Why Healthcare is Hard: Privacy
Healthcare privacy typically only makes the headlines when something bad happens.
A great example is the recent lawsuit against Google and the University of Chicago Medical Center who are accused of not doing enough to de-identify data from patients’ medical records that was being access by a new tool being built to “create predictive models that could help prevent unplanned hospital readmissions, avoid costly complications and save lives.”
If a technology behemoth like Google can be caught off guard by privacy requirements, it highlights the importance for any company in healthcare to make privacy a core competency and understand how it impacts their business model.
Why Is Privacy Important?
From STDs to diabetes, there are a variety of conditions that are very personal. We all want the things that we share with our doctor in confidence to be treated privately and not broadcasted to the universe.
We have all had to sign release forms filled with legalese about privacy in the waiting room, which few people neither understand nor take the time to fully read. Those forms are required by Health Insurance Portability And Accountability Act (“HIPAA”) for good reason: to provide standards for security and data privacy with the goal of keeping your medical and health information safe and only shared with those you authorize. This is a very good thing for you and me as patients.
How Privacy Impacts Business Relationships
Companies must adhere to HIPAA’s guidelines closely (another good thing). Let’s say you have diabetes and want to use an app to track your blood glucose data. You may notice a check box with a link to “Terms of Service” that very few people read while signing up for the app. Checking that box often provides the technology company permission to access your data and should also state that they will do their best to keep your information safe and only share it with people or companies that you authorize.
The American Medical Association and the American College of Obstetricians and Gynecologists have called out new regulations proposed by the Department of Health and Human Services to ensure that the limitations on how health providers and payers can use and share medical records also applies to consumer apps.
If your physician adopts technology that requires access your Protected Health Information (“PHI”) from your Electronic Health Record, your doctor will require that technology company to sign another legal document called a Business Associate Agreement (“BAA”) to ensure that they will protect your information and to agree on what would happen if there were to be a security breach.
“Privacy in healthcare is like an obnoxious older brother who annoys the sh*t out of you most of the time but is there to protect you if someone else tries to mess with you.”
- Actual quote from a practicing physician
This Sounds Like a Great Opportunity To Make My Attorney Rich!
Yes, there can be a lot of lawyering. One of the reasons it is tough to bootstrap a healthcare startup are the legal costs that a company must incur to understand how privacy applies to the nuisances of their business, especially if your company is trying to sell to large organizations like payers, pharma companies or large health systems. You could easily spend thousands of dollars on legal fees just negotiating privacy terms, which are typically separate from business term negotiations (what they are going to pay for your service).
Hope Is Not a Strategy
Due to the time and legal costs, it has been not uncommon for me to hear from other startup leaders over the years that they just signed their customer’s BAA documents “as is,” without having an attorney review them. They often shrugged their shoulders, saying they hoped it would not bite them in the tail down the road. Depending upon what obligations were buried in the BAA, one security hiccup could then crater most of these businesses because they did not have the right protections.
Privacy requirements are not going away, nor will they get any easier in the future. Because of the rise in healthcare data breaches, many groups are asking for even more stringent requirements than HIPAA’s standards.
How Privacy Impacts Digital Health Implementation & Outcomes
Let’s assume you make it past the legal hurdles and move into the implementation of your product. Many companies learn early on that they are limited in their ability to use your personal health data in ways they may have hoped, which often impacts their ability to deliver the desired outcome.
For example, many companies in the chronic disease arena take responsibility for driving recruitment and enrollment of their product. These companies will run multi-channel campaigns leveraging phone calls, email, mail, texts, etc. to make you aware of their program that is being sponsored (paid for) by your physician, insurance company or employer.
Let’s say your payer is launching a new Diabetes Prevention Program (DPP) focused on helping at risk members lose weight. People often qualify for these DPPs based on their weight or body mass index (BMI). With the exception of a letter in a sealed envelope, they often cannot mention that you “qualify” for a diabetes prevention program in any of those messages with the rationale being that someone else could see it.
Weight and BMI can be very personal, so it is good that your spouse won’t see a postcard and have an excuse to bring up that bag of chips you slaughtered while watching the big game the night before. BUT, how likely would you be to respond to any generic wellness message (phone call, postcard, text message, etc.) if it is not personal to you?
I recently worked with a startup focused on engagement that was coming into healthcare from the education space. After meeting with a prospective customer’s attorneys, they questioned their ability to drive the same results in healthcare when they were forced to “water down” their messages to meet the customer’s privacy requirements. Herein lies a big challenge that many healthcare startup companies face in trying to scale while also trying to tackle big problems, like reducing obesity or improving diabetes.
Treating Privacy As An Asset
All of this should be enough to make your head spin and hopefully does not scare away would-be healthcare entrepreneurs. Privacy in healthcare is very important to us as patients, which is why protections, like HIPAA, are in place. Having a firm understanding of privacy and security (again, its own topic) within your company can become a huge asset that will help you avoid landmines and save on legal fees in the long run, while also giving you more credibility in the eyes of large prospective customers.
Strategy For Approaching Privacy
For early stage companies or entrepreneurs thinking about dipping their toes in the healthcare waters, it is important to start by answering a few key questions:
- What Personal Health Information you will need to access in order for your business model to be successful (if any)?
- How do the privacy restrictions impact the assumptions baked into your data or business model? Can you mitigate them and still deliver on your desired outcomes?
- Who will you need to partner with (payers, health systems, etc.) to get access to the right data (if anyone)?
- What legal review (cost) will be required for your business model to be successful and scalable? How much can your attorney teach your team?
Pro Tip: Keep a running log of your most frequently negotiated privacy terms and create a Privacy Playbook for your team to know which terms you can give on and which are not negotiable. In addition to making your team better educated, your playbook will save you time and attorney fees over time. At a prior company, our team built up the playbook to be able to handle as much as 80% of privacy terms in an agreement, leaving only the most complex issues for someone with a law degree. Don’t know where to start? Start with the redlines from the last five BAAs your team (or attorney) negotiated.
If you have made it this far, the importance of making privacy a core competency should hopefully be pretty clear. The examples above really just scratch the surface of this topic.
What privacy obstacles has your company overcome?
