Uber Is in Healthcare. So How Is It Handling HIPAA?

Uber recognized that it had a bull’s eye on its back. It was roughly 2 years ago, and the tech ride-share giant had set its sights on cutting the country’s sky-high number of missed medical appointments. Uber figured its army of drivers could help while simultaneously expanding the company’s reach to yet another industry. But before it could enter healthcare, Uber needed to overcome a major obstacle: complying with the Health Insurance Portability and Accountability Act, better known as HIPAA.

To prevent potential problems, the architects of what would become Uber Health looked to a HIPAA compliance and cybersecurity firm based in Nashville, Tennessee. Last June, Clearwater Compliance performed a HIPAA risk analysis of everything surrounding Uber Health and its dashboard and tech, ultimately concluding that the venture had “an unusually robust security environment,” according to the firm.

The determination was a critical one for Uber Health. Today at HIMSS 2018 in Las Vegas, Nevada, Healthcare Analytics News™ caught up with the people who are driving Uber Health and its security efforts. We learned what the organization has done to prepare for its launch, which occurred just last week, and got some of the down-and-dirty details.

“This was really about taking our time and doing it right,” said Lauren Steingold, senior strategist for Uber Health. “We wanted to find the right partner who would not only help us achieve HIPAA compliance but would help us understand HIPAA compliance and then maintain HIPAA compliance—and really get our team to be thinking in that way all the time.”

The results: For one, Uber Health, which providers use to book rides for patients, is off the ground. It also has completed pilot projects with roughly 100 partners. Broadly, the company has learned how to handle this particularly sensitive portion of its business.

Uber Health data, including all protected health information, are cordoned off from the rest of the organization, confined to a “very small team,” Steingold said. In an effort to keep prices affordable and drive times low, the company is using UberX drivers to transport patients to their appointments.

That means those individuals should be ambulatory and lucid, without the need for any additional level of service. And for the drivers: “They don’t know that their ride is any different than a standard UberX ride,” Steingold said, describing another effort to protect patient information.

Still, the engineering, product, sales, and support squads have all undergone HIPAA compliance training, helping them to navigate the complexities of the system and answer questions from partners, riders, and drivers.

Uber Health also encrypts data, both in transit and at rest.

Long before anyone muttered the name Uber Health, its major players had been in talks with 2 law firms that focus on risk and compliance. They each independently referred the tech standout to Clearwater Compliance, headed by Bob Chaput, a longtime executive for companies like GE and Johnson & Johnson. He had come out of retirement—for the second time—in early 2009 to help companies and health systems meet the demands of HIPAA and actually secure their sensitive data.

Clearwater and Uber began talks in 2016, which led to a risk analysis last summer. Chaput declined to say what vulnerabilities his team found, but one thing struck him: Uber Health was getting out ahead of the problem, a rare move in an industry where many are hesitant to spend money on cybersecurity and the like because it doesn’t make money.

“I don’t know if it’s a sea change or how sweeping a change,” Chaput said, “but as compared to where HIPAA stood generally, from 2009 to 2010, this is a pretty significant thing, for this to be a matter of import for the company potentially hiring Uber as well as Uber itself.”

Chaput and his Clearwater team aimed to develop the right policies and procedures, ensure that Uber enforces and complies with those rules, and take reasonable and appropriate actions to protect health data—the bedrock of HIPAA security. Uber Health’s business model might have been unique, but its threats remained similar to those looming over the rest of healthcare.

A lot was at stake. Of 55 recent cases that the federal Department of Health & Human Services Office for Civil Rights marked for corrective action plans or settlement agreements, 41 involved electronic protected health information. In 37 of those 41 instances, risk analyses dug up adverse findings. That meant that healthcare had not taken risk and security as seriously as it should have, and violators got dinged.

But the steps taken by Uber Health have resulted in good news: Its healthcare organization partners are signing business associate agreements, a sign of their trust in the project and its data safeguards.

“We felt it was important to build a very robust HIPAA compliance program, not just check a box,” Uber Health’s Steingold said.

Still, as Chaput noted, HIPAA compliance doesn’t end with the construction of a program. When compliance and security initiatives fail, business associates “vote with their feet,” he said. Uber Health, therefore, will need to continue refining its approach as time goes on. “It’s a journey, not a destination,” he said.

Related

It Turns Out that Uber Is the Uber of Healthcare

5 Times Healthcare Companies Were Compared to Uber in 2017

Even Amazon, JP Morgan, and Berkshire Hathaway Don't Know All the Details of Their Healthcare Company