As healthcare enters a new technological era, many technologies are being adopted in the health sector, and Medtech startups are emerging and developing at an increasing rate.

One of the critical assets that any Medtech startup relies on is the health information collected from its users or patients.

For personal information in general, specific laws and regulations have been implemented to ensure that it is protected as much as possible against the increasing number and variety of threats.

But what about the protection of health information in particular?

Considering the delicate nature of this information, Medtech startups must be regulated by laws that ensure the maximum coverage and protection of sensitive patient information.

This article will address the Health Insurance Portability and Accountability Act (HIPAA), the United States legislation that provides data privacy and security provisions for safeguarding medical information, and its limitations, if any.


What is HIPAA?

HIPAA was created in 1996 to improve the portability and accountability of health insurance coverage for employees between jobs, to combat fraud and abuse in health insurance and healthcare delivery, and more.

Since its creation, HIPAA has been amended to develop regulations that protect the privacy and security of individual health information.

In 2003, the HIPAA Privacy Rule was created to establish national standards to protect individual health information. Among other things, these standards give patients more control over their health information, set boundaries on the use and release of health records, and establish appropriate safeguards that healthcare providers and others must meet to protect the privacy of health information.

The Privacy Rule also defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”

According to HIPAA rules, covered entities are health plans, healthcare clearinghouses, and healthcare providers that electronically transmit any health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards.

In 2005, the HIPAA Security Rule came into force to establish national standards to protect individuals’ electronic protected health information (ePHI).

While HIPAA established the rules that healthcare entities were required to follow, it wasn’t until the Enforcement Rule was created in 2006 that penalties were defined for failures to comply with the law. The Enforcement Rule also enabled the relevant authorities to investigate and bring criminal charges against companies not complying with HIPAA.

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was created to encourage the adoption of electronic health records.

The Breach Notification Rule was created to require covered entities and their business associates to provide notification following a breach of unsecured PHI.

In 2013, the Final Omnibus Rule was added to fill gaps in the existing HIPAA and HITECH regulations, specifying, for example, the encryption standards that need to be applied.


Limitations of HIPAA

HIPAA regulation sets standards for the exchange of PHI between covered entities and business associates. A business associate is an organization hired by a covered entity that handles or comes into contact with PHI in any way.

But what about entities outside the scope of the covered entities defined in HIPAA?

Nowadays, health information is being collected from consumers through mobile apps and platforms that are not required to be compliant with HIPAA. Consequently, the ways in which this health information is stored and shared have created many gaps in the law, and a loophole that people with malicious intentions can take advantage of.

Because HIPAA defines and limits the entities subject to its rules, many entities outside the scope of the “covered entities” can acquire health information without being governed by the regulations implemented in HIPAA, which is considered a downside of the law.

It is important to add that new changes to HIPAA are expected in the coming year.