Comment by jph

Comment by jph 9 days ago

> Whenever you touch this kind of data, regulatory regimes like HIPAA apply,

My understanding is you're an actual attorney, yes?

Can you shed any light on this area...? My understanding is HIPAA and similar laws aren't applied as a result of a user disclosing their own information for their own purposes. For example, you can freely put your own personal medical information into Google Docs, Apple Notes, Facebook post, X tweet, Excel spreadsheet, etc.

I ask because Kate's App is similar in ways to my app BoldContacts, which helps people care for their parents and disabled loved ones. I strongly believe that these kinds of apps need some kinds of privacy protections that are lighter-weight than HIPAA. I haven't yet found a perfect answer.

https://boldcontacts.org

otterley 9 days ago

I can't provide legal advice here; sorry. But I will say that there is a pretty big difference between hosting arbitrary customer-provided data where the customer can enter either kitchen recipes or medical data at their choosing, and stating that your service is intended to store PHI and attracting such information as a result.

colechristensen 9 days ago

I'm not a lawyer so I can give a little bit of legal advice, but... yeah get a lawyer.

Anybody who is a healthcare provider, anybody who gets paid to do anything that smells even a little bit like health care shouldn't touch this with a ten foot pole. They shouldn't look at it or touch it or think about it very intensely.

If you don't want to be in violation, don't receive medical information, don't store it, don't advertise that you handle it in any way.

Good advice:

- don't do anything at all that suggests that you will handle anything that even slightly hints it is storing, transmitting, or in any way touching healthcare information without being HIPAA compliant.

- especially don't do this as a side project, have a corporate structure with a very solid liability shield and don't do anything to pierce the veil

- do you want to avoid a 5-, 6-, or 7-digit liability? Do everything you can to appear to be trying in good faith to follow the law and comply with regulations. Do things. Keep records of doing those things.

- even if you're _not_ required to, look up and follow the regulations, better yet, actually be HIPAA compliant even if it's not required. Many of these things you should be doing anyway even in very different fields.

- for God's sake get a lawyer and don't ask for advice on the Internet. Pay for the time for someone to sign off on what you do and whether or not you're inside the law.

bhpreece 8 days ago

I like boldcontacts. It wouldn't have been useful for my daughter, but it would have been useful for my grandmother.

baobun 7 days ago

> I strongly believe that these kinds of apps need some kinds of privacy protections that are lighter-weight than HIPAA. I haven't yet found a perfect answer.

Let the data stay client side. Facilitate secure client-to-client communication instead of relying on the gravity well of cloud servers.

It becomes a lot more light-weight, and if done right the rules and red-tape do too as you reduce your presence in the regulatory scope by verifiably preventing access to user data by yourself (and service providers, their partners, hackers, and three-letter agencies).