially collect and store personal information about citizens in Europe. The penalties are hefty, especially since fines are multiplied for each individual affected.

When business partnerships are affected by international legal principles: In the health care sector, lucrative and long-term business partnerships depend on intentionality in how data is collected, stored, and shared. Data interoperability, coupled with appropriate data protection, will be the foundation for successful business development conversations—especially when scaling beyond regional deals.

When similar laws are on the horizon to be passed in the US: The recent proposed update to HIPAA, along with multiple GDPR-type laws at the state level, provides a strong indication that the US is moving toward federal data protection laws that mirror Europe’s GDPR.

GDPR-type laws stress “privacy by design,” a concept requiring businesses to display intentionality around the data they collect, the method of collection, and the security of their storage. Intentionality is a principle, especially around regulatory alignment, that could save the Health Tech industry billions each year as opposed to being reactive and retroactively fitting everything a few years down the line.

At its core, GDPR bestows eight basic rights on European citizens, which in turn create obligations for the businesses they interact with:

  • Right to access – Individuals have the right to request access to their personal data and to ask how their data is used by the business after it has been gathered. Business obligation: provide a copy of the personal data free of charge (and in electronic format, if requested).
  • Right to be forgotten – Individuals have the right to withdraw their consent from a business to use their personal data. Business obligation: delete all of the individual’s personal data.
  • Right to data portability – Individuals have a right to transfer their data from one service provider to another. Business obligation: provide the data in a commonly used and machine-readable format.
  • Right to be informed – Individuals have a right to know if their data is going to be gathered, and what data will be gathered, as well as a default right to opt in. Business obligation: get explicit and freely given opt-in consent from the individual prior to data collection.
  • Right to have information corrected – Individuals have a right to have their data updated if it is out of date, incomplete, or incorrect. Business obligation: if an individual requests such an update, the business must comply.
  • Right to restrict processing – Individuals can request that their data is not used for processing. Business obligation: the business can collect and store the individual’s data, but cannot use it for other purposes.
  • Right to object – Individuals have a right to stop the processing of their data for direct marketing. Business obligation: make this right clear to individuals in all communications and stop processing the individual’s data as soon as the request is received.
  • Right to be notified – Individuals have a right to be informed if there has been a data breach which compromises their personal data. Business obligation: provide this notice within 72 hours of first having become aware of the breach.

Have questions about what all this means for your specific health tech business and consumers? Reach out to us — we’d love to help!


HIPAA is Changing – Good News for Health Tech

HIPAA has been a brick wall for data access for health companies. Legitimate? Yes, we always want to protect health data. But we also want to use the data to improve care at the request of the patient. In December 2020, the federal government proposed several updates to HIPAA to encourage better data sharing between health care providers and health tech companies that “empower patients, improve coordinated care, and reduce regulatory burdens.” Here are the quick take-aways:

  • We have to start with a reminder that any updates to HIPAA will require your company to revise your policies and legal language, including your Notices of Privacy Practices, relevant operational processes, and affected Business Associate agreements. Don’t forget to retrain your staff too!
  • Once you have these administrative tasks out of the way, treatment providers will no longer have to obtain signatures from patients acknowledging they have been provided a copy of the provider’s Notice of Privacy Practices. They will have more freedom to disclose and discuss PHI with your company to improve patient care coordination and health outcomes.
  • If you provide auxiliary support or support community-based organizations offering auxiliary support to patients such as transportation, food or housing services that improve health outcomes, the requirements around data sharing with health care providers may be incrementally removed through modernized HIPAA, Interoperability, and Information Blocking rules.
  • Keep in mind that this is a proposed rule released under the Trump Administration. However, with the ONC Information Blocking Rule going into effect this spring, Biden’s team will have to remedy data access policy discrepancies quickly. So look out for a possible final rule in 2021.

In 2018, the EU implemented a law called the General Data Protection Regulation (GDPR) that protects all data collected on a person. The reality of increased care coordination efforts and payment programs beyond the provider space will likely accelerate us towards needing a national-level GDPR-type law to cover health data appropriately – stay tuned for more from Elevation on this topic!


