undefined | Better HN

0 pointsnewsopt7y ago0 comments

>"But HIPAA" has never, in my experience, been employed except by people who find the idea of doing the right thing inconvenient or inconveniently expensive. (It is