
Are You HIPAA Compliant?

Visit the website of almost any health sector startup or scale-up company and you will see claims of HIPAA compliance. For businesses in healthcare it is the accepted standard for the privacy and security of health information, and a critical factor in marketing health IT products in the U.S. But how many of these companies are truly HIPAA compliant? Are you, and what does it actually take to reach that objective?

Understanding HIPAA

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, was designed to improve the portability of health insurance coverage and, through its administrative simplification provisions, to standardize electronic health transactions and protect the information they carry. The 2009 HITECH Act expanded HIPAA's scope to encourage the adoption of health IT while tightening privacy and security requirements: it introduced the Breach Notification Rule, strengthened the Enforcement Rule, and made Business Associates directly liable for compliance.

Who Needs to Comply with HIPAA?

HIPAA applies to two main groups:

  1. Covered Entities: Healthcare providers, health plans, and healthcare clearinghouses.
  2. Business Associates: Vendors or contractors that create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of Covered Entities, including subcontractors of Business Associates.

For startups in healthcare technology, being a Business Associate means signing Business Associate Agreements (BAAs) with Covered Entities and subcontractors who handle PHI, establishing accountability at every level.

Key Components of HIPAA Compliance

  1. Privacy Rule: Defines national standards for the use, disclosure, and protection of PHI. It applies primarily to Covered Entities but extends to Business Associates through BAAs.
  2. Security Rule: Focuses on safeguarding electronic PHI (ePHI) through administrative, physical, and technical safeguards, and applies to both Covered Entities and Business Associates.
  3. Breach Notification Rule: Requires notification of affected individuals and the Department of Health and Human Services (HHS) following a breach of unsecured PHI, without unreasonable delay and no later than 60 days after discovery, and notification of the media when a breach affects more than 500 residents of a state or jurisdiction. A Business Associate must notify the Covered Entity so that the Covered Entity can meet these deadlines.
  4. Enforcement Rule: Strengthened by the HITECH Act, this rule governs compliance investigations and sets tiered civil penalties for violations.

Are You Really HIPAA Compliant?

From our experience working with startups and scale-ups, most executives answer "yes" when asked if they are fully HIPAA compliant. Many mistakenly believe that using a HIPAA-compliant cloud service provider is enough. Such a provider's BAA covers the infrastructure it operates, which helps meet some of the physical safeguards and a portion of the technical ones, but responsibility is shared: the startup remains accountable for the administrative safeguards and for everything it builds and runs on top of that infrastructure, including:

  • Establishing and maintaining policies and procedures
  • Conducting and documenting risk assessments
  • Performing regular audits and monitoring of access to ePHI
  • Implementing application-level technical safeguards (e.g., role-based access controls, authentication, audit logging, and encryption of ePHI in transit and at rest)

Cloud providers also offer little help with obligations under the HIPAA Privacy Rule. Permitted uses and disclosures, minimum necessary access, and individuals' rights over their records are commitments the startup makes in its own BAAs, and only the startup can fulfil them.

The Certification Misconception

Unlike an ISO 27001 certification or a SOC 2 attestation report, there is no HHS-recognized certification for HIPAA compliance. Some frameworks, such as HITRUST, map HIPAA requirements into their assessments and can provide independent assurance, but claims of compliance from small businesses are usually self-attestations, which can be subjective and inconsistent. When evaluating such a claim, ask what it rests on: a current risk assessment, written policies, evidence of monitoring, and signed BAAs with every party that touches PHI.

Why Compliance Matters

For Canadian companies selling to the U.S. healthcare market, HIPAA compliance is not just a contractual and regulatory requirement; it is a competitive differentiator. Genuine compliance:

  • Reduces privacy and security risk, and the breach-related costs and penalties that follow from it
  • Builds trust with customers and partners who must sign BAAs with you
  • Keeps PHI available for essential healthcare purposes, because availability is part of the Security Rule, not only confidentiality

Beyond Checkboxes: Real Compliance

Achieving HIPAA compliance requires more than a checklist approach. It means building systems and processes that protect PHI while supporting your business objectives. Partnering with experts and adopting a recognized framework that maps to HIPAA's requirements can set your organization on the path to genuine compliance.

Are you ready to take the next step toward protecting PHI and demonstrating your commitment to privacy and security? Start by evaluating your current safeguards against the Security Rule, documenting the gaps in your administrative, technical, and physical controls, and tracking their remediation.

Authors:

Patrick Lo, CEO, Privacy Horizon Inc.

Brendan Seaton, Principal, eHealthRisk Group