A developers guide to HIPAA compliance

> First step: figure out if you are a covered entity or a business associate, or neither. If not, the law doesn't apply to you.

If you are a "covered entity" try and work out if you can stop being one. If you can avoid collecting HIPAA relevant data and still make your business model work, that's likely to be a significantly easier path to take than ensuring ongoing compliance. (Same as PCI compliance - outsource all that brain damage to Stripe or Square or whoever, and be able to look a judge in the eye and say "We never even see credit card data.")

I'd say the first step is "Is this data even the kind where HIPAA compliance might be required?"

The number of people I know who conflate "human subjects data" and "HIPAA data" is staggering.

Yup, people should follow the "rules" even if they don't actually apply to them. Confidential personal information should be kept confidential short of a legal compulsion to divulge it.

Over my decades in IT I've seen plenty of things by accident (and once, not-accident. A guy was getting a lot of gay "spam" and wanted me to stop it. I went along with the cover story, knowing perfectly well it was message digests from a forum he had to have signed up for.) None of it gets repeated other than anonymized.

This unfortunately seems to also be the case with GDPR in Europe. People use it as a scary sounding excuse for various nonsense, even when it clearly doesn’t apply. I recently heard a university claim that GDPR prevented them from recording lectures amongst other things. I’ve also heard numerous individuals complain that GDPR prevented them from doing one thing or another, when GDPR doesn’t apply to things individuals do in most cases. Well-publicised laws generally get this treatment, where people invoke their name as some sort of magic incantation to justify their action (or more often inaction), and know little to nothing about the law itself.

This is standard, and doesn't mean they aren't standing behind their work.

If you ever see "legal advice" (in the loosest sense of the term) being given in online forums, like /r/LegalAdvice, the phrase you see the most is IANAL[0] – "I am not a lawyer." By actual lawyers, you usually see the variant "I am not your lawyer."

Being my lawyer means I have cilent-lawyer confidentiality and other privileges. But you commenting online, or writing a github repo, doesn't meet that standard. This might seem very obvious to you, but unfortunately I've seen people get this wrong a bunch. It's a component of ensuring we protect everyone's rights.

Essentially if you used that project and got in legal hot water, and then said, "but hey, I got legal advice from this github repo", well if they were lawyers they could lose their license. This is drilled into them as ethical behaviour. Getting it wrong comes with risk, and there's no benefit.

A lawyer is only going to give you advice once you're actually their client, have signed an engagement letter or similar, and most importantly they understand the facts of the case. Legal advice is case-specific, and giving general advice leads to wrong advice, which gets people in trouble.

[0] https://en.wikipedia.org/wiki/IANAL

https://en.wikipedia.org/wiki/Practice_of_law#Unauthorized_p...

The lawyers would have insisted on a disclaimer like that. The problem is that true legal advice as opposed to information or guidance - a judgment that suchandsuch solution fulfills your specific legal obligations in suchandsuch scenario - can’t ethically be given by lawyers without personal consultation and can’t legally be given by non-lawyers at all.

> Is your service also not verified by lawyers

This is exceedingly common w/ service providers in the HIPAA compliance space. They want the benefit of sounding like an expert while washing their hands of any consequence if/when they have made a mistake.

I'd recommend reading through the guide (at least the first part) for a better understanding but in short no.

Signal without a Business Associate agreement to handle PHI would be either be considered limited/incidental or as a conduit and not on the hook for PHI data going through them incidentally the risk would stay with the entities using it not Signal itself (and certainly not absolved).

Secondly it doesn't matter if data was only "in flight" when leaked and not stored. I.e. the availability of the protected information is what is regulated.

Thirdly Signal DOES store user data for up to quite a long time as it proxies the delivery of messages, just in an encrypted form (a plus for meeting requirements though) it's not supposed to be able to read and supposedly deletes it after it no longer needs to hold onto it.

Finally if someone hacked the Signal servers and a bug in the encryption was found or you forgot to check the conversation verification code and were being MITMd then it's still a violation anyways. That is you're good until you aren't - the encryption only protects you while it worked not because you tried (though if it is found you didn't have any encryption on some data that in itself is a fineable offense).

Signal is not a "covered entity" under HIPAA[1], so they don't need to comply with HIPAA data privacy laws. HIPAA is not a generic medical privacy law, it basically only applies if insurance claims are involved. (The "I" in "HIPAA" stands for "insurance")

[1] https://www.cms.gov/Regulations-and-Guidance/Administrative-...

Adding to zamadatix's excellent points - it falls under the HIPAA Conduit Exception, which includes encrypted email and the US Postal Service, through which a healthcare provider can send PII with a reasonable expectation that the messages won't be intercepted in transit.

There's also not such a thing as "HIPPA Certified" and anyway it's "HIPAA". Do you mean you got some sort of training in how HIPAA privacy and security rules apply to you?

Citations would be helpful for such a claim. I work with HIPAA daily, and while I agree that it has a lot of problems, the one you identify here would be an issue of misguided hospital policy. The hospitals would be absolutely within their rights to allow care teams to follow up with patients as they transition.

Now I could easily imagine HIPAA being used as a scapegoat for a set of restrictive policies that are actually being driven by other incentives.

This comment demonstrates a lack of understanding of HIPAA.

All of what you described is allowed under HIPAA. It happens every day.

This thread represents a failure to communicate, please allow me to restate and clarify.

I followed up with my unnamed family who are in the medical world, to see if I was wrong (as the comments here so loudly proclaimed). I was told that I was generally correct and they shared my concern.

It appears I didn't express myself clearly enough, and other people weren't charitable enough in their reading of what I said to allow the benefit of the doubt.

I'll restate things, now that I've seen a day worth of feedback, as I'm interested in the truth, and not being right, I hope you'll allow this.

My observation is that the behavior of my family members has changed because of HIPPA.

Long term follow up of former patients, seems to have been completely shut down by HIPPA and the way the medical industrial complex interpreted it.

Informal learning of interesting cases (corner cases) seems to be another victim of HIPPA.

As a patient, I value privacy. I am concerned that the proverbial pendulum has swung too far, and we are cutting off a valuable (out of band signaling) mechanism for improving the practice of medicine.

Did I explain it better this time? What could I have stated differently, or more explicitly?

Thank you all for your time and attention.

This is a very misinformed comment. I suggest you talk to pretty much anyone who works in healthcare before fabricating rhetoric about how the system works.