HIPAA, GDPR, CCPA Compliance for Telemedicine Start-ups

Non-compliance is very expensive. Organizations are stepping on thin ice when it comes to building applications that process Protected Health Information (PHI). There is a lot of overhead associated with building and implementing HIPAA-compliant systems. Understanding legal nuances and their technical implications is a mountain to climb. The risk of non-compliance with regulations is simply too high.
Since the HIPAA Enforcement Act, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been able to fine organizations that fail to implement the controls protecting healthcare data and the privacy of patients. Fines of up to $1.5 million can be issued for HIPAA violations, with that number multiplied by the number of years each violation has been allowed to persist. (HIPAA Journal)
The actual costs of HIPAA compliance are estimated at close to $8.3 billion a year, with each physician on average spending $35,000 annually for health information technology upkeep. (Medical Economics)

HIPAA is not the only regulation to consider when building applications. GDPR and the recently enforced California Consumer Privacy Act (CCPA) have vast implications across any personally identifiable information (PII). This creates a high barrier of entry for smaller organizations that process their consumers’ information.

The cost of GDPR is high: while 80 percent of those in a micro company (1-9 employees) expect GDPR compliance to cost their business under $50,000, 92 percent of those working at an enterprise (over 1,000 employees) expect GDPR compliance to cost their business over $50,000. (Help Net Security)

Under GDPR, fines for organizations that breach the rules can reach up to 20 million Euros (about $21.8 million), or up to 4% of a company group’s annual global turnover, whichever is higher. Even lesser infringements can cost a company 10 million Euros or 2% annual global turnover. (Compliance Week)

Encryption is a crucial element of privacy regulations. However, implementing cryptographic algorithms is time-consuming and many organizations do so properly. Smaller organizations have difficulties adapting to HIPAA-compliance quickly. Lawyers and audit companies charge a lot for guidelines to fulfill HIPAA-compliance. The technical team is left to introduce incremental changes that cost time and resources. Many organizations first build then try to adjust their systems to GDPR, HIPAA, CCPA compliance. Building from scratch while trying to comply with privacy regulations requires time and investment in technical and legal knowledge. SylLab API removes the burden of costly encryption and compliance adoption. The API provides not only highly usable data encryption but also a clear audit trail down to the level of a file’s lifecycle including PHI (Protected Healthcare Information). Encryption and auditing are important elements of HIPAA-compliance. SylLab Audit provides a very detailed overview of events associated with individual files and users. The data visualization provided by SylLab helps to understand the audit trail better. Our clients can monitor any suspicious activity and produce audit reports. Processing unencrypted and non-auditable PHI such as medical record numbers, e-mail addresses, and any unique identifiable numbers might turn out to be very costly. Amid the COVID-19 outbreak, there has been a significant surge in cyber-attacks. Telemedicine start-ups have a higher barrier to entry struggling to launch products that are secure and comply with privacy regulations. SylLab API is highly usable encryption and compliance tool that aims to lower this barrier and save time, money, and resources for emerging organizations.

1. Help Net Security
(https://www.helpnetsecurity.com/2018/04/13/gdpr-compliance-costs/)
2. HIPPA Journal
https://www.hipaajournal.com/
3. Compliance Week
https://www.complianceweek.com/data-privacy/study-expects-gdpr-fines-to-rise-in-2020/28325.article
4. Medical Economics
https://www.medicaleconomics.com/view/hipaa-what-cost