Aakash Shah is a founder and the Chief Executive Officer of Wyndly. Wyndly is a modern medical practice that specializes in helping allergy sufferers achieve allergy-free lives. Their team of doctors works with patients to develop a personalized treatment plan offering long-term allergy relief through clinically proven treatments, all from the comfort and convenience of your home. They've helped thousands of patients become allergy-free, and they participated in Y Combinator W21. He sat down with TeachMeHIPAA to discuss how to approach HIPAA when launching a healthcare company.
I strongly believe that the number one thing any founder can do is to iterate quickly. You have to iterate quickly if you ever want to find product/market fit. In healthcare, it's important to be aware of the laws and regulations, though I see many first-time founders get caught up on HIPAA to their detriment. I actually believe there is a very simple way to address HIPAA when you're first starting out: avoid it where possible, and be upfront and explicit with customers and partners about the data protections you do (and do not) have in place.
Validate your idea and build trust without HIPAA.
Here's an example: let's say you have an idea that people want to access puppy therapy online to treat mental health. Like a good founder, you go to where your customers are and say, "Hey, I think I have something that can help you. Do you want to try it out?"
Instead of showing them an incredibly polished experience and representing that you're doing everything the absolute right way, be upfront and say, "Look, this is something new. This is something we're launching. This is something I feel very passionate about, but we don't have super-powered lawyers to take care of everything. I've done everything that is feasible to comply with HIPAA, even though we're not obligated to comply as a puppy therapy company that doesn't take insurance, but I'm acting in good faith."
With this simple approach, you can legitimately go out and offer your product to people without making sure that you have an entire HIPAA compliance stack from the get go.
If this is the approach you want to take, here are three things to keep in mind:
- Grasp HIPAA rules and requirements early to avoid jeopardizing future compliance.
- Recognize and handle PHI appropriately to protect patients' sensitive information, as is expected of healthcare providers anyway.
- Train staff on data privacy and security from the beginning to establish a culture of data protection.
If you do these three things, you're building a culture which does right by the patient, regardless of HIPAA. Even if you're not adopting HIPAA compliance from the outset, I recommend a high-quality data privacy training solution from day 1 to establish best practices on your team.
Check out the HIPAA training platform powered by TeachMeHIPAA.