When HIPAA was made law, there was no technological advancement in the health sector the likes of what we have today. There were no smartphones, no tablets and certainly zero cloud computing. Today, healthcare innovation is almost synonymous with computing technology breakthroughs.
Our healthcare has become so dependent on technology that if there were a loss of mobile connectivity, it would create a crisis. Not too long ago, the only other outage that threatened to distort the rhythm of healthcare institutions was a power outage. Times have truly changed. But the regulations have not been able to catch up with the pace at which technology is marching.
The biggest thing standing in the way of a digital health explosion that produces the results we’re hoping for is HIPAA compliance (second is probably healthcare data interoperability).
As a patient with a chronic illness, I would say that the vast majority of patients would gladly get rid of HIPAA if it meant more healthcare innovation. There’s a running joke where patients hope their data gets hacked by those that would try to figure out what’s wrong with them. But for now, this regulatory barrier exists so let’s talk about how to deal with it.
When an app is deemed to require HIPAA compliance, it skyrockets the price of backend infrastructure. At a minimum, you need HIPAA-compliant hosting, which includes heavier data encryption, security audits, a dedicated server, and separation of Protected Health Information (PHI) from the rest of your data, and other precautionary measures. On Amazon Web Services, last I checked, in order for them to sign a BAA (Business Associate Agreement) effectively a seal of approval stating your instance is HIPAA-complaint, starts out at $2000 per month.
HIPAA compliance drives up costs
When you’re talking about launching an MVP, $2000 a month just for hosting can be a complete dealbreaker when you’re looking at $20 / month on Digital Ocean right? For awhile, Truevault was really friendly to early-stage startups, allowing them to pay a fee for each transaction, but have since switched over to AWS-level pricing with a base plan of $2500 a month. In short, there’s no cheap way to have HIPAA compliance, so the first thing you should figure out is if your app requires it!
Does every health app need to be HIPAA compliant?
Fortunately, just because you’re a health app doesn’t mean that you need to adhere to HIPAA privacy and security laws. The true test is whether you will be sharing health info with a Covered Entity. A Covered Entity means anyone who provides treatment, payment, and operations in healthcare. These include doctor’s and dentist’s offices, psychologists, health plans, insurance companies, HMOs, and more.
When HIPAA technically doesn’t apply to you:
- You store health data on your website or app and you don’t share it with a covered entity, instead of Patient Health Information, what you’re dealing with is called Consumer Health Information. Alternatively, you do share it with a covered entity, and you fully de-identify it before sharing it. Note that there are caveats here: just because you don’t share the data with a covered entity, doesn’t mean the end-user won’t. You have to cover this edge case. Also, you really should put in additional safeguards for the data in case you get hacked. At minimum, put the patient data (those with personal identifiers) in an isolated database from the rest of the data.
- You store health metrics that aren’t considered health data, so they’re not considered PHI. For example: calories burned, steps taken, or distance covered. This is how the wearable companies all get away with it, but I imagine once hospitals are using wearable data the loophole will no longer exist. But just follow the lead of the big players — you won’t go down before they do.
If you do decide that you need a HIPAA-compliant backend, the names I’ve researched and found to be reputable are Truevault, AWS, Google Compute Engine (part of Google Cloud Platform), Aptible, and Catalyze. There are too many pros and cons to fit into this blog so I won’t do that.
The Best Solution is Less HIPAA
HIPAA was a law written during a time before digital health and EMRs were a reality. Get this: 68% of patients want their medical records and personal data to be more private, but 78% of patients who own wearables want their doctors to have access to health data from these devices. See the big disconnect? It’s largely because HIPAA has given patients the option of overprotection, and in an age where all the websites you use are selling your data, of course, you’re going to pick that option.
I also believe that if patients knew that HIPAA was getting in the way of research, they’d gladly toggle off some privacy. Perhaps patients think researchers aren’t doing enough to use their data, but one of the most common complaints I get from researchers is lack of pilot data, and direct access to patient-facing technologies would allow them to do pilot studies on the cheap and improve chances of getting larger follow-up grants. HIPAA is such a huge cost that app makers don’t have a good financial incentive to share it freely with researchers. Instead, they’re more likely to share it with payers like hospitals and insurance companies.
It’s time for the HIPAA law to meet patients and innovators halfway
Lawmakers need to realize that times have changed and the way health service delivery operates today is way different from what it was over two decades ago. If healthcare data sharing and management regulations remain the same, it will slow down the ability of the healthcare industry to meet the rising demand for lifesaving services. It can lead to missed opportunities to save more lives and have a healthier population.
A healthy population is a working population. A working population earns money and keeps the economy going. Even if many don’t realize, the backbone of our society is our very wellbeing. So someone better take a stand and start having the tough conversation on how the healthcare industry can embrace the digital revolution without sacrificing patient safety and privacy, as well as prevent innovation from stalling. Not a comfortable conversation, but it must be done.