4 years ago by dekhn
First step: figure out if you are a covered entity or a business associate, or neither. If not, the law doesn't apply to you. However, you may still want to follow its guidelines.
It's an onerous law and many people now cite it when they don't want to provide information, even if the law doesn't apply to them.
4 years ago by bigiain
> First step: figure out if you are a covered entity or a business associate, or neither. If not, the law doesn't apply to you.
If you are a "covered entity" try and work out if you can stop being one. If you can avoid collecting HIPAA relevant data and still make your business model work, that's likely to be a significantly easier path to take than ensuring ongoing compliance. (Same as PCI compliance - outsource all that brain damage to Stripe or Square or whoever, and be able to look a judge in the eye and say "We never even see credit card data.")
4 years ago by donatj
PCI compliance is a little different as it's an industry standard and not a legal standard. Far less fear of prison time if you mess it up. That said it's still way better to outsource all that worry.
4 years ago by rsj_hn
Wise words. Information should be treated as toxic effluvia and HIPAA compliance (as well as GDPR and related laws) should be considered as superfund cleanup procedures. They are expensive, complex, and fraught with legal risk.
Don't collect information, don't store it, unless absolutely necessary and you can't find an expert certified third party to handle it for you.
4 years ago by sokoloff
We had a PCI QSA who argued that pages that linked out to payment processors were in full scope for PCI, because if compromised, they could be changed to point to a compromised payment entry site. Which logically means that pages which point to those pages are also in scope, all the way up the stack and suddenly everything is in full PCI scope.
Absolutely use a PSP to minimize your wasted effort on compliance activities, but also choose a sane QSA.
4 years ago by anonymouse008
Query - if one makes an Excel macro that consolidates PHI into a chart, that is then copied and pasted into a medical note, and no PHI is transmitted by the macro, but can instead be saved as a macro-enabled xlsx file and emailed to another location... does that make one a CE/BA or not?
4 years ago by ryanSrich
IANAL
It's actually way simpler than a lot of people here are making it out to be.
If you are storing OR transmitting PHI you are required to be HIPAA compliant. That's it.
4 years ago by Spooky23
If HIPAA compliance is difficult enough to come up with something like this, you have bigger problems.
There are very challenging compliance frameworks. HIPAA isn't one of them.
4 years ago by Fomite
I'd say the first step is "Is this data even the kind where HIPAA compliance might be required?"
The number of people I know who conflate "human subjects data" and "HIPAA data" is staggering.
4 years ago by LorenPechtel
Yup, people should follow the "rules" even if they don't actually apply to them. Confidential personal information should be kept confidential short of a legal compulsion to divulge it.
Over my decades in IT I've seen plenty of things by accident (and once, not-accident. A guy was getting a lot of gay "spam" and wanted me to stop it. I went along with the cover story, knowing perfectly well it was message digests from a forum he had to have signed up for.) None of it gets repeated other than anonymized.
4 years ago by noodlesUK
This unfortunately seems to also be the case with GDPR in Europe. People use it as a scary sounding excuse for various nonsense, even when it clearly doesn't apply. I recently heard a university claim that GDPR prevented them from recording lectures amongst other things. I've also heard numerous individuals complain that GDPR prevented them from doing one thing or another, when GDPR doesn't apply to things individuals do in most cases. Well-publicised laws generally get this treatment, where people invoke their name as some sort of magic incantation to justify their action (or more often inaction), and know little to nothing about the law itself.
4 years ago by zamadatix
I'd be curious why University recordings weren't subject to GDPR myself. Consent could be had and managed but I could see this as enough trouble to just not do recordings as a result, especially since it can be withdrawn later.
4 years ago by noodlesUK
They are subject to the GDPR in so far as they might record students, who might then need to give consent, which could then be withdrawn. In so far as the lecturers are concerned, the lawful basis is likely not to be consent, but rather a contractual obligation, where different rules apply. If for instance, paid actors in films could arbitrarily exercise their right to be forgotten, that would not be a tenable situation.
The solution is clearly to not record students in any identifiable way, but there's no need to avoid recording the lecture altogether. In fact, if the student were not identifiable, I expect it would be perfectly legitimate to record them without any explicit consent.
Disclaimer: I am not a lawyer, this isn't legal advice
4 years ago by smnrchrds
I don't know anything about GDPR, but I guess at most it will protect students. If they only record professors while giving lectures, that can't be illegal, can it? And I'm sure the professor cannot withdraw consent for sharing the video anymore than an actor can withdraw consent from appearing in a film he had played in 10 years ago.
4 years ago by jamra
It seems like they're advertising their vault service for healthcare data. They then offer a disclaimer that they are not lawyers. How can you offer advice for such a risky area and then not stand behind it? Is your service also not verified by lawyers?
It seems like a marketing piece with the intention of showing off their product, but I found that part to be odd.
4 years ago by acoard
This is standard, and doesn't mean they aren't standing behind their work.
If you ever see "legal advice" (in the loosest sense of the term) being given in online forums, like /r/LegalAdvice, the phrase you see the most is IANAL[0] - "I am not a lawyer." By actual lawyers, you usually see the variant "I am not your lawyer."
Being my lawyer means I have client-lawyer confidentiality and other privileges. But you commenting online, or writing a github repo, doesn't meet that standard. This might seem very obvious to you, but unfortunately I've seen people get this wrong a bunch. It's a component of ensuring we protect everyone's rights.
Essentially if you used that project and got in legal hot water, and then said, "but hey, I got legal advice from this github repo", well if they were lawyers they could lose their license. This is drilled into them as ethical behaviour. Getting it wrong comes with risk, and there's no benefit.
A lawyer is only going to give you advice once you're actually their client, have signed an engagement letter or similar, and most importantly they understand the facts of the case. Legal advice is case-specific, and giving general advice leads to wrong advice, which gets people in trouble.
[0] https://en.wikipedia.org/wiki/IANAL
https://en.wikipedia.org/wiki/Practice_of_law#Unauthorized_p...
4 years ago by SpicyLemonZest
The lawyers would have insisted on a disclaimer like that. The problem is that true legal advice as opposed to information or guidance - a judgment that suchandsuch solution fulfills your specific legal obligations in suchandsuch scenario - can't ethically be given by lawyers without personal consultation and can't legally be given by non-lawyers at all.
4 years ago by paulcole
> Is your service also not verified by lawyers
This is exceedingly common w/ service providers in the HIPAA compliance space. They want the benefit of sounding like an expert while washing their hands of any consequence if/when they have made a mistake.
4 years ago by faitswulff
Tangential, but since Signal doesn't store user data, does that make it HIPAA compliant by default?
4 years ago by zamadatix
I'd recommend reading through the guide (at least the first part) for a better understanding but in short no.
Signal without a Business Associate agreement to handle PHI would either be considered limited/incidental or as a conduit, and not on the hook for PHI data going through them incidentally; the risk would stay with the entities using it, not Signal itself (and certainly not absolved).
Secondly, it doesn't matter if data was only "in flight" when leaked and not stored. I.e. the availability of the protected information is what is regulated.
Thirdly, Signal DOES store user data for up to quite a long time as it proxies the delivery of messages, just in an encrypted form (a plus for meeting requirements, though) that it's not supposed to be able to read, and supposedly deletes it after it no longer needs to hold onto it.
Finally, if someone hacked the Signal servers and a bug in the encryption was found, or you forgot to check the conversation verification code and were being MITM'd, then it's still a violation anyways. That is, you're good until you aren't - the encryption only protects you while it worked, not because you tried (though if it is found you didn't have any encryption on some data, that in itself is a finable offense).
4 years ago by astura
Signal is not a "covered entity" under HIPAA[1], so they don't need to comply with HIPAA data privacy laws. HIPAA is not a generic medical privacy law, it basically only applies if insurance claims are involved. (The "I" in "HIPAA" stands for "insurance")
[1] https://www.cms.gov/Regulations-and-Guidance/Administrative-...
4 years ago by formalsystems
Adding to zamadatix's excellent points - it falls under the HIPAA Conduit Exception, which includes encrypted email and the US Postal Service, through which a healthcare provider can send PII with a reasonable expectation that the messages won't be intercepted in transit.
4 years ago by bearjaws
HIPAA is the lowest bar for healthcare now.
Most multi-hospital health systems won't even look at you without a SOC2 / HITRUST, combined with frequent security audits & pen tests.
4 years ago by jbluepolarbear
I used to work for a Medical Simulation company and they wanted to get into the Hospital data business for sepsis. I had to get HIPPA Certified before I could even get access to the databases of the "unidentifiable" information. Having the certification was more of a burden than useful. There's no such thing as unidentifiable hospital data. Instead of finding a connection to sepsis I found certain hospitals were ordering unneeded, or atypical, procedures which had resulted in a much lower fatality rate from sepsis. The project went nowhere and insurance companies weren't interested in saving lives.
4 years ago by z3ugma
There's also not such a thing as "HIPPA Certified" and anyway it's "HIPAA". Do you mean you got some sort of training in how HIPAA privacy and security rules apply to you?
4 years ago by jbluepolarbear
There is (was?); this was in 2014/15. I don't remember exactly what it was called. It was a HIPAA data security certification. I sat in a weekend class and got a cert that was required by the 3 hospital data companies we were working with in the Denver/Colorado Springs area.
4 years ago by paulcole
But who provided the cert? Was it the US government or was it some 3rd-party profiting off HIPAA-confusion?
4 years ago by fl0wenol
The hospital is well within their right to request a 3rd party certification as a proxy for their evaluating a potential business associate before exchanging information, since as a covered entity they can be held liable for something that happens to the information they divulge.
4 years ago by mikewarot
HIPAA is going to lead to a lot of deaths, but you'll never be able to prove it. If Doctors and Nurses aren't allowed to hear about patients after they transition to another floor, department, facility, how are they supposed to have the feedback required to improve the standards of care?
ER staff used to keep tabs on their patients with other staff, to see how they were doing, and now they aren't allowed to do so. It's the road to hell paved with good intentions.
4 years ago by cjcampbell
Citations would be helpful for such a claim. I work with HIPAA daily, and while I agree that it has a lot of problems, the one you identify here would be an issue of misguided hospital policy. The hospitals would be absolutely within their rights to allow care teams to follow up with patients as they transition.
Now I could easily imagine HIPAA being used as a scapegoat for a set of restrictive policies that are actually being driven by other incentives.
4 years ago by SkyPuncher
I worked with HIPAA and am married to a physician. What he claimed isn't possible is entirely possible.
You are allowed to follow patient. You are allowed to track outcomes.
If a patient isn't actually in your care, there are HIPAA-defined means for reviewing cases for quality control.
4 years ago by Spooky23
That has nothing at all to do with HIPAA. The standards of care in many hospitals are really awful, but incompetence isn't correlated with overly aggressive information policy.
4 years ago by claytongulick
HIPAA specifically states that provider to provider disclosure of PHI does not require patient consent.
4 years ago by mikewarot
I said at the outset it could never be proven. There will never be anything to cite, just a continuing trend towards mediocre medical practice in the USA.
I'm not a medical person, but have had family in that role. They couldn't comment on it, but I sure can.
Informal discussion of patients has been stopped. The feedback channels that allow for discovery of subtle problems and their solutions have been removed.
ER staff used to visit their patients, and keep in touch with them; this stopped with HIPAA. This is dehumanizing.
Imagine if developers weren't ever allowed to discuss bugs in their programs, unless they were actively working on the same bug? Think of how much that would kill productivity.
What if we weren't allowed to discuss any software or OS we currently don't have a license to use? That's about how strict HIPAA is when it comes to discussing patients, at least as implemented by Hospitals.
It is far far safer for them to shut all talk about patients down, in terms of patient satisfaction, lawyers, lawsuits and fines.
4 years ago by watertom
Unless you work in a hospital and experience the rules first hand, I suggest you remember what you were taught in kindergarten: don't repeat things you've been told because they might not be true.
I work in a hospital and I've never seen anything remotely like what you described. Our hospital has some of the most sophisticated monitoring systems available for inappropriate patient information access.
4 years ago by light_hue_1
You don't have experience with HIPAA, and what you're describing is not at all true.
> Informal discussion of patients has been stopped. The feedback channels that allow for discovery of subtle problems and their solutions have been removed.
No way. I work with hospitals, there are plenty of feedback channels and cases get discussed at length. HIPAA does nothing at all to stop any communication or data sharing that is beneficial for patient safety.
> ER staff used to visit their patients, and keep in touch with them; this stopped with HIPAA. This is dehumanizing.
This is not at all true.
> Imagine if developers weren't ever allowed to discuss bugs in their programs, unless they were actively working on the same bug? Think of how much that would kill productivity.
Hospitals literally do these kinds of debriefs all the time. HIPAA does nothing to stop them at all.
> It is far far safer for them to shut all talk about patients down, in terms of patient satisfaction, lawyers, lawsuits and fines.
You totally misunderstood HIPAA, what it regulates, and how it regulates. It in no way shuts down conversations about patients. I deal with HIPAA-protected data and compliance all the time, I have no idea where you got this impression, but it was not from a doctor.
4 years ago by claytongulick
The issue you raise is the opposite of what the day to day concerns are.
Clinical systems, in general, are much too permissive and allow too much access to too many people.
There's absolutely nothing in HIPAA that prevents coordination of care or cross functional team communication.
HIPAA is actually a very well written law, and very reasonable.
It says things like, you can't use an EHR to mine patient data for marketing purposes.
You have to take privacy seriously and build safeguards.
You have to document that you did that.
You have to do risk analysis, and document breaches, and follow notification protocols.
I'm a former HITRUST auditor, and CTO of healthcare company. I've been deeply involved with this law for many years, and to date, I haven't found any part of it that I disagree with.
4 years ago by disillusioned
Man, I'm glad others are dragging you here, but HIPAA, pay attention here, SPECIFICALLY CARVES OUT INFORMATION SHARING IN THE CLINICAL ENVIRONMENT BY PRACTITIONERS.
It SPECIFICALLY calls out that practitioners are allowed to describe in detail the medically relevant information of their patient to other people in the course of providing healthcare. This is NOT what HIPAA prevents, and to say otherwise is to completely misunderstand both its stated intent AND how it's practically implemented in the field.
If you are a boarder patient (in a gurney in the hallway because there are no rooms available), a nurse or doctor IS ALLOWED to ask you questions, document your answers, and discuss your case in said hallway.
Informal discussions still happen ALL THE TIME, but practitioners use a room number rather than a patient's name, and because that information isn't personally identifiable, it's HIPAA compliant.
ER staff... still visit their patients. What on earth are you even talking about? Doctors and nurses round, they chart, they discuss and plan with one another. They communicate freely.
While there have absolutely been rare cases where information hasn't been shared as timely as it should have been (when, say, a requesting facility was foreign to another facility, and so data sharing was limited, wrongly, in the name of HIPAA), the positives of the law, which STOP a facility from just publishing your health data, or more importantly, prevent your health insurance company from broadcasting your data or selling it or using it for marketing purposes, is positive.
Patients should be able to receive quality healthcare without concern that their personal health history will be made public. HIPAA prevents the sharing of a patient's diagnosis or medical data without that patient's permission, which is how it should be.
But in terms of clinical outcomes, the hospitals still work. The nursing staff still works. And everyone knows damn sure they shouldn't be discussing a patient's name outside of work, or posting a case on the 'gram.
4 years ago by SkyPuncher
This comment demonstrates a lack of understanding of HIPAA.
All of what you described is allowed under HIPAA. It happens every day.
4 years ago by mikewarot
This thread represents a failure to communicate, please allow me to restate and clarify.
I followed up with my unnamed family who are in the medical world, to see if I was wrong (as the comments here so loudly proclaimed). I was told that I was generally correct and they shared my concern.
It appears I didn't express myself clearly enough, and other people weren't charitable enough in their reading of what I said to allow the benefit of the doubt.
I'll restate things, now that I've seen a day worth of feedback, as I'm interested in the truth, and not being right, I hope you'll allow this.
My observation is that the behavior of my family members has changed because of HIPAA.
Long-term follow-up of former patients seems to have been completely shut down by HIPAA and the way the medical industrial complex interpreted it.
Informal learning of interesting cases (corner cases) seems to be another victim of HIPAA.
As a patient, I value privacy. I am concerned that the proverbial pendulum has swung too far, and we are cutting off a valuable (out of band signaling) mechanism for improving the practice of medicine.
Did I explain it better this time? What could I have stated differently, or more explicitly?
Thank you all for your time and attention.
4 years ago by primitivesuave
This is a very misinformed comment. I suggest you talk to pretty much anyone who works in healthcare before fabricating rhetoric about how the system works.