Hacker News

8 hours ago by dekhn

First step: figure out if you are a covered entity or a business associate, or neither. If not, the law doesn't apply to you. However, you may still want to follow its guidelines.

It's an onerous law and many people now cite it when they don't want to provide information, even if the law doesn't apply to them.

5 hours ago by bigiain

> First step: figure out if you are a covered entity or a business associate, or neither. If not, the law doesn't apply to you.

If you are a "covered entity" try and work out if you can stop being one. If you can avoid collecting HIPAA relevant data and still make your business model work, that's likely to be a significantly easier path to take than ensuring ongoing compliance. (Same as PCI compliance - outsource all that brain damage to Stripe or Square or whoever, and be able to look a judge in the eye and say "We never even see credit card data.")

4 minutes ago by donatj

PCI compliance is a little different as it’s an industry standard and not a legal standard. Far less fear of prison time if you mess it up. That said it’s still way better to outsource all that worry.

3 hours ago by anonymouse008

Query — if one makes an Excel macro that consolidates PHI into a chart, that is then copy and pasted into a medical note, and no PHI is transmitted by the macro, but can instead be saved as a macro-enabled xlsx file and emailed to another location... does that make one a CE/BA or not?

2 hours ago by ryanSrich

IANAL

It’s actually way simpler than a lot of people here are making it out to be.

If you are storing OR transmitting PHI you are required to be HIPAA compliant. That’s it.

2 hours ago by Spooky23

If HIPAA compliance is difficult enough to come up with something like this, you have bigger problems.

There are very challenging compliance frameworks. HIPAA isn’t one of them.

4 hours ago by rsj_hn

Wise words. Information should be treated as toxic effluvia and HIPAA compliance (as well as GDPR and related laws) should be considered as superfund cleanup procedures. They are expensive, complex, and fraught with legal risk.

Don't collect information, don't store it, unless absolutely necessary and you can't find an expert certified third party to handle it for you.

4 hours ago by sokoloff

We had a PCI QSA who argued that pages that linked out to payment processors were in full scope for PCI, because if compromised, they could be changed to point to a compromised payment entry site. Which logically means that pages which point to those pages are also in scope, all the way up the stack and suddenly everything is in full PCI scope.

Absolutely use a PSP to minimize your wasted effort on compliance activities, but also choose a sane QSA.

5 hours ago by noodlesUK

This unfortunately seems to also be the case with GDPR in Europe. People use it as a scary sounding excuse for various nonsense, even when it clearly doesn’t apply. I recently heard a university claim that GDPR prevented them from recording lectures amongst other things. I’ve also heard numerous individuals complain that GDPR prevented them from doing one thing or another, when GDPR doesn’t apply to things individuals do in most cases. Well-publicised laws generally get this treatment, where people invoke their name as some sort of magic incantation to justify their action (or more often inaction), and know little to nothing about the law itself.

5 hours ago by zamadatix

I'd be curious why university recordings weren't subject to GDPR myself. Consent could be had and managed but I could see this as enough trouble to just not do recordings as a result, especially since it can be withdrawn later.

13 minutes ago by smnrchrds

I don't know anything about GDPR, but I guess at most it will protect students. If they only record professors while giving lectures, that can't be illegal, can it? And I'm sure the professor cannot withdraw consent for sharing the video anymore than an actor can withdraw consent from appearing in a film he had played in 10 years ago.

an hour ago by jbluepolarbear

I used to work for a Medical Simulation company and they wanted to get into the Hospital data business for sepsis. I had to get HIPPA Certified before I could even get access to the databases of the “unidentifiable” information. Having the certification was more of a burden than useful. There’s no such thing as unidentifiable hospital data. Instead of finding a connection to sepsis I found certain hospitals were ordering unneeded, or atypical, procedures which had resulted in a much lower fatality rate from sepsis. The project went nowhere and insurance companies weren’t interested in saving lives.

36 minutes ago by z3ugma

There's also not such a thing as "HIPPA Certified" and anyway it's "HIPAA". Do you mean you got some sort of training in how HIPAA privacy and security rules apply to you?

5 hours ago by faitswulff

Tangential, but since Signal doesn’t store user data, does that make it HIPAA compliant by default?

