HIPAA for dummies

We sat down with attorney-turned-entrepreneur Chas Ballew to get his take on what HIPAA compliance means for digital health companies. Catch Chas at CES’ Summer Summit Health Innovator’s Bootcamp dropping knowledge on HIPAA and everything startups need to know about working with patient data.

What do healthcare startups need to know about HIPAA?
HIPAA is the federal regulatory scheme that protects the privacy and security of patient health data. Not every digital health startup is subject to it, but most are. And nearly all of the really interesting, high-impact data is regulated.

The most important thing for a startup is to make something people want, which likely means working with that high-impact data. Startups need to experiment and iterate to find out what works and what doesn’t, so access to data is key.

Emerging companies in healthcare need to be able to convince other entities to trust them with patient data. HIPAA liability is linked, like a chain. A security breach for a startup is a security breach for their upstream customers, like hospitals, physicians, and insurers. Sophisticated large entities (like Kaiser, Aetna, Mayo Clinic, etc.) are stringent about not exposing themselves to risk from startup partners who haven’t thought seriously about security, privacy, and compliance.

So HIPAA compliance is important for its own sake, but doing it fast and well can give startups a powerful competitive advantage in sales.

What do you wish was different about HIPAA?
I wish there was more guidance and more objective implementation standards for developers. The basic mandate of HIPAA’s Security Rule is to implement “reasonable and appropriate” measures to protect the security and privacy of patient information. Who decides what is “reasonable and appropriate”? Ultimately, the Office for Civil Rights. HHS has decided to keep the Security Rule subjective, in order to promote scalability and flexibility, but in reality it leads to ambiguity and confusion.

Here’s an example: HHS has issued guidance on encryption. Encryption implementation isn’t HHS’s strong suit, so their guidance relies on a NIST publication for implementation guidelines for SSL/TLS. That NIST publication was withdrawn in March of 2013 and was not replaced until more than a year later.

Why is that important? SSL/TLS is the “s” (meaning “secure”) in “https.” It’s how we verify the identity of other computers on the Internet. The Heartbleed vulnerability in the news recently was an exploit of a bug in a commonly used implementation of SSL/TLS. It’s a critically important piece of technology for the cloud, and unfortunately it is easy to mess up. It’s important to have good, relevant guidance on how to implement SSL/TLS correctly. We have that guidance now, but when Heartbleed was disclosed, we had nothing current. Similarly, there is no official guidance on whether we need to review historical logs for evidence of newly discovered vulnerabilities—or what constitutes acceptable application-level and system-level audit controls.

I worked in government and I know there are serious barriers to innovation and leadership, especially when you’re trying to lead in a field that moves as fast as technology. That said, I think we can do more to foster certainty and clarity for developers working in healthcare.

What are your predictions for digital health, security, and the regulatory environment over the next few years?
I drink the Kool-Aid. I believe Marc Andreessen when he says that software is eating the world. If incumbents don’t adapt, they’ll be eaten by newer, more agile companies that make clean, usable software in the cloud.

Healthcare today still looks a lot like healthcare 30 years ago. We are at an inflection point in digital health where healthcare delivery will look shockingly different in 5 years for many of us. Soon there will be people who have never seen rows of filing cabinets behind their doctor’s reception desk. Simultaneously we’ll see a corresponding increase in the frequency and severity of breaches, a massive increase in cloud security spending, and the expansion of federal and state information security regulations into new areas, like educational records.

We need smart people working on our hardest problems. My goal is to make it easy for great developers to work in healthcare. I see that need continuing for a long time.

Chas is an attorney and CEO of Aptible, an application deployment platform that makes HIPAA compliance easy for developers. Get the details about patient privacy at CES’ Summer Summit Health Innovator’s Bootcamp during his HIPAA session for startups, covering everything software engineers need to know about working with patient data. See the full agenda on everything from open federal data to payment transformation here.