No fancy intro — let’s just get right into this.

Question 1: What does compliance mean in healthcare? 

Healthcare compliance is the process to meet all government rules and regulations imposed under several healthcare laws such as PHIPA, PIPEDA and HIPAA. 

Question 2: What does it mean to be healthcare compliant? 

Be it your healthcare app, software, website or any other clinical practice, when it works only according to the rules and regulations of applicable laws, it is called a healthcare compliant app or platform or clinical practice. 

For instance, if there is a requirement to ask permission of patients before storing their data on your healthcare mobile app, your app should have a feature that asks user permission and manages it. 

This is an example of one requirement. When your app follows all such requirements of the law, it becomes compliant with particular healthcare law. 

Because there are many different requirements under different healthcare laws. 

Question 3: What are the laws I should follow to be healthcare compliant?

It depends on the region you are doing clinical practice or planning to launch the healthcare app/platform.

For instance, HIPAA healthcare law applies to your app and clinical practice in the USA. 

Same way, PIPEDA law applies to you at the federal level in Canada. 

There are many other laws imposed by the state governments and apply to you in different provinces or states. 

Such as PHIPA in Ontario, HIA in Alberta etc.  

Question 4: Do government entities need to be compliant with healthcare laws? 

Yes, government entities must also meet all healthcare rules and regulations. However, there are dedicated laws imposed for government entities. 

For instance, there are two such laws in Ontario - FIPPA and MFIPPA. 

“FIPPA covers all ministries of the Ontario Government and any agency, board, commission, corporation or other body designated as an "institution" in the regulations.” 

“MFIPPA covers all municipal corporations, including a metropolitan, district or regional municipality, local boards and commissions.”

However, FIPPA is not healthcare-specific law. It protects the privacy of all individuals in Ontario including those who receive healthcare. 

Question 5: Does a small clinic or small startup need to be compliant with healthcare laws? 

Yes, regardless of the scale you’re operating, every startup, healthcare provider and even business partner of these healthcare providers and startups that handle patient data should adhere to healthcare compliance. 

Question 6: Do I need to comply with all the healthcare laws? 

Here, there are two scenarios. 

• You need to comply with all the laws that apply to you at the federal level. Such as PIPEDA in Canada and HIPAA in the USA. 
• But when it comes to provinces, you only need to comply with the laws of particular provinces where you want to launch your app or run a clinic. 

Question 7: Is there any healthcare compliance certificate?

No, you will be never asked by either a user or government to show the certificate that proves the compliance-readiness. Because there is no such certificate! 

However, it is advisable to keep all of your best practices of ensuring compliance-readiness well-documented. 

Because many laws including HIPAA ask you to have documented policies and procedures. 

Question 8: When there is no certificate, how can I prove that my app/software/practice is healthcare compliant? 

You don’t have to prove it actually. 

But yes, when a user lodges a complaint against your app or clinical practice at the Privacy Commissioner of Canada, they will ask you everything you do to ensure compliance readiness. 

You also need to prove compliance for getting funding from either investors or government agencies. 

If you’re developing a SaaS healthcare platform, your customers will also ask you to present compliance-readiness. 

This is why we earlier told you to document all of your technical and business efforts that directly affect the compliance of your app or clinical practice. 

Or, you can hire a compliance consultant that takes care of everything. He will work as the compliance certificate with his expertise and experience! 

Question 9: Why is compliance important in healthcare? 

Healthcare compliance is very important as it eliminates all the security issues out of the healthcare app/software and makes sure all patient data is safe and secure. 

And more importantly, if you violate it, you will be liable for the very hefty fine. 

Question 10: Is healthcare compliance mandatory? 

Particularly in Canada, there is no dedicated law forcing you to be compliant with healthcare laws. 

However, each individual healthcare law asks defined entities to be compliant with it. 

To keep patient data secure on your platform, to build trust among your users & investors and to keep yourself away from any legal trouble, it is a must to consider healthcare compliance. 

If your healthcare mobile app, software or clinical practice does not adhere to applicable laws, you as the organization can be liable for a fine of up to $500,000 and even more. 

Question 11: Are only healthcare apps/software need to be compliant with healthcare laws? 

Simply no. 

These healthcare laws apply to your entire organization including staff, their devices such as mobile phones, laptops, your business partners and your physical assets including servers. 

For instance, you have to hire a Security Officer or Privacy Officer. You have to make sure that no unauthorized users can access your physical servers. 

You have to provide your staff with annual compliance training. You have to use healthcare compliant servers to host your app or data. 

Question 12: How to be healthcare compliant? 

The following are the actionable steps. 

Suppose you’re developing a healthcare mobile app. 

• You need to draft a compliance strategy before even starting to develop your app as there are many technical requirements your app should work accordingly. 
• You also need to make sure that APIs you’re using in your app are also healthcare compliant APIs. 
• Some laws including HIPAA even ask you to sign a business associate agreement with your 3rd party business partners or service providers. 
• You should carry out TRA (Threat and Risk Assessment) on the app - with respect to applicable laws. 
• TRA reveals the app’s security vulnerabilities which you have to fix. Once you fix it, your app would become compliant with the law you’ve considered while carrying out TRA. 
• Sometimes, you need to carry out a separate compliance audit in case there are regulations you missed out to meet during TRA. 

You should also carry out PIA (Privacy Impact Analysis)  which validates the compliance-readiness of your entire organization. 

Meaning, PIA makes your organization compliant with applicable laws and TRA makes your software or application compliant with applicable laws.

Read this dedicated blog to know more about PIA and TRA. 

Question 13: Should I carry out a compliance audit or PIA and TRA only one time?

No. Many healthcare laws ask you to reevaluate your technical, operational and business compliance readiness once in the year. 

Meaning, you have to carry out a compliance audit or PIA and TRA every year - or the time frame applicable laws suggest. 

Question 14: Is there a PIA and TRA certificate? 

No. Neither government agencies nor individual companies provide one such certification. Because you actually don’t need it.

However, as stated earlier, you should document all business and technical aspects you’ve covered while carrying out PIA and TRA. 

This will help you in the event of a privacy commissioner inquiry, funding and acquiring customers. 

PIA is also useful when you need to integrate an EHR system with your app or platform. 

Because there are EHR systems such as Alberta Netcare Portal (Alberta's public EHR system) that requires you to have a PIA document to integrate it with your app or platform. 

Question 15: How much does it cost to be compliant with the healthcare laws in Canada and the USA? 

You have two options. You can hire a dedicated resource (in-house compliance officer) or you can hire a service providing company (compliance consultant or expert on an hourly basis). 

If you choose option one - the annual salary of a senior compliance professional can be anywhere from $100,000-$250,000+. 

Whereas, if you hire a compliance consultant or expert on an hourly basis through a compliance consulting service providing company, they charge $180+ per hour. 

Considering the fact that you only need a compliance consultant once a year, it is better to tie up with some compliance consulting service providing company. 

Still, have doubts? Talk to our compliance experts. We help with healthcare compliance, PIA, TRA and security  

We're an Ontario-based team of compliance experts. 

We’ve studied, analyzed and mastered all of the healthcare laws and regulations in Canada and the USA. 

We in fact worked with many healthcare providers including hospitals and healthcare startups to solve their compliance-related challenges. 

We even helped app development companies to develop healthcare compliant mobile apps and software. 

You can check out our recent case study which talks about how we eliminated 47 security risks out of the app and made it a HIPAA compliant app. 

We believe that healthcare compliance isn’t something that troubles startups and healthcare providers. Instead, it should be easy, fun and widely followed. 

Just share your requirements with us. We will provide you with a full roadmap and technical help.