Expanding into the US is a dream for many Australian startups. While there are many benefits to entering this market, you should also be aware of the laws that may affect the industry you are entering. For example, the US health insurance industry is regulated differently to what we are used to in Australia. Industries like this are subject to a number of laws aimed at protecting confidential information, whether it be health or defence information. One key piece of legislation is the Health Insurance Portability and Accountability Act 1996 (HIPAA).
What is the Health Insurance Portability and Accountability Act?
The Health Insurance Portability and Accountability Act 1996 is a US federal law under which the HIPAA Privacy Rule and Security Rule set standards for safeguarding protected health information (PHI), such as medical records. If you are an Australian startup providing, or looking to provide, software to clients in the US then you should be aware of HIPAA. Similar in some respects to Australia’s Privacy Act 1988 (Cth), HIPAA goes a couple of steps further and places a more onerous burden on a company that handles or holds sensitive information (e.g. health information).
A company handling PHI must adhere to a number of rules under HIPAA in order to be compliant. The Security Rule in particular requires administrative, physical and technical safeguards for the information being held: who may physically access the systems, who may access the data electronically, and how those controls are documented, managed and reviewed. Organisations to which HIPAA applies directly, for example a health insurance provider or a hospital, are known as a ‘Covered Entity’.
HIPAA and Australian Businesses
This legislation becomes a concern for Australian startups as more and more break into the US market from Australia or flip-up and move to the US. If you are providing Software as a Service (SaaS) or other products to a Covered Entity and your service creates, receives, stores or transmits PHI on its behalf, then you are likely considered a ‘business associate’. Business associates are directly subject to HIPAA and are required to put adequate measures in place to protect the information they hold. The agreement required by HIPAA that outlines your obligations is a Business Associate Agreement (BAA). A BAA will set out the permitted uses of the information, the safeguards required to protect it, your reporting obligations (including notifying the Covered Entity of a breach) and the conditions on which access may be passed on to sub-contractors, who must be bound by equivalent terms.
If a company is found in breach of HIPAA it may be subject to civil monetary penalties. Individuals, including directors or employees, may also face criminal penalties depending on the nature of the breach, for example knowingly obtaining or disclosing PHI without authorisation.
Complying with HIPAA
If you intend to provide services to a Covered Entity then you will need to be prepared to meet the requirements of a BAA under the HIPAA. This will require specialist advice from lawyers and technical advisers who can provide guidance on the legal and practical implications of accepting this kind of client. There are also insurance options available to you in the event that there is a breach or other failure that leads to the possibility of civil penalties.
Depending on your volume of sales in the US, you may not even be aware of whether your systems are holding Protected Health Information. If you are concerned that this may be an issue for your business you should consider reducing your risk by prohibiting a company that handles Protected Health Information from using your platform or product. This can be incorporated into your SaaS or other terms and may reduce your liability. Bear in mind that a term like this limits your contractual exposure but does not remove any PHI a customer uploads regardless, so it works best alongside terms that let you suspend or terminate an account that breaches it. Given the potential risk to your business, it’s worth discussing this with a US firm that has specialist experience in this area.
Australian startups are finding their way into markets across the globe and interacting with clients in a way that could not have been contemplated when laws relating to the handling of information were first enacted. If you are expanding to a new market, you should always investigate what legal risks may arise and how you can address them. LegalVision can assist you with expanding your startup overseas or complying with overseas regulations. Questions? Call us on 1300 544 755.