As regulatory compliance continues to dominate the legal sector, dealing with multiple jurisdictions in nationwide organizations isn’t getting any simpler. For PurposeMed, a virtual healthcare company that utilizes technology to provide complex care to underserved communities, this intricacy is magnified by the sheer diversity of regulations that must be considered across different provinces.
Speaking to Lexpert, Abdullah Abunafeesa, GC at PurposeMed, says that to remain compliant and maintain public trust, companies need to prioritize data security and privacy, proper governance and employee education.
"The main issue for startups is that you have to navigate a complex regulatory landscape with limited resources," Abdullah explains. "For us in the healthcare industry, we have healthcare and privacy regulations, and the complexity there lies in that every jurisdiction we operate in has different regulations as well."
In the healthcare sector, regulations are not just about compliance for compliance's sake – they’re essential in ensuring safety and maintaining public trust. This is particularly true for emerging areas like virtual healthcare, which Abdullah describes as "a newer medium of providing healthcare services" that naturally attracts regulatory scrutiny. This rapid evolution of virtual healthcare has led to a situation where laws are still catching up to the technology.
"Whenever you have these new ways of providing healthcare services, there is a public interest to regulate them, to make sure that they're done in a safe and compliant manner," Abdullah says.
Another significant challenge that PurposeMed faces, which is common across industries, is data privacy and security. In an era where data breaches can have catastrophic consequences, this is a critical area of focus. Abdullah tells Lexpert that the importance of understanding and complying with data privacy laws such as HIPAA in the United States and PIPEDA in Canada really can’t be overstated.
"Data privacy and security are immense," he stresses. "The effective way to do this with limited resources is to develop a targeted regulatory strategy. You have to build your compliance framework around a central regulation that applies to most of the jurisdictions in which you operate (such as HIPAA for PurposeMed’s US operations). Then when you go to a jurisdiction with additional legislation, you already have the basis to address those requirements with minor adjustments." Abdullah also recommends mapping your data to understand how data is being processed and retained, as well as implementing robust security measures to protect against breaches.
Moreover, Abdullah emphasizes the importance of having a small, dedicated compliance team that can stay current with regulatory changes and ensure that operations remain compliant.
"It could be even just one person or a group of people from different departments," he suggests, noting that these individuals generally come from legal, finance, security, and management to cover all bases.
Startups also need to instill a culture of compliance across the organization, where every employee understands their role in maintaining regulatory standards.
"Ensuring that your employee base is sufficiently educated" is crucial, Abdullah says, adding that it's important to build "a strong culture of compliance, where everyone feels a sense of ownership and responsibility for ensuring that compliance is upheld."
Balancing growth and governance is another tightrope that startups must walk. In fast-growing companies, there is often a tension between the need to move quickly and the necessity of maintaining robust governance structures. Abdullah likens this to a "push-pull" dynamic, where the desire to "move fast, break things" must be balanced by the need to avoid accumulating too much risk.
"If you don't build your governance and compliance structure properly, you'll continually accumulate risks. However, with the right structure in place, you'll be able to effectively manage and mitigate those risks," he says.
In his role, Abdullah focuses heavily on risk management, providing proactive legal guidance that helps the company navigate these challenges.
"It's about understanding what the business needs are and meeting the business where they are," he says. This involves not just identifying risks but also assessing their magnitude and communicating the potential impacts in a way that the management team can act upon.
Finally, intellectual property protection is another critical area for startups, particularly in fields like healthcare, where innovation is crucial.
"I've seen cases where a company builds its brand, only to discover that the trademark is already registered to someone else," Abdullah warns. This can lead to costly legal negotiations or force the company to rebrand, both of which can be devastating for a startup.