top | item 43349994


weezin | 11 months ago

HIPAA applies to patient data, not providers' data.

> I also saw what appeared to be medical documents uploaded to the app. These files were potentially uploaded as proof for why individual nurses missed shifts or took sick leave. These medical documents included medical reports containing information of diagnosis, prescriptions, or treatments that could potentially fall under the ambit of HIPAA regulations.

It looks like providers accidentally uploaded some PHI.

IANAL so I may be wrong, but I worked for a healthcare company. Whether HIPAA applies to them depends on whether they are considered a covered entity or a business associate [0].

IMO they aren't bound to HIPAA requirements as a covered entity.

Business associate status is a little tricky to determine. But business associates have to sign a BAA (Business Associate Agreement), and I doubt they would have signed one if they have that in their privacy policy.

Also, just as a side note, HIPAA is not an ideal standard to begin with for security. Many large companies exchange bulk PHI via Gmail since it is HIPAA compliant.

0: https://www.hhs.gov/hipaa/for-professionals/covered-entities...


hn_throwaway_99 | 11 months ago

> Also, just as a side note, HIPAA is not an ideal standard to begin with for security. Many large companies exchange bulk PHI via Gmail since it is HIPAA compliant.

You seem to imply that using Gmail is a bad thing? I think Gmail, when appropriately configured to handle PHI, is probably a million times more secure than some crappy bespoke "enterprise" app.

weezin | 11 months ago

It isn't that hard to set up a secure SFTP server to automate the exchange. But then again, this is a post about configuring an S3 bucket with public access for SSNs.

The issue with Gmail is sending to the wrong email address, sending to a broad email list, and having people download it to their local machines. And the amount of PHI being transmitted in these files is larger than this S3 bucket.
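Since the thread turns on an S3 bucket that exposed SSNs through public access, the following is an offline check for the three places a bucket becomes public: a bucket policy whose statement allows a wildcard principal with no Condition, an ACL grant to the AllUsers or AuthenticatedUsers groups, and a PublicAccessBlock configuration with any of its four flags left off. This is an added example, not code from the discussion or from the app it describes; the policy, ACL and PublicAccessBlock documents are constructed samples, and the function names are my own. It makes no AWS calls, so it runs as-is; in practice you would feed it the output of `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`.

```python
"""Flag the ways an S3 bucket can be public: policy, ACL, PublicAccessBlock.

Added example; the documents below are constructed samples, not real buckets.
"""
import json

# Group URIs that make an ACL grant world-readable (or readable by any AWS account).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def public_policy_statements(policy: dict) -> list:
    """Return (Sid, actions) for Allow statements open to everyone.

    A wildcard principal scoped by a Condition (e.g. aws:SourceVpce) is not
    flagged; a wildcard principal with no Condition at all is.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        findings.append((stmt.get("Sid", "<no Sid>"), actions))
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return (group, permission) for grants to the public ACL groups."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            grants.append((group, grant.get("Permission")))
    return grants


def public_access_block_gaps(config: dict) -> list:
    """Names of the PublicAccessBlock flags that are missing or not True."""
    return [flag for flag in PUBLIC_ACCESS_BLOCK_FLAGS if config.get(flag) is not True]


# Constructed sample documents (hypothetical bucket, account and VPC endpoint IDs).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": False,
    "RestrictPublicBuckets": False,
}

if __name__ == "__main__":
    print("open policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:     ", public_acl_grants(SAMPLE_ACL))
    print("PublicAccessBlock gaps:", public_access_block_gaps(SAMPLE_PUBLIC_ACCESS_BLOCK))
```

The Condition check is deliberate: a statement with `Principal: "*"` that is restricted to a VPC endpoint is the normal way to serve a private bucket to internal services, and flagging it would bury the real finding. Enabling all four PublicAccessBlock flags at the bucket (or account) level is the cheapest fix, because it overrides both the policy and the ACL paths.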