Comment by netdevphoenix

8 days ago

This is a lovely idea. Very HN like in the good sense.

Sadly, it is also very HN like in the not so good sense. Unlike the software world, the real world is not ours to program as we see fit. In the real world, laws matter. And I am concerned that you haven't really read up on the consequences of doing an app like yours without any due diligence. You can't just use people's health data like that.

Anyone using this app could potentially sue you as you are likely breaking the law of the country you live in (I am going to guess it is an Anglo-Saxon country).

You should asap bring the app down, contact all users, send them their info, delete them from your servers, notify them of that, and get a lawyer specialising in health-related law. With their assistance, you can build an organisation to build the app. This should also limit your liability.

I am not sure that if you choose to freely share your medical information with people of your choice, it's protected or governed by HIPAA or protected PII, per se.

For example, I believe Brooke Shields told the world she had post-partum depression and was prescribed some anti-depressant and felt it helped her.

https://www.webmd.com/depression/postpartum-depression/featu...

That's "medical information" about "a prescription". She could have, instead, shuffled it into some rando app, and shared it with her family. I don't think any HIPAA laws were broken.

Of course, US laws https://www.hhs.gov/hipaa/for-professionals/faq/190/who-must...

The above doesn't describe anything about private parties. If this "Kate" is some rando app developer, they can do whatever they like. Anyone who is willing to trust a random developer with their information can do so afaict.

IANAL and YMMV etc.

  • As much as folks in the software world believe in complete software development freedom, you can't just build whatever you want and release it. Laws exist that regulate what you can release as much as folks might dislike it. Health apps are just one example.

    The problem is that OP literally mentions "medical caregiver" as distinct from "families", which can be interpreted to mean someone that operates as a covered entity. That alone puts OP under the risk of being sued and being punished with a very large fine. All a user needs to do is put their data there and share the info with their care assistant who works for a health company. Once that happens, OP is breaking the law.

  • EDIT: Developer included this in a summary:

    "Comments on HIPAA: I'm 99% sure this does not apply, since the site is for patients and their families, and no doctors, clinics, hospitals, or insurance companies are involved. All information comes from the family, and stays in the family."

    Insofar as no providers or non-family use this, developer may have a point: my comment's covered-entity reasoning can be disregarded.

    ---

    > Anyone who is willing to trust a random developer with their information can do so afaict.

    No, not "anyone" in a multi-party app when "someone" is regulated.

    This reasoning (a patient can choose to disclose) doesn't apply here, as the app expects providers to info-share new info, ongoing.

    The providers are regulated, they have to keep records, and their sides of their tools have to be covered.

    That said, even some U.S. national insurance companies bury a clause in their agreement where, to your point, the patient agrees to sort of declassify their info such that it's (the insurer company's theory goes) no longer considered HIPAA and the insurance company can go bananas with it (e.g., sell it to drug companies).

    I had lawyers look into this on behalf of our firm benefits, and we challenged that clause. The national insurance company everyone has heard of instantly gave us a new employee insurance agreement without that clause, which suggests to me they knew it was dicey. (Imagine pinging Google and them dropping a clause from their TOS "just for you". That would only happen if they knew it didn't have legs.)

    But, dicey or not, it suggests a path to try if you want to attempt this!

    • As I said, the description isn't clear about whether the regulated entity is a party to it, or is what is being shared in it (I think the clarification suggests I was right).

      You, Brooke Shields, can share your information with your boyfriend, Tom Cruise, about who you see for your anti-depressants: the amount, name of the doctor, dosage. You can even use a random app developed by some Joe Dev installed through f-droid as an APK with data stored in North Korean data centers (does North Korea have data centers?). The world is yours.