HIPAA in a PRISM World
I spend a significant amount of my time as CTO of RxAssurance working with our partners to insure that patient information, commonly referred to as Protected Health Information (or PHI), will never be exposed to anyone other than the individual and the care providers that they have granted consent to. We deal with all types of healthcare executives: the pragmatic, the optimistic, those who wear large tin foil hats and those who are attached at the hip to their legal counsel when it comes to HIPAA.
HIPAA is scary. Not so much because of the bar for securing information that the mandate sets, but for the penalties it levies when a violation occurs. What most don’t know is that the majority of violations have had nothing to do with actual networks and software. Most violations come as a result of misplaced or stolen storage devices, mishandled paperwork and careless front desk processes.
Regardless of the lack of a signature online breach, the burden still remains on us service providers to continuously prove ourselves when it comes to securing patient/provider data. Having worked in this environment for a decade, I can navigate the waters of HIPAA with little difficulty. Despite my proficiency at building compliant solutions, it still remains the biggest stress to our’s and other’s engineering teams.
Knowing what I know, I have to ask: Isn’t a government who can freely spy on its own citizens, yet enforces a declaration that PHI must be protected at every corner, actively practicing hypocrisy.
If the NSA can tap freely into all internet communications, this means PHI that is not on an internal network, disconnected from the public internet that we all use everyday, can be intercepted even if we, as technology providers, take every possible precaution to protect it. Hello tin foil hats, here’s your kerosene.
Many of my colleagues and I are squarely in the camp that believe that technology can and must be used to shift the healthcare model into greater sustainability. Healthcare costs are not sustainable. There is no magic bullet solution for what ails the industry. Dozens of solutions, mostly in technology, are needed to offset waste in healthcare. My current venture, RxAssurance, directly addresses medication adherence, which on its own represents more than $200 billion in potential annual savings.
With the technology shift, platforms to share and pass data between services and providers are essential. This necessary change cannot happen without an industry willing to break out from behind an internal network. The revelations about the NSA’s secret surveillance program PRISM do nothing to help us with moving the healthcare industry in the right direction. If anything, recent developments have brought back to the surface many concerns that we have worked for years to quell.
When it comes to PRISM, there are a litany of issues that the US government will have to answer. We in emerging healthcare technologies hope that the clarity we all demand on PRISM will eventually lead to greater clarity for HIPAA as well.
It’s amazing how much further you can get from a potential investor, especially VCs, if you approach them asking for input. Of course, given their position as rainmakers in the startup world, they are constantly showered with requests to talk. Those talks are often about how great the entrepreneur’s business is and why the investor should give them money.
Of course it’s easy to see how going into that talk looking for feedback first is a refreshing change of pace. More importantly, by asking for input first, you are showing the investor that you are interested more in the value they bring to the company outside of the capital.
I know personally, I’d rather invest in the entrepreneur who is looking to maximize the value of every relationship, understanding that money is the oxygen necessary to run the race, but winning comes down to the strategy of choosing the right pace at the right time. I also want to be in an investor pool that adds value, not one that just writes a check.