The biggest thing standing in the way of a digital health explosion that produces the results we’re hoping for is HIPAA compliance (second is probably healthcare data interoperability).

As a patient with a chronic illness, I would say that the vast majority of patients would gladly get rid of HIPAA if it meant more healthcare innovation. There’s a running joke where patients hope their data gets hacked by those that would try to figure out what’s wrong with them. But for now this regulatory barrier exists so let’s talk about how to deal with it.

When an app is deemed to require HIPAA compliance, the price of backend infrastructure skyrockets. At a minimum, you need HIPAA-compliant hosting, which includes heavier data encryption, security audits, a dedicated server, separation of Protected Health Information (PHI) from the rest of your data, and other precautionary measures. On Amazon Web Services, last I checked, getting them to sign a BAA (Business Associate Agreement), effectively a seal of approval stating your instance is HIPAA-compliant, starts at $2000 per month.

When you’re talking about launching an MVP, $2000 a month just for hosting can be a complete dealbreaker when the alternative is $20 a month on DigitalOcean, right? For a while, TrueVault was really friendly to early-stage startups, allowing them to pay a fee per transaction, but it has since switched over to AWS-level pricing with a base plan of $2500 a month. In short, there’s no cheap way to have HIPAA compliance, so the first thing you should figure out is whether your app requires it!

Fortunately, just because you’re a health app doesn’t mean that you need to be HIPAA compliant. The true test is whether you will be sharing health info with a Covered Entity. A Covered Entity is anyone who provides treatment, payment, or operations in healthcare. These include doctors’ and dentists’ offices, psychologists, health plans, insurance companies, HMOs, and more.

When HIPAA technically doesn’t apply to you:

  1. You store health data on your website or app and you don’t share it with a covered entity. In that case, what you’re dealing with is not PHI but Consumer Health Information. Alternatively, you do share it with a covered entity, but you fully de-identify it before sharing. Note that there are caveats here: just because you don’t share the data with a covered entity doesn’t mean the end user won’t. You have to cover this edge case. Also, you really should put in additional safeguards for the data in case you get hacked. At minimum, put the personal identifiers in an isolated database, separate from the rest of the data.
  2. You store health metrics that aren’t considered health data, so they’re not considered PHI. For example: calories burned, steps taken, or distance covered. This is how the wearable companies all get away with it, but I imagine once hospitals are using wearable data the loophole will no longer exist. For now, just follow the lead of the big players — you won’t go down before they do.
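As an added illustration (not code from this post or from any of the vendors it names), here is one way to apply the two safeguards from the first point: keep direct identifiers in a store that is physically separate from the health data, link the two only by a random token, and build a de-identified copy before anything leaves your system. The in-memory dictionaries standing in for two databases, the list of identifier fields, the year-only date coarsening, and the HMAC-derived per-recipient pseudonym are all assumptions made for the example, not a legal definition of de-identification.

```python
"""Split storage and de-identification helpers (illustrative example)."""
import hmac
import secrets
from datetime import date

# Hypothetical stand-ins for two physically separate databases.
identity_db = {}   # token -> direct identifiers only
health_db = {}     # token -> health measurements only

# Fields this example treats as direct identifiers (an assumption, not a legal list).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address", "date_of_birth"}


def split_and_store(record):
    """Store one user's record across the two databases, linked only by a random token."""
    ids = {k: v for k, v in record.items() if k in DIRECT_IDENTIFIERS}
    health = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    token = secrets.token_hex(16)   # unguessable link; never derived from the identifiers
    identity_db[token] = ids
    health_db[token] = health
    return token


def health_store_has_identifiers():
    """Audit check: has any identifying field leaked into the health database?"""
    return any(k in DIRECT_IDENTIFIERS for rec in health_db.values() for k in rec)


def de_identify(token, recipient_key):
    """Build a shareable copy of one health record.

    Direct identifiers are dropped, any date is coarsened to its year, and the
    internal token is replaced by a pseudonym keyed to the recipient, so two
    recipients cannot join their data sets on a common id and neither can
    recover the token used inside our own system.
    """
    out = {}
    for k, v in health_db[token].items():
        if k in DIRECT_IDENTIFIERS:
            continue
        if isinstance(v, date):
            v = v.year
        out[k] = v
    out["subject_id"] = hmac.new(recipient_key, token.encode(), "sha256").hexdigest()[:16]
    return out


def export_for_recipient(recipient_key):
    """De-identify every stored record for one recipient."""
    return [de_identify(token, recipient_key) for token in health_db]


if __name__ == "__main__":
    # Constructed sample record, not real patient data.
    tok = split_and_store({
        "name": "Ada Example",
        "email": "ada@example.com",
        "date_of_birth": date(1980, 5, 1),
        "condition": "type 1 diabetes",
        "a1c": 6.8,
        "visit_date": date(2016, 3, 9),
    })
    print("health store clean:", not health_store_has_identifiers())
    print(export_for_recipient(b"research-partner-key"))
```

The `health_store_has_identifiers()` check is the kind of assertion worth running in CI against a staging copy of the health database: it catches the common regression where a new field quietly puts a name or e-mail back next to the health data.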

If you do decide that you need a HIPAA-compliant backend, the names I’ve researched and found to be reputable are TrueVault, AWS, Google Compute Engine (part of Google Cloud Platform), Aptible, and Catalyze. There are too many pros and cons to fit into this blog post, so I won’t go into them here.

The Best Solution is Less HIPAA

HIPAA was a law written during a time before digital health and EMRs were reality. Get this: 68% of patients want their data to be more private, but 78% of patients who own wearables want their doctors to have access to health data from these devices. See the big disconnect? It’s largely because HIPAA has given patients the option of overprotection, and in an age where all the websites you use are selling your data, of course you’re going to pick that option.

I also believe that if patients knew that HIPAA were getting in the way of research, they’d gladly toggle off some privacy. Perhaps patients think researchers aren’t doing enough to use their data, but one of the most common complaints I get from researchers is a lack of pilot data, and direct access to patient-facing technologies would allow them to do pilot studies on the cheap and improve their chances of getting larger follow-up grants. HIPAA is such a huge cost that app makers don’t have a good financial incentive to share their data freely with researchers. Instead they’re more likely to share it with payers like hospitals and insurance companies.

It’s time for the HIPAA law to meet patients and innovators halfway.