How To Pursue New Business Opportunities With HIPAA Compliance

by Josh Biggs in Business on 8th February 2022

The Health Insurance Portability and Accountability Act (HIPAA) was passed into law in 1996. The purpose of the law was to safeguard Protected Health Information (PHI) stored in the computer databases of hospitals and other healthcare institutions. It came as a response to the growing number of data privacy breaches in which hackers stole PHI.

The HIPAA rules require every business that comes into contact with PHI or electronic PHI to comply with their standards and regulations. This means you can’t do any business that handles PHI if you’re not HIPAA compliant. If you started a business processing firm for medical transcription in 2015, for instance, you won’t be able to serve healthcare institutions anymore if you don’t comply with HIPAA. Here’s how you can pursue new business opportunities once you become HIPAA-compliant.

  1. Businesses Covered By HIPAA

There are two main types of businesses that are subject to the rules and regulations of HIPAA. The first is called ‘covered entities’ or covered institutions. These are businesses and institutions that are part of the healthcare industry. This category includes hospitals, healthcare institutions, healthcare providers, clinics, medical insurance companies, pre-employment testing clinics, and other entities that handle electronic Protected Health Information (ePHI).

But there’s a second category of businesses that may not be part of the healthcare industry yet are still subject to the HIPAA rules if they engage in business activities and operations that involve handling ePHI. Any business entity that handles PHI in line with its contractual obligations or transactions with a covered entity is referred to as a ‘business associate.’ Under the HIPAA rules, business associates are required to comply with the same HIPAA regulations and standards.

  2. Ensure That Your Business Is HIPAA-Compliant

If you want to pursue new business opportunities with entities and institutions that are covered by the HIPAA rules, you have to make sure that your own business meets the standards and regulations required under the HIPAA Rules. Covered entities won’t do business with you if your business doesn’t comply with HIPAA standards in the first place. Here are some of the things you need to comply with:

  • Privacy Rule – You need to make sure that you can protect the data of patients, called PHI, from any potential breach of information due to any vulnerability or threat.
  • Security Rule – You need to ensure that your business can secure the PHI by providing administrative, physical, and technical safeguards. You should also conduct a periodic risk assessment and audit to guarantee that you’ve mapped out all the foreseeable gaps in your network security and infrastructure.

  3. Show Potential Clients Your HIPAA-Compliant Capabilities

Once you’ve made your business management systems, network security, and network infrastructure compliant with HIPAA standards and regulations, you can start marketing your business services to potential clients.

Keep in mind that covered entities and their business associates strive to comply with the HIPAA rules because of the steep costs that any breach of ePHI privacy and security would bring. The fines and penalties mandated under HIPAA run up to millions of dollars. This could potentially bankrupt even large hospitals and healthcare institutions. Even if they could get business insurance for any liability under HIPAA, a breach of privacy and security could set back their business reputation and raise their insurance premiums to expensive levels.

With this in mind, your business development and marketing efforts should focus on alleviating the worries of covered entities. What they want to see from you are the network resources and capabilities that ensure they can share their ePHI database with you without the risk of a breach.

Their reputation and trustworthiness depend on the security of their patient data. If the names and other details of their patients, such as contact information or history of illnesses, are stolen and published online, no one might trust them anymore.

When you pitch your proposal, make sure that you present to the prospective client the measures you’ve put in place to protect ePHI from data breaches, vulnerabilities, and potential threats from hackers.

  4. Present Your Remediation Capabilities

Covered entities know that despite all the best efforts, there’s no such thing as a perfectly impregnable IT system. Every business has its vulnerabilities, the threats are as varied as the many risks and uncertainties in life, and hackers are always developing new ways to get in and steal data. You’ll have to show them that you have a damage control and remediation plan in case of a breach of privacy, coupled with a presentation of your risk remediation capabilities.

There’s a growing demand from entities and institutions covered by the HIPAA rules for third-party vendors and service providers who can help them with their IT requirements. But they’re very selective about whom they deal with because of the stringent requirements and heavy penalties under HIPAA in case of a breach of data privacy and security. To make the most of these business opportunities, you have to show clients that your capabilities and resources can bring down the risk of a breach at an affordable cost.