Top Regulatory Changes for the 2021 Health Tech Landscape

As health tech companies solidify their budgets and agendas amidst the continued pandemic, they should consider these prominent health regulatory changes expected in 2021:

  1. HIPAA is getting a major update. The federal government released a HIPAA proposed rule allowing individuals to obtain their records from electronic health systems for free and electronically share their data across their providers. This is good news for ensuring more coordinated care. However, for providers and companies supporting providers, this will likely require major revisions of current HIPAA policy statements and partnership contracts.

  2. Health data will need to be shared in an interoperable way. Enforcement of the federal government’s twin 2020 regulations around data interoperability and information blocking will begin in early 2021. This means that if you are a provider, an entity supporting providers, or a company collecting and sharing health data, you will need to make sure your data platform design and business practices adhere to data, privacy, and sharing requirements.

  3. Telehealth and remote patient monitoring are here to stay…but say goodbye to certain provisions. During this global pandemic, the government, as our nation’s biggest insurer, agreed to pay for many health services to be provided remotely for the first time. This new remote-type care has been hailed a success by all involved – individuals, providers, and payers. However, as people get vaccinated and begin venturing out again, certain services that have better efficacy in person will no longer be covered remotely.

  4. Value-based care payments may leap forward. The newly minted Democratic Congress and Biden in the White House may mean a push toward enhancing Biden’s agenda to expand insurance access for individuals. Cost and transparency will be front and center. Health tech companies providing insight in improving care while decreasing health care spending will be key players.

In the coming weeks, we’ll be providing deeper insights on these topics to help health tech companies navigate 2021.


EHR Integration for Virtual Care: (Part 1) – Basic Lingo

Many virtual care platforms claim to be EHR integrated. But often, there are many versions of this truth. As many provider groups are currently looking for telehealth solutions that are EHR integrated, we wanted to provide some clarity around the fundamental elements that define EHR integration.

First, keep in mind that integrating with a single EHR system requires a combination of business agreements and technical capabilities. The owners of the EHR system, the EHR vendor, and the connecting application must all agree on what data is accessed, when, how, and by whom. This is a cumbersome business partnership process. Repeating this process for the plethora of EHR solutions is not realistic. As a result, it is important to ask “what EHRs are you currently integrated with?” because a single virtual care platform certainly will not be integrated with all EHR systems.

Next, it’s important to understand the nature of the integration. Not all integrations are created equal. Basic levels of integration can simply be EHR data scrapes from the previous day that are sent to the virtual care system. This may be limiting for providers seeing more acute patients who need more frequent management. The other option is real-time data access, which allows access to data on either side as it is entered. Terms like “future release” and “on our roadmap” are not guarantees, and depending on the relationship with the EHR vendor, application providers may have limited data control. References about other customers’ user experiences, from customers similar in size and specialty, are important to review.

Last, the direction of the data flow from application to EHR system is another important factor defining the extent of EHR integration.  Here are the three types and how that may affect a physician’s workflow:

  • Uni-directional: Here data flows from the application to the EHR as directed by the EHR vendor and must be verified by the EHR vendor before becoming part of the record. This may cause delays in data access for providers needing data more quickly.

  • Bi-directional: Here data within the virtual care system and the EHR communicate in a way that allows providers to interact with a single system without the need for duplicate information entry. This helps with faster diagnosing and lower prescribing errors. However, this option is technically more cumbersome to maintain and may cost more.

  • API-Based: Here data flows similarly to how a website works, with no permanent connections. It has the benefits of bi-directional data flow with easier sign-on and maintenance – which equals lower cost. API-based solutions are new but are becoming more standard, especially after the new data interoperability laws passed earlier this year. Look for FHIR-based API solutions, as they are becoming the standard in the healthcare industry.

The key to integration is to make the solution as frictionless for the provider to use as it would be to see a typical patient in person. The richer the integration, the more likely the providers are going to use it. At the same time, we should not let perfection prevent progress; start with a pragmatic approach to ensure that the solution will receive buy-in.

Our next blog will discuss EHR integration further by highlighting the top workflow areas where EHR integration is key. Stay tuned!