Comment by Over2Chars
8 days ago
I am not sure that if you choose to freely share your medical information with people of your choice, it's protected or governed by HIPAA or protected PII, per se.
For example, I believe Brooke Shields told the world she had post-partum depression and was prescribed some anti-depressant and felt it helped her.
https://www.webmd.com/depression/postpartum-depression/featu...
That's "medical information" about "a prescription". She could have, instead, shuffled it into some rando app, and shared it with her family. I don't think any HIPAA laws were broken.
Of course, US laws https://www.hhs.gov/hipaa/for-professionals/faq/190/who-must...
The above doesn't describe anything about private parties. If this "Kate" is some rando app developer, they can do whatever they like. Anyone who is willing to trust a random developer with their information can do so afaict.
IANAL and YMMV etc.
As much as folks in the software world believe in complete software development freedom, you can't just build whatever you want and release it. Laws exist that regulate what you can release as much as folks might dislike it. Health apps are just one example.
The problem is that OP literally mentions "medical caregiver" as distinct from "families", which can be interpreted to mean someone that operates as a covered entity. That alone puts OP at risk of being sued and punished with a very large fine. All a user needs to do is put their data there and share the info with their care assistant who works for a health company. Once that happens, OP is breaking the law.
EDIT: Developer included this in a summary:
"Comments on HIPAA: I'm 99% sure this does not apply, since the site is for patients and their families, and no doctors, clinics, hospitals, or insurance companies are involved. All information comes from the family, and stays in the family."
Insofar as no providers or non-family use this, the developer may have a point: my comment's covered-entity reasoning can be disregarded.
---
> Anyone who is willing to trust a random developer with their information can do so afaict.
No, not "anyone" in a multi-party app when "someone" is regulated.
This reasoning (a patient can choose to disclose) doesn't apply here, as the app expects providers to share new info on an ongoing basis.
The providers are regulated, they have to keep records, and their sides of their tools have to be covered.
That said, even some U.S. national insurance companies bury a clause in their agreement where, to your point, the patient agrees to sort of declassify their info such that it's (the insurer company's theory goes) no longer considered HIPAA and the insurance company can go bananas with it (e.g., sell it to drug companies).
I had lawyers look into this on behalf of our firm benefits, and we challenged that clause. The national insurance company everyone has heard of instantly gave us a new employee insurance agreement without that clause, which suggests to me they knew it was dicey. (Imagine pinging Google and them dropping a clause from their TOS "just for you". That would only happen if they knew it didn't have legs.)
But, dicey or not, it suggests a path to try if you want to attempt this!
As I said, the description isn't clear about whether the regulated entity is a party to it, or is what is being shared in it (I think the clarification suggests I was right).
You, Brooke Shields, can share your information with your boyfriend, Tom Cruise, about who you see for your anti-depressants: the amount, name of the doctor, dosage. You can even use a random app developed by some Joe Dev installed through f-droid as an APK with data stored in North Korean data centers (does North Korea have data centers?). The world is yours.