Until this summer, a significant subset of U.S.-based healthcare entrepreneurs were unable to legally use one of the most fundamental, integral, and efficiency-boosting development tools out there: Amazon Web Services (AWS).
That’s because any healthcare startup that electronically transmits an individual’s health information needs to comply with a set of laws from the Health Insurance Portability and Accountability Act (HIPAA). These laws, enacted in 1996, require that certain health information be protected by a set of privacy procedures and security safeguards for electronic transfer.
The trouble was that Amazon Web Services was unwilling to abide by the set of procedures needed to engage with companies that are required to be HIPAA compliant. There is a common contract called a Business Associate Agreement (BAA) that goes along with HIPAA compliance, and Amazon wouldn’t touch it.
But it’s not just Amazon. The same reluctance was true of so many other vendors and services that health care entrepreneurs are eager to use (like HubScout, Survey Monkey, and BugSnag, to name a few). Over the last few years, as the technical and operational bits and pieces of a startup have been increasingly outsourced to efficiency-creating vendors, the digital health sector has been at a disadvantage.
But today, September 23rd, 2013, a refresh on HIPAA officially goes live by way of a new piece of legislation called the HITECH Act. Among other things, like encouraging electronic medical record adoption, the new HITECH rules radically expand the definition of who needs to comply with a subset of the HIPAA rules. This changes the game, and because of it, many of the tools that have been off limits for certain health care entrepreneurs will now be fully accessible.
You see, there is a nuance in the HITECH rule. Let’s say you’re a vendor and the last thing on earth you want is to have protected health information anywhere near your service. You’d think that excuses you from becoming compliant, but it doesn’t. Under the HITECH rule, if any customer sends this information through a vendor (whether the vendor endorses it or not), and the vendor’s servers store this information, the vendor is subject to the HIPAA Security Rule. There is no mitigation of liability for an entity that refuses to enter into the requisite agreements that govern this relationship (again, called a BAA). In fact, a failure to enter into these agreements becomes a violation on its own.
Amazon sufficiently prepared for this moment, and as of June 18th, 2013, AWS started signing BAAs.