rabidonrails 8 days ago

I think the fear-mongering here has spiraled out of control. This app seems to be a place that patients (and their caregivers, read: family) can upload and share data amongst themselves.

While you might not fall directly under HIPAA laws (as I don't think you're a covered entity nor a Business Associate), you definitely are aware that you will have PHI and thus you have to protect it - especially if you're saying that it's "Private" and "Secure."

I'd focus on making sure that all data is encrypted in transit and at rest and that all systems on your side are locked down. You and anybody that might have access to your database shouldn't have free access to this data. I'd read through some of the HIPAA guidelines, especially from the business associate side, and conform to those.

Don't be scared by everyone here. Read up on the HIPAA guidelines, check out HITRUST, never take your eye off security. Keep getting better.

If you're worried, you can always consult a lawyer or even an auditor for some advice (I'm neither).

Bjartr 8 days ago | parent [-]

I don't read others' warnings as fear mongering. Rather, they are genuinely offering concrete steps to be taken to avoid problems that frequently arise in this domain.

"Go talk to a lawyer" is not an attempt to scare or some impossible abstract advice. It's a very concrete, and very reasonable step that really ought to be taken early on in this effort.

Maybe everyone here is off base. How might the app developer determine this? By talking to a lawyer.

rabidonrails 7 days ago | parent [-]

Maybe fear mongering is overstating but...

Speaking to a lawyer is not the first step when building something in this domain (unless you already have someone bankrolling you).

In this case there's an app that this guy built for families to use. It's obviously in its infancy. The helpful advice here would be about posting that this is in beta or maybe reading the HIPAA guidelines and ensuring that he's adhering to those guidelines where applicable. Focus on tightening up security. What's his plan to ensure that data is encrypted in transit and at rest? What kind of monitoring will the app have? Does he need to be thinking about intrusion detection? Will he need to enforce 2FA?

Does he need to stop everything and start speaking to lawyers? Probably not.

Bjartr 7 days ago | parent [-]

Talking to a lawyer is not "stopping everything", it's an hour or two of time and maybe a couple hundred dollars. Not nothing, sure, but not something that should be an obstacle for most here.

rabidonrails 4 days ago | parent [-]

At the end of the day I don't think we're arguing here and I'm not saying that the OP _shouldn't_ speak to a lawyer but here are a few choice comments from this post that I'll use to prove my point:

First - the TOP comment in this post: >> "I would advise you to temporarily close your site and hire a lawyer straight away."

And other top level comments: >> You should asap bring the app down, contact all users, send them their info, delete them from your servers, notifying them of that and get a lawyer specialising in health related law.

>> If you can’t answer that question you really need to listen to the people telling you to take it down until you can work it out.

>> Speaking as someone who works in IT in healthcare - you need to close your site down immediately, do not pass Go, etc., and hire a lawyer.