Comment by otterley

Comment by otterley 9 days ago

38 replies

View on Hacker News

If you're dealing with personal health information (PHI), I would advise you to temporarily close your site and hire a lawyer straight away. Whenever you touch this kind of data, regulatory regimes like HIPAA may apply, and you need to be extremely careful. There's not a HIPAA compliance or even a privacy policy statement available on your front page.

See https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg... as a starting point. We might be able to recommend a lawyer to you if you tell us which state you're located in.

imglorp 8 days ago

This is a frustrating conversation.

It appears that anonymized data medical data are being sold en masse by providers (*) because money. But it's also obvious to us tech folk how trivial it is to combine anonymized patient encounters with location and credit card purchase data etc to de-anonymize it and resell as enriched.

So the only people who are effectively bound by HIPAA are the well-intentioned ones who have to protect themselves and and comply; the rest are laughing at them on the way to the bank.

* https://www.theverge.com/2021/6/23/22547397/medical-records-...

* https://www.scientificamerican.com/article/how-data-brokers-...

* https://www.medicaleconomics.com/view/who-profits-our-medica...

Reply View 3 replies
  • PittleyDunkin 8 days ago

    > the rest are laughing at them on the way to the bank.

    My understanding is that HIPAA is intended to stop providers from colluding against the patient, not to stop providers or middlemen from enriching themselves with our data.

    Reply View 1 reply
    • otterley 8 days ago

      And also to make PHI portable across providers.

      Reply View 0 replies
hiatus 8 days ago

To my knowledge, HIPAA applies only to entities that accept health insurance or provide services to those entities under a BAA. There have been FTC cases against companies disclosing PHI in breaches but they don't seem to be brought under any HIPAA violation but consumer protection statutes.

From your link:

> The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities")

Reply View 2 replies
  • parsimo2010 8 days ago

    HIPAA applies to covered entities, and this app may not be considered a covered entity (the closest they come is a clearinghouse and they probably do not fit the definition), but HIPAA has rules concerning how covered entities deal with business associates.

    Kate's App would almost certainly fall under the definition of a business associate, and no health care provider should be entering protected information into the app without entering into an official agreement that the data will be protected according to HIPAA rules.

    So technically Kate's App isn't doing anything illegal, but any health care provider entering info into this app would be. To fix the situation, Kate's App needs to certify that their app is compliant and provide an official agreement for providers. Otherwise healthcare providers should stay away, and this app would only be useful for friends and family members.

    (I am not a lawyer, but I have analyzed health care data and it's cumbersome to deal with, especially if you are transmitting over a network). https://www.hhs.gov/hipaa/for-professionals/covered-entities...

    Reply View 1 reply
    • hiatus 7 days ago

      > To fix the situation, Kate's App needs to certify that their app is compliant and provide an official agreement for providers. Otherwise healthcare providers should stay away, and this app would only be useful for friends and family members.

      The OP mentions this is for family members and specifically excludes medical providers from the intended audience.

      > This is not a clinic portal, and is not associated with any insurance or medical providers.

      It seems the target audience is multiple family members involved in coordinating a loved one's care.

      Reply View 0 replies
jph 9 days ago

> Whenever you touch this kind of data, regulatory regimes like HIPAA apply,

My understanding is you're an actual attorney, yes?

Can you shed any light on this area...? My understanding is HIPAA and similar laws aren't applied as a result of a user disclosing their own information for their own purposes. For example, you can freely put your own personal medical information into Google Docs, Apple Notes, Facebook post, X tweet, Excel spreadsheet, etc.

I ask because Kate's App is similar in ways to my app BoldContacts, which is helps people care for their parents and disabled loved ones. I strongly believe that these kinds of apps need some kinds of privacy protections that are lighter-weight than HIPAA. I haven't yet found a perfect answer.

https://boldcontacts.org

Reply View 4 replies
  • otterley 9 days ago

    I can't provide legal advice here; sorry. But I will say that there is a pretty big difference between hosting arbitrary customer-provided data where the customer can enter either kitchen recipes or medical data at their choosing, and stating that your service is intended to store PHI and attracting such information as a result.

    Reply View 0 replies
  • colechristensen 9 days ago

    I'm not a lawyer so I can give a little bit of legal advice, but... yeah get a lawyer.

    Anybody who is a healthcare provider, anybody who gets paid to do anything that smells even a little bit like health care shouldn't touch this with a ten foot pole. They shouldn't look at it or touch it or think about it very intensely.

    If you don't want to be in violation, don't receive medical information, don't store it, don't advertise that you handle it in any way.

    Good advice:

    - don't do anything at all that suggests that you will handle anything that even slightly hints it is storing, transmitting, or in any way touching healthcare information without being HIPAA compliant.

    - especially don't do this as a side project, have a corporate structure with a very solid liability shield and don't do anything to pierce the veil

    - do you want to avoid a 5,6, or 7 digit liability? Do everything you can to appear to be trying in good faith to follow the law and comply with regulations. Do things. Keep records of doing those things.

    - even if you're _not_ required to, look up and follow the regulations, better yet, actually be HIPAA compliant even if it's not required. Many of these things you should be doing anyway even in very different fields.

    - for God's sake get a lawyer and don't ask for advice on the Internet. Pay for the time for someone to sign off on what you do and whether or not you're inside the law

    Reply View 0 replies
  • bhpreece 8 days ago

    I like boldcontacts. It wouldn't have been useful for my daughter, but it would have been useful for my grandmother.

    Reply View 0 replies
  • baobun 7 days ago

    > I strongly believe that these kinds of apps need some kinds of privacy protections that are lighter-weight than HIPAA. I haven't yet found a perfect answer.

    Let the data stay client side. Facilitate secure client-to-client communication instead of relying on the gravity well of cloud servers.

    It becomes a lot more light-weight, and if done right the rules and red-tape do too as you reduce your presence in the regulatory scope by verifiably preventing access to user data by yourself (and service providers, their partners, hackers, and three-letter agencies).

    Reply View 0 replies
kamma4434 8 days ago

I woul advise that you get a lawyer for each and every jurisdiction you plan to offer your service in. It’s not that the EU is so happy with the collection of medical data.. and I guess similar but slightly different rules apply everywhere.

Reply View 0 replies
bhpreece 8 days ago

I would appreciate a recommendation. I'm in Minnesota.

Reply View 2 replies
  • brentjanderson 8 days ago

    IANAL either but if I were you, I’d start here: https://www.vanta.com/products/hipaa or look for competitors.

    And perhaps look at Stripe Atlas for getting my corporate ducks in a row to start with. https://stripe.com/atlas

    Wading into that to get oriented, you would then be better equipped to have at least a baseline. A corporate attorney would be the next step to verify what you’re doing.

    Minnestar.org hosts networking events that may be useful for finding people in the intersection of tech, healthcare, and law. Attend and get some face time to find people who may want to help. Lots of corporate centers in Minneapolis (assuming you’re in or near the twin cities), including healthcare. Depending on financial considerations, you may be able to find on ramps to grants, investors, or donors to fund compliance. Not sure on that though, but it’s possible.

    Good luck!

    Reply View 1 reply
jillesvangurp 8 days ago

This is good advice.

Beyond HIPAA and similar regulations, there's the broader challenge that part of the intended audience probably would not want to use it for the same reasons. Any health care professionals that handle information like this are subject to the same rules and would only use tools that comply to minimize liability.

And there's the related problem of those people probably already having a lot of tools that they use and prefer. Another tool adds to their work load.

But I don't want to completely discourage you. If you are serious about turning this into a business, I'd look into how to connect to other tools. Maybe add some IOT integrations to the mix, etc. Most GPs would love a good tool like that. Many of the tools in this space are more than a bit crap. The key to success is understanding who experiences the most pain here and taking that a way (which in this context is also a nice metaphor).

Some feedback:

- who or what is Kate? Not really clear what this name is about.

- what's the business model here? Who pays for what and why? How is that going to evolve.

- get a designer or level up your own design skills. I'm not one but I can see you didn't use one.

- work on your pitch, it raises a lot of questions. Like how you are storing information, what the pricing is, and how you deal with privacy issues, etc. Vaguely hinting at that being important in a hand wavy way doesn't make it better. Taking topics like that serious requires a more structured approach to address those things. This communicates the opposite of what you probably intend here.

Reply View 1 reply
  • salgernon 8 days ago

    > people probably already having a lot of tools that they use and prefer. Another tool adds to their work load.

    Further, a lot of providers are very strict about what tools their organization is allowed to use. In the past I’ve tried to get providers to look at a personal web page where I’d had a medical history and links to imaging data, and they weren’t allowed to access it via policy.

    (I then brought 10 disks of imaging on a thumb drive - but they wouldn’t take that either. So I re-burned them onto physical media, and they were ok with importing that.)

    I do understand why those policies are necessary, and in the end I learned their systems and limitations. It’s actually been an ok experience.

    Reply View 0 replies
roegerle 9 days ago

Are they a covered entity?

Reply View 16 replies
  • nkozyra 9 days ago

    While I agree that they probably aren't, their intended customer base is.

    And even so, nothing precludes people from pursuing civil damages if there's a data breach - this is far more likely with sensitive data coming from a medical provider to a third party.

    And as has been hinted at, the lack of professional presentation is going to hurt a lot, and people will immediately ask "can I trust this platform with any of my information?"

    Reply View 9 replies
    • netdevphoenix 8 days ago

      Probably not even a data breach. A user's friend/relative who is a lawyer or works in health care or know someone who does will see the app and inmediately begin proceedings for a lawsuit. Once it is under the eye of the state, OP will be in big legal trouble. Building apps is cool but any app that uses critical stuff like real world infrastructure or personal data needs careful treading

      Reply View 8 replies
      • skrebbel 8 days ago

        > A user's friend/relative who is a lawyer or works in health care or know someone who does will see the app and inmediately begin proceedings for a lawsuit

        Why? What's in it for them?

        I'm not saying this can't happen, I'm just not sure I understand why you think it's so likely to happen.

        Reply View 7 replies
  • fluidcruft 9 days ago

    > Kate's App is a tool created to support medical caregivers and the people they care for

    Seems like it is intended to be used by covered entities. But it does depend a bit on what "medical caregiver" is intended to mean.

    Reply View 0 replies
  • otterley 9 days ago

    That's not for any of us to determine here. A lawyer can answer that.

    Reply View 3 replies
    • maeil 9 days ago

      [flagged]

      Reply View 1 reply
      • rafram 9 days ago

        This is literally an app that asks for your confidential medical information. My not-a-lawyer interpretation of the law is that it probably is not covered by HIPAA (to be a "business associate" you need to have a direct financial relationship with a covered entity, i.e., a medical provider), but your snark is pretty reductionist.

        Reply View 0 replies
baobun 7 days ago

Then/or refactor out server-side storage. These concerns don't surface in the same way if you never touch the data.

It sounds like a useful app but only if it can be safe. Which I don't belive it can become with a classic web2.x startup approach.

Reply View 1 reply
  • [removed] 7 days ago
    [deleted]
    Reply View 0 replies