john_strinlai 2 days ago

>Why would anyone think that a non-HIPPA compliant app would keep medical information private to the level of security needed for medical data?

Because lots of people don't know what HIPPA is, and (naively to us more familiar with tech) assume that a medical-related app on a curated app store would be safe for medical-related stuff.

ceejayoz 2 days ago

> lots of people don't know what HIPPA is

Ironically, it's HIPAA.

You're right, though; it's much more limited than people think. During COVID people claimed everything violated HIPAA (masks, vaccine requirements, testing), but it only applies in a very narrow subset of patient/provider relationships.

FireBeyond 2 days ago

Very much so. Also ironically, as a healthcare provider (paramedic), HIPAA expressly allows me to get your healthcare information without your consent (as needed for your care). A lot of facilities have you sign paperwork to explicitly authorize sharing, but that's really just a CYA.

"Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization? Answer: Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization."

Source: https://www.hhs.gov/hipaa/for-professionals/faq/481/does-hip...

haldujai 2 days ago

The bigger gap is for healthcare and business operations, which is very broad and includes datasets for AI training as one example.

ceejayoz 2 days ago

That seems entirely unironic and reasonable, though?

FireBeyond 2 days ago

100% reasonable (and often necessary - pill shopping, psychiatric concerns, etc.). And not irony in the Act itself, more people's perception of its intent.

pseudalopex 2 days ago

It is not reasonable to disregard patients' consent so generally. Specific purposes could have specific exceptions.

FireBeyond 2 days ago

I think the key is in the course of treatment.

I agree that it's not and never should be a free-for-all with PHI just "because you can".

But if I, as an EMS provider, am treating someone for, say, an overdose, it is rather germane to my treatment of you that you have a history of suicidal ideation or attempts, even if you'd rather I wasn't able to gather that information from another provider's records (because you'd "rather not" be subject to a mandated hold/evaluation if it appears that your overdose was intentional).

I don't need to know, and don't care, if you're transitioning and I'm seeing you for a seizure, for example; it's not relevant. If you're unconscious and I need to see if I can see history, diagnoses, etc., as I'm determining the risk of an intervention to perform on you, then I may discover that detail, again, in the course of your treatment.

It's not a blanket "I don't care whether you consent or not, I'm pulling your records from the EHR. Sucks to be you."