When advising a startup that is building technology in the healthcare space, attorneys should be aware of rules and regulations that can have a major impact on how the product must be built and how it can be sold to customers.

The HITECH Act, as implemented by the 2013 Omnibus Rule, revises the definition of a “business associate” so that a company must follow HIPAA regulations if it creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered entity (a hospital or other provider, a health plan, or a health care clearinghouse), and it extends that obligation to any subcontractor of a business associate that will have access to PHI.

Steps to Mitigate Risk:

One way to help your client avoid HIPAA liability altogether is to de-identify all health information.  This is one method of making PHI unusable, unreadable, or indecipherable to unauthorized individuals, and once PHI has been de-identified in accordance with the HIPAA Privacy Rule it is no longer PHI and therefore no longer subject to the HIPAA Privacy and Security Rules.  The standard for de-identification is § 164.514(a): health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, is not individually identifiable health information.  There are two ways to establish that health information has been de-identified: an expert determination under § 164.514(b)(1), in which a qualified expert documents that the risk of re-identification is very small, or the Safe Harbor under § 164.514(b)(2), which requires removing eighteen enumerated identifiers of the individual and of the individual's relatives, employers, and household members (names; geographic subdivisions smaller than a state, except the first three digits of a ZIP code where the area sharing those three digits contains more than 20,000 people; all elements of dates other than the year, and any age over 89; telephone and fax numbers; email addresses; Social Security, medical record, health plan, account, certificate, and license numbers; vehicle and device identifiers; URLs and IP addresses; biometric identifiers; full-face photographs; and any other unique identifying number, characteristic, or code) and having no actual knowledge that the remaining information could identify the individual.  In the startup world, the cost of an expert determination makes the Safe Harbor the better option if de-identification is possible at all.  For profile-based software that must follow an individual over time, stripping these identifiers can be a serious design hurdle; § 164.514(c) does permit a re-identification code, provided it is not derived from information about the individual and the mechanism for re-identification is not disclosed.  Advising your clients early on the benefits of building the technology without identifying information can substantially ease the burden of complying with HIPAA.
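The Safe Harbor rules above translate directly into code. The following is an added example, not code from the original article or from any product it describes, showing how a record from a constructed profile-style schema would be reduced to what § 164.514(b)(2) allows to remain: direct identifiers dropped, dates cut to the year, ZIP codes truncated to three digits (with "000" for small-population prefixes), and ages over 89 collapsed to "90+" together with the birth year that would reveal them. The `PatientRecord` fields and the three entries in `restrictedZIP3` are assumptions for illustration; a real deployment must load the full, current small-population prefix list derived from Census data.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// PatientRecord is a constructed, profile-style record of the kind a
// health-tech product might keep. The field set is illustrative only.
type PatientRecord struct {
	Name        string
	Email       string
	Phone       string
	MRN         string // medical record number
	ZIP         string
	BirthDate   time.Time
	AdmitDate   time.Time
	Diagnosis   string // ICD-10 code; not itself a Safe Harbor identifier
	LabResultMg float64
}

// SafeHarborRecord keeps only what § 164.514(b)(2) permits to remain.
type SafeHarborRecord struct {
	ZIP3        string // first three ZIP digits, or "000" for small-population prefixes
	BirthYear   int    // 0 means suppressed (patient aged over 89)
	AgeBucket   string // exact age up to 89, "90+" otherwise
	AdmitYear   int    // dates keep only the year
	Diagnosis   string
	LabResultMg float64
}

// restrictedZIP3 lists three-digit ZIP prefixes whose combined population is
// 20,000 or fewer, which Safe Harbor requires to be reported as "000". The
// entries here are illustrative assumptions; load the full current list in practice.
var restrictedZIP3 = map[string]bool{"036": true, "059": true, "102": true}

// zip3 truncates a ZIP code to its first three digits and applies the
// small-population rule. Anything that is not a plausible ZIP becomes "000".
func zip3(zip string) string {
	zip = strings.TrimSpace(zip)
	if len(zip) < 3 {
		return "000"
	}
	prefix := zip[:3]
	for _, c := range prefix {
		if c < '0' || c > '9' {
			return "000"
		}
	}
	if restrictedZIP3[prefix] {
		return "000"
	}
	return prefix
}

// ageOn returns the whole years elapsed from birth to asOf.
func ageOn(birth, asOf time.Time) int {
	age := asOf.Year() - birth.Year()
	if asOf.Month() < birth.Month() ||
		(asOf.Month() == birth.Month() && asOf.Day() < birth.Day()) {
		age--
	}
	return age
}

// Deidentify applies the Safe Harbor rules to one record. Name, Email, Phone
// and MRN are simply not copied; the remaining fields are generalized.
func Deidentify(r PatientRecord, asOf time.Time) SafeHarborRecord {
	age := ageOn(r.BirthDate, asOf)
	out := SafeHarborRecord{
		ZIP3:        zip3(r.ZIP),
		BirthYear:   r.BirthDate.Year(),
		AgeBucket:   strconv.Itoa(age),
		AdmitYear:   r.AdmitDate.Year(),
		Diagnosis:   r.Diagnosis,
		LabResultMg: r.LabResultMg,
	}
	if age > 89 {
		out.AgeBucket = "90+"
		out.BirthYear = 0 // the year alone would reveal an age over 89
	}
	return out
}

func main() {
	asOf := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	r := PatientRecord{ // constructed sample input
		Name: "Jane Doe", Email: "jane@example.com", Phone: "212-555-0100",
		MRN: "MRN-00042", ZIP: "10001",
		BirthDate: time.Date(1930, 5, 1, 0, 0, 0, 0, time.UTC),
		AdmitDate: time.Date(2023, 3, 10, 0, 0, 0, 0, time.UTC),
		Diagnosis: "E11.9", LabResultMg: 7.2,
	}
	fmt.Printf("%+v\n", Deidentify(r, asOf))
}
```

Note what the code cannot do: Safe Harbor also requires that the organization have no actual knowledge that the remaining fields could identify the individual, so a rare diagnosis combined with a three-digit ZIP may still need review even though it passes this routine.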

Another way to mitigate potential HIPAA liability is to follow the HIPAA encryption guidance.  As the HHS guidance issued under the HITECH Act states, “While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by §13402 in the event of a breach.”

Under that guidance, encryption renders PHI unusable, unreadable, or indecipherable to unauthorized individuals only if the electronic PHI has been encrypted as specified in the HIPAA Security Rule (§ 164.304), by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key,” and the confidential process or key that might enable decryption has not been breached.  The guidance points to NIST publications for encryption processes judged to meet this standard: NIST Special Publication 800-111 for data at rest, and SP 800-52, 800-77, and 800-113 for data in transit.  The second condition is the one startups most often get wrong in practice: if the key is stored or backed up alongside the encrypted data, an attacker who takes the data takes the key with it, and the safe harbor does not apply.


Understanding how HIPAA privacy regulations may now apply to startup clients entering the healthcare IT software space is essential to limiting your client’s potential liability.  One option is complete de-identification of the information, through the Safe Harbor requirements or an expert determination, which takes the data outside HIPAA entirely.  The other is to point your client to the encryption methods specified in the NIST publications referenced by the HHS guidance; note that this creates only the functional equivalent of a safe harbor from breach notification, while the Privacy and Security Rules continue to apply to the encrypted PHI and to the keys that protect it.  The earlier in the process clients become aware of these requirements and how they can mitigate the risk, the more easily they can adjust the design of their technology to ease the burden of compliance.