5 hours ago by zamadatix

I'd recommend reading through the guide (at least the first part) for a better understanding but in short no.

Signal without a Business Associate agreement to handle PHI would either be considered limited/incidental or a conduit, and not on the hook for PHI data going through them incidentally; the risk would stay with the entities using it, not Signal itself (and certainly not absolved).

Secondly it doesn't matter if data was only "in flight" when leaked and not stored. I.e. the availability of the protected information is what is regulated.

Thirdly, Signal DOES store user data for up to quite a long time as it proxies the delivery of messages, just in an encrypted form (a plus for meeting requirements though) it's not supposed to be able to read, and supposedly deletes it after it no longer needs to hold onto it.

Finally if someone hacked the Signal servers and a bug in the encryption was found or you forgot to check the conversation verification code and were being MITMd then it's still a violation anyways. That is you're good until you aren't - the encryption only protects you while it worked not because you tried (though if it is found you didn't have any encryption on some data that in itself is a fineable offense).

4 hours ago by astura

Signal is not a "covered entity" under HIPAA[1], so they don't need to comply with HIPAA data privacy laws. HIPAA is not a generic medical privacy law, it basically only applies if insurance claims are involved. (The "I" in "HIPAA" stands for "insurance")

[1] https://www.cms.gov/Regulations-and-Guidance/Administrative-...

6 hours ago by mikewarot

HIPAA is going to lead to a lot of deaths, but you'll never be able to prove it. If doctors and nurses aren't allowed to hear about patients after they transition to another floor, department, facility, how are they supposed to have the feedback required to improve the standards of care?

ER staff used to keep tabs on their patients with other staff, to see how they were doing, and now they aren't allowed to do so. It's the road to hell paved with good intentions.

5 hours ago by cjcampbell

Citations would be helpful for such a claim. I work with HIPAA daily, and while I agree that it has a lot of problems, the one you identify here would be an issue of misguided hospital policy. The hospitals would be absolutely within their rights to allow care teams to follow up with patients as they transition.

Now I could easily imagine HIPAA being used as a scapegoat for a set of restrictive policies that are actually being driven by other incentives.

2 hours ago by SkyPuncher

I worked with HIPAA and am married to a physician. What he claimed isn't possible is entirely possible.

You are allowed to follow patient. You are allowed to track outcomes.

If a patient isn't actually in your care, there are HIPAA defined means for reviewing cases for quality control.

2 hours ago by Spooky23

That has nothing at all to do with HIPAA. The standards of care in many hospitals are really awful, but incompetence isn’t correlated with overly aggressive information policy.

5 hours ago by mikewarot

I said at the outset it could never be proven. There will never be anything to cite, just a continuing trend towards mediocre medical practice in the USA.

I'm not a medical person, but have had family in that role. They couldn't comment on it, but I sure can.

Informal discussion of patients has been stopped. The feedback channels that allow for discovery of subtle problems and their solutions have been removed.

ER staff used to visit their patients, and keep in touch with them; this stopped with HIPAA. This is dehumanizing.

Imagine if developers weren't ever allowed to discuss bugs in their programs, unless they were actively working on the same bug? Think of how much that would kill productivity.

What if we weren't allowed to discuss any software or OS we currently don't have a license to use? That's about how strict HIPAA is when it comes to discussing patients, at least as implemented by hospitals.

It is far far safer for them to shut all talk about patients down, in terms of patient satisfaction, lawyers, lawsuits and fines.

4 hours ago by watertom

Unless you work in a hospital and experience the rules first hand, I suggest you remember what you were taught in kindergarten: don't repeat things you’ve been told because they might not be true.

I work in a hospital and I’ve never seen anything remotely like what you described. Our hospital has some of the most sophisticated monitoring systems available for inappropriate patient information access.

3 hours ago by light_hue_1

You don't have experience with HIPAA, and what you're describing is not at all true.

> Informal discussion of patients has been stopped. The feedback channels that allow for discovery of subtle problems and their solutions have been removed.

No way. I work with hospitals, there are plenty of feedback channels and cases get discussed at length. HIPAA does nothing at all to stop any communication or data sharing that is beneficial for patient safety.

> ER staff used to visit their patients, and keep in touch with them, this stopped with HIPPA. This is dehumanizing.

This is not at all true.

> Imagine if developers weren't ever allowed to discuss bugs in their programs, unless they were actively working on the same bug? Think of how much that would kill productivity.

Hospitals literally do these kinds of debriefs all the time. HIPAA does nothing to stop them at all.

> It is far far safer for them to shut all talk about patients down, in terms of patient satisfaction, lawyers, lawsuits and fines.

You totally misunderstood HIPAA, what it regulates, and how it regulates. It in no way shuts down conversations about patients. I deal with HIPAA-protected data and compliance all the time, I have no idea where you got this impression, but it was not from a doctor.

2 hours ago by disillusioned

Man, I'm glad others are dragging you here, but HIPAA, pay attention here, SPECIFICALLY CARVES OUT INFORMATION SHARING IN THE CLINICAL ENVIRONMENT BY PRACTITIONERS.

It SPECIFICALLY calls out that practitioners are allowed to describe in detail the medically relevant information of their patient to other people in the course of providing healthcare. This is NOT what HIPAA prevents, and to say otherwise is to completely misunderstand both its stated intent AND how it's practically implemented in the field.

If you are a boarder patient (in a gurney in the hallway because there are no rooms available), a nurse or doctor IS ALLOWED to ask you questions, document your answers, and discuss your case in said hallway.

Informal discussions still happen ALL THE TIME, but practitioners use a room number rather than a patient's name, and because that information isn't personally identifiable, it's HIPAA compliant.

ER staff... still visit their patients. What on earth are you even talking about? Doctors and nurses round, they chart, they discuss and plan with one another. They communicate freely.

While there have absolutely been rare cases where information hasn't been shared as timely as it should have been (when, say, a requesting facility was foreign to another facility, and so data sharing was limited, wrongly, in the name of HIPAA), the positives of the law, which STOP a facility from just publishing your health data, or more importantly, prevent your health insurance company from broadcasting your data or selling it or using it for marketing purposes, are positive.

Patients should be able to receive quality healthcare without concern that their personal health history will be made public. HIPAA prevents the sharing of a patient's diagnosis or medical data without that patient's permission, which is how it should be.

But in terms of clinical outcomes, the hospitals still work. The nursing staff still works. And everyone knows damn sure they shouldn't be discussing a patient's name outside of work, or posting a case on the 'gram.

2 hours ago by SkyPuncher

This comment demonstrates a lack of understanding of HIPAA.

All of what you described is allowed under HIPAA. It happens every day.

4 hours ago by 1996

And on the opposite side, I would love it if I could have hospitals destroy all my records as soon as I leave, because I value my privacy more than their fetishist interest in collecting information that would put google to shame.

After trying in vain, I've realized it's fighting windmills on an uphill battle, and I just do medical tourism. No records, paid in cash, in a different country each time.

4 hours ago by watertom

Hospitals wish they could destroy your data as well, state laws dictate that hospitals and doctors retain the data, in some states for as long as 15 years.

Hospitals would love to treat you as a new patient every time through the door, that way it’s your responsibility to inform them of everything and anything that might impact care, it would eliminate a ton of liability for the hospital.

Start writing your state government officials and get your laws changed.

I worked for a social networking company, and I work for a hospital; you are a fool if you think hospitals have more data. At the social networking company we knew about all your health issues, we knew about your affairs, your spouse's affairs, everything you’ve bought in the last 10 years, we knew if your children were actually yours, everything your children were up to, we had access to all your text messages, all those years of their chatting on your platforms, we had reciprocal agreements with them all. We knew everything you ever searched for, every porn site you visited, all your fetishes, how much you made, your bank amounts. EVERYTHING.

4 hours ago by 1996

> Start writing your state government officials and get your laws changed.

I'm lazy. I travel instead. Medical tourism gives me higher quality healthcare.

> EVERYTHING

You wish. I use tor and have had no social network presence for over 10 years.

4 hours ago by mikewarot

Differential diagnosis is a valuable medical technique... and you want to eliminate all possible baseline information.

3 hours ago by 1996

Yes, my privacy comes before everything, including my health.

When your medical records are leaked (only a question of time) you can't say you weren't warned.
