Comment by rabidonrails
8 days ago
Maybe fear mongering is overstating but...
Speaking to a lawyer is not the first step when building something in this domain (unless you already have someone bankrolling you).
In this case there's an app that this guy built for families to use. It's obviously in it's infancy. The helpful advice here would be about posting that this is in beta or maybe reading the HIPAA guidelines and ensuring that he's adhering to those guidelines where applicable. Focus on tightening up security. What's his plan to ensure that data in encrypted in transit and at rest? What kind of monitoring will the app have? Does he need to be thinking about intrusion detection? Will he need to enforce 2FA?
Does he need to stop everything and start speaking to lawyers? Probably not.
Talking to a lawyer is not "stopping everything", it's an hour or two of time and maybe a couple hundred dollars. Not nothing, sure, but not something that should be an obstacle for most here.
At the end of the day I don't think we're arguing here and I'm not saying that the OP _shouldn't_ speak to a lawyer but here are a few choice comments from this post that I'll use to prove my point:
First - the TOP comment in this post: >>" I would advise you to temporarily close your site and hire a lawyer straight away."
And other top level comments: >> You should asap bring the app down, contact all users, send them their info, delete them from your servers, notifying them of that and get a lawyer specialising in health related law.
>>If you can’t answer that question you really need to listen to the people telling you to take it down until you can work it out.
>>Speaking as someone who works in IT in healthcare - you need to close your site down immediately, do not pass Go, etc., and hire a lawyer.