Comment by rabidonrails
8 days ago
I think the fear-mongering here has spiraled out of control. This app seems to be a place that patients (and their caregivers read:family) can upload and share data amongst themselves.
While you might not fall directly under HIPAA laws (as I don't think you a covered entity nor a Business Associate) you definitely are aware that you will have PHI and thus you have to protect it - especially if you're saying that it's "Private" and "Secure."
I'd focus on making sure that all data is encrypted in transit and at rest and that all systems on your side are locked down. You and anybody that might have access to your database shouldn't have free access this data. I'd read through some of the HIPAA guidelines especially from the business associate side and conform to those.
Don't be scared by everyone here. Read up on the HIPAA guidelines, check out HITRUST, never take your eye off security. Keep getting better.
If you're worried, you can always consult a lawyer or even an auditor for some advice (I'm neither).
I don't read others' warnings as fear mongering. Rather, they are genuinely offering concrete steps to be taken to avoid problems that frequently arise in this domain.
"Go talk to a lawyer" is not an attempt to scare or some impossible abstract advice. It's a very concrete, and very reasonable step that really ought to be taken early on in this effort.
Maybe everyone here is off base. How might the app developer determine this? By talking to a lawyer.
Maybe fear mongering is overstating but...
Speaking to a lawyer is not the first step when building something in this domain (unless you already have someone bankrolling you).
In this case there's an app that this guy built for families to use. It's obviously in it's infancy. The helpful advice here would be about posting that this is in beta or maybe reading the HIPAA guidelines and ensuring that he's adhering to those guidelines where applicable. Focus on tightening up security. What's his plan to ensure that data in encrypted in transit and at rest? What kind of monitoring will the app have? Does he need to be thinking about intrusion detection? Will he need to enforce 2FA?
Does he need to stop everything and start speaking to lawyers? Probably not.
Talking to a lawyer is not "stopping everything", it's an hour or two of time and maybe a couple hundred dollars. Not nothing, sure, but not something that should be an obstacle for most here.
1 reply →