Why You Need to Prioritize HIPAA Compliance For Your Modern Data Infrastructure
If you handle customer health data in any capacity, your data infrastructure needs to be HIPAA compliant now — end of story. HIPAA compliance means obeying the many rules and criteria established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that dictate how businesses should handle patients’ protected health information or PHI. HIPAA compliance is important; in a survey of 140 healthcare leaders, just under 90% cited data security as an “Extremely” or “Very important” IT priority.
While many businesses see it as an afterthought or nice-to-have, HIPAA compliance isn’t optional if you care about maintaining your customers’ trust and, perhaps, more importantly, not breaking the law.
You Don’t Have a Choice: HIPAA Compliance Is the Law
You don’t get to choose whether HIPAA compliance matters to you; if you touch customer PHI at all, you have to be HIPAA compliant by law or risk committing HIPAA violations.
HIPAA violations often occur due to neglect and can be quite costly, with different penalty tiers depending on whether it was non-intentional or willful. You face up to a $50,000 fine per violation, with an automatic max fine imposed for willful neglect cases — where you know you’re doing it and continue to do it anyway. For example, say your business has 100 users and commits a HIPAA violation, knows about it, and chooses to do nothing. At $50,000 per violation and 100 violations, that’s a $5 million penalty you’d now face.
To date, as of Oct. 20, 2021, the Department of Health and Human Services’ Office for Civil Rights (OCR) has settled or imposed a civil money penalty in 101 HIPAA violation cases, resulting in a total dollar amount of $131,060,482. And in just 2020 alone, the OCR issued more penalties than any other year since they were given authority to enforce HIPAA compliance, collecting $13,554,900 to settle 19 cases. Depending on the size of your company and your appetite for risk, HIPAA violations could put you out of business.
You Have to Deliver What You Promise to Users
When you tell your users that you manage their data in a certain way, that’s the promise you make to your users. If that promise is that you take their PHI seriously, but then you don’t do so — that’s breaking their trust.
For customer-facing healthcare companies and consumer healthcare services like online pharmacies and telehealth or teletherapy providers — and all the B2B SaaS companies that service them — that’s a major concern. Many of our prospects and customers are part of this industry. These businesses will often say they’re HIPAA compliant in their terms of service and privacy policies, but when we actually look at their software stack and where they’re sending customer data, we’ll find non-HIPAA compliant vendors more frequently than we’d like.
HIPAA compliance has to be up and down the stack. Something many businesses aren’t aware of is that when you share data with vendors that aren’t HIPAA compliant, that still constitutes a HIPAA violation. Anything that touches customer data or receives any identifiable information — including analytics solutions, your data infrastructure, help desk, scheduling tools, etc. — must be HIPAA compliant.
If you want to deliver on your promise to your users, you have to ensure that HIPAA compliance lives throughout your entire tech stack.
Prioritize HIPAA Compliance If It Aligns with Your Company Values
Do you view your company as one that takes the utmost care with your users’ privacy and sensitive information? Or would you rather not in order to make a quick buck? Promising HIPAA compliance just for show and not ensuring it at all levels of your data infrastructure shatters your customers’ trust in you. In contrast, showing your customers that you’re HIPAA compliant and prioritize their privacy builds that trust up and can become a major selling point for your company.
And that’s exactly what we’ve done with Freshpaint. We’ve been researching HIPAA compliance since May 2020 and have become fully HIPAA compliant ourselves in January 2021. Before that, we did the same thing — transforming a non-compliant software product into a HIPAA compliant one — at Heap Analytics, so we understand what goes into the process, both the technical and human components.
Basically, everyone who might potentially touch sensitive data has to understand the laws and how to act appropriately. We’ve been working with our customers and prospects to help them become HIPAA compliant and making sure that their terms of service and internal tools align with HIPAA compliance. We put HIPAA compliance first because it aligns with what we believe in as a company — protecting our customers and their customers.
How to Become HIPAA Compliant Today
As of now, you can become HIPAA compliant with or without Freshpaint: you can switch vendors or upgrade to become HIPAA-compliant with existing ones, build your own HIPAA-compliant tools — or use Freshpaint, the only HIPAA-compliant CDP on the market right now, as the core customer data platform at the center of your tech stack.
You have several options for HIPAA compliance:
- Switch tools: You can switch to vendors that are HIPAA-compliant, but the migration and adoption of new tools can be difficult and often more expensive.
- Sign a BAA: You can have your vendors sign a Business Associate Agreement (BAA) with you. This contract allows you to share PHI with the vendor by satisfying HIPAA regulations and creating a bond of liability between you, providing protection in case of a breach.
Vendors often charge a lot of money for a BAA — most require you to upgrade a tier or include add-ons in your existing package, but it can be worth the investment. If you’re just starting out and you need to be HIPAA compliant today or in the future, only choose vendors that will sign BAAs with you, so you don’t have to switch your infrastructure out when the time comes.
- Develop in-house: You can build your own HIPAA-compliant solutions, which can be time-consuming and expensive.
Freshpaint offers an alternative solution: replace the CDP hub at the center of all your tools with one that’s HIPAA compliant. Many companies use a core CDP like Segment to collect customer data and then fan it out to third-party services for marketing, product analytics, and more, but Freshpaint is the only HIPAA-compliant CDP on the market right now. We’re fully HIPAA compliant: our product and everything that powers it is HIPAA compliant, including all sub-processors and vendors we use, like AWS and Snowflake.
By choosing Freshpaint, you don’t have to change your entire infrastructure; we’ll help you become HIPAA compliant with the tools you already use. We’ll also sign a BAA with you. By doing so, we reduce the footprint of where our customers send PHI regardless of whether those tools are HIPAA compliant or not. Why share PHI with two vendors when you can share it with just one without limiting any of your tools’ functionality?
Some features that help us accomplish this involve controlling transmission of PHI across your stack, both in the format that it gets sent and whether it gets sent at all. First, we can hash PHI through ID masking and send it to your third-party vendor — this meets the safe harbor criteria for PHI de-identification. Additionally, we can block out certain pieces of metadata that get sent through Events by whitelisting or auto-blocking PHI properties before transmitting them to third parties. For example, we’ll only send the practitioner and visit type (online vs. in-person) to non-HIPAA compliant platforms.
HIPAA Compliance Isn’t as Hard as You Think
Many companies, especially those in their early stages, assume that becoming HIPAA compliant is too hard to care about now — but HIPAA compliance is actually easy. Just choose a tool that’s HIPAA compliant from the ground up to manage your customer data.
Some tools, like Segment, are easy to use but are not HIPAA compliant. Freshpaint has the same set of APIs as Segment and 1:1 functionality in almost all cases. Switching off Segment to Freshpaint, a HIPAA-compliant vendor, is as easy as finding and replacing items in your codebase and takes about half an hour in most cases.
Don’t ignore the elephant in the room — become HIPAA compliant from day one. Start your free trial with Freshpaint today.