HIPAA is Not a Mud-Covered River Animal


Garrett McAnulla

The rigors of starting a biotech company are many, and range from the mundane to the scientific. The comparatively recent notion of “biotechnology” itself — manipulation of nature at the nanoscale to produce breakthrough drug treatments — makes for a business venture that uniquely intermingles mind-opening wonder and stomach-clenching risk.

At its core, a biotech startup needs a stupendously marvelous idea (no pressure). But the startup’s brilliant raison d’être, that painstakingly developed, humanity-saving pill, must also meet a clear and broadly acknowledged public need, one shared by a large enough swath of humanity that the prospective market for the product compels investors to kick the tires and climb aboard.

The biotech stats can be sobering. Roughly 90% of drug candidates that make it as far as human clinical trials never receive the FDA’s blessing, or approval as it’s officially known. Under the best of circumstances, it can take years or decades for the R&D in the lab to manifest as a money-maker in the medicinal marketplace. In the meantime you’ll be stepping carefully through a minefield: protecting your intellectual property, navigating a bewildering regulatory environment, and maintaining a brain surgeon’s unblinking focus despite the competition’s constant yapping at your heels. Good luck with that last one. Biotech is a business venture the faint-hearted are advised to avoid. In the biotech startup realm, every climb has to reach the summit; all else is failure. Significantly, failure itself is a recoverable condition, whereas fear of failure is a chronic cause of self-sabotage in the high-wire act that is a biotech startup. As has been noted, though, true innovation takes flight where the innovators are willing to fail.

The Small Big Deal

There is one biotech startup component where failure is literally not an option.

In the storm of To-Do’s associated with launching a biotech, one absolutely crucial detail can go undetected, or its importance dangerously underestimated and pushed aside for later consideration. We’re talking about medical privacy and HIPAA. HIPAA, the Health Insurance Portability and Accountability Act of 1996, is an enforceable federal statute whose Privacy Rule and Security Rule govern the confidentiality, integrity and availability of individually identifiable health information, known as protected health information or PHI. The Privacy Rule covers PHI in any form, paper included; the Security Rule adds specific administrative, physical and technical safeguards for PHI that is stored or transmitted electronically. The law binds “covered entities” (health plans, health care clearinghouses, and providers that transmit health information electronically) and their “business associates.” A biotech that receives PHI from a hospital, clinic or health plan typically does so as a business associate under a written business associate agreement, and inherits the same obligations as the entity that handed it the data.

The confidentiality you expect between you and your physician is backed in law by HIPAA’s Privacy Rule, and we can all be grateful that medical confidentiality is as legally sacrosanct as it is. But that privacy mandate requires an extra layer of careful deliberation from the biotech startup whose database houses PHI. Compliance is a property of the organization rather than of any single product: it rests on documented administrative, physical and technical safeguards, and the database is simply the point where the risk is most concentrated. A database built to HIPAA’s standards is therefore essential to protect the biotech startup from a ruinous, legally actionable breach of its individually identifiable data. What exactly does a HIPAA-compliant database look like?

HIPAA, also known as the Kennedy–Kassebaum Act, was signed into law in 1996, as it became clear that electronic record-keeping and electronic claims processing would become the standard. Electronic records can be copied, transmitted and aggregated in ways paper never could, so they needed a statutory and enforcement framework to compel the same degree of privacy and confidentiality such personal records had always enjoyed. The Privacy Rule and Security Rule that supply that framework were issued in the years that followed under HIPAA’s Administrative Simplification provisions.

Information Age Diligence

Today’s biotech startup is arguably burdened by the informational free-flow that defines today’s ecosystem of electronic communications and storage. The biotech’s founders and stakeholders need to fully understand just how delicate and explosively litigious the issue of medical privacy is, and the scale of the responsibility being assumed. Attackers constantly evolve ways to defeat even sophisticated cyber defenses and steal protected information from mobile devices, laptops and servers alike. The fledgling biotech company needs to take very seriously the danger of a breach that exposes private medical information, and do everything it can to prevent it.

The sanctity of individually identifiable data needs to be unanimously understood by the biotech’s relevant stakeholders, those chosen few who work with the private data in question, and a constant degree of diligence maintained. In the event of a breach, the buck truly stops with the biotech: HIPAA’s Breach Notification Rule requires that affected individuals and the Department of Health and Human Services be notified, and a business associate must also report the breach to the covered entity it serves. Common intrusions, such as malware delivered in a legitimate-looking email, must be defended against by technical controls and by an office and lab culture of acute user vigilance. Vendors that touch PHI must likewise sign a business associate agreement, be vetted and trained, and be made to understand the gravity of HIPAA privacy compliance.

Perhaps most importantly, the biotech startup needs to take concrete steps to limit in-house private data access to only those individuals who absolutely need to work with the private data. This is what the Privacy Rule calls the “minimum necessary” standard. Even in an environment of innate trust and deeply shared purpose, the concern isn’t malfeasance or deliberate wrongdoing, but a widening, and therefore weakened, circle of access to sensitive personal data. The broader the access, the greater the exposure. Less is much more in the world of the HIPAA-compliant database.

Within that subset of company users who must work with individually identifiable health records, a database with a highly articulated permissions structure, ideally one based on the Principle of Least Privilege, will have as its default an absolute bare minimum of access, with persona-specific privileges widening only incrementally. The same discipline applies to the application and service accounts that connect to the database, not just to people, and every access to PHI should be logged, since the Security Rule requires audit controls over systems that hold electronic PHI. Such databases may be produced in a no-code or low-code model, and in a customizable design format that further enables the biotech to tailor the database to its unique processes and security concerns.
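As an added example (it is not code from the original article), the following PostgreSQL statements sketch the permission structure just described: a default-deny schema, a de-identified view for analysts who never need names, column-level grants for coordinators who need identity but not diagnoses, an insert-only service account, and individual logins that inherit a persona role rather than owning anything. The schema, table, column and role names are assumptions chosen for illustration.

```sql
-- Added example, not from the original article: a least-privilege layout for a
-- PostgreSQL database holding individually identifiable health data.
-- All schema, table, column and role names below are illustrative assumptions.

CREATE SCHEMA phi;

-- 1. Default-deny: nothing is reachable through the implicit PUBLIC role,
--    including tables created in this schema later on.
REVOKE ALL ON SCHEMA phi FROM PUBLIC;
ALTER DEFAULT PRIVILEGES IN SCHEMA phi REVOKE ALL ON TABLES FROM PUBLIC;

-- 2. The table that actually holds identifiers.
CREATE TABLE phi.participant (
    participant_id  bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    full_name       text NOT NULL,
    date_of_birth   date NOT NULL,
    mrn             text NOT NULL,              -- medical record number
    diagnosis_code  text NOT NULL,              -- e.g. an ICD-10 code
    enrolled_on     date NOT NULL DEFAULT current_date
);

-- 3. Persona roles with narrowly scoped privileges (NOLOGIN: nobody
--    authenticates as a persona directly).

-- Analysts see only a de-identified projection: no name, no MRN, and the
-- year of birth instead of the full date (full dates are identifiers under
-- the Privacy Rule's Safe Harbor de-identification method; the year is not).
CREATE ROLE analyst NOLOGIN;
CREATE VIEW phi.participant_deid WITH (security_barrier) AS
    SELECT participant_id,
           date_part('year', date_of_birth)::int AS birth_year,
           diagnosis_code,
           enrolled_on
      FROM phi.participant;
GRANT USAGE  ON SCHEMA phi            TO analyst;
GRANT SELECT ON phi.participant_deid  TO analyst;
-- The view runs with its owner's privileges, so analyst can read the view
-- while holding no privilege at all on phi.participant itself.

-- Study coordinators may read identifying columns, but not the diagnosis,
-- and may not modify anything.
CREATE ROLE coordinator NOLOGIN;
GRANT USAGE ON SCHEMA phi TO coordinator;
GRANT SELECT (participant_id, full_name, date_of_birth, mrn, enrolled_on)
    ON phi.participant TO coordinator;

-- The enrollment service only ever adds participants; it cannot read the
-- table back.  Authentication (password or client certificate) is configured
-- separately in pg_hba.conf and is omitted here.
CREATE ROLE enrollment_svc LOGIN;
GRANT USAGE  ON SCHEMA phi      TO enrollment_svc;
GRANT INSERT ON phi.participant TO enrollment_svc;

-- 4. People inherit a persona; widening access means granting another
--    persona, never granting table privileges to a person directly.
CREATE ROLE alice LOGIN;
GRANT analyst TO alice;

-- 5. Checks to run as alice (SET ROLE alice; in a superuser session):
--    the first query succeeds, the second fails with
--    "permission denied for table participant".
-- SELECT birth_year, diagnosis_code FROM phi.participant_deid LIMIT 5;
-- SELECT full_name FROM phi.participant LIMIT 5;
```

Two design points are worth noting. First, the revocation from PUBLIC comes before any table exists, and the ALTER DEFAULT PRIVILEGES line keeps that true for tables added later, so a new table is unreadable until someone deliberately grants access. Second, the de-identified view is the only object the analyst persona can see, which means a compromised analyst credential yields no names or MRNs at all; combined with PostgreSQL's statement logging on the phi schema, that gives both the minimum-necessary access and the audit trail the Security Rule expects.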

It’s fair to say that a biotech startup originates not with starry-eyed dreams of a financial windfall — but with an altruistic desire to address suffering. A biotech is unique for being an intrinsically people-centered mission, however numerous the moving parts, or exhausting the sweat equity required to reach the goal. How much more important, then, that we move mountains to protect those individuals whose deeply private contributions are key to the project’s ultimate success, and to the health and happiness of its beneficiaries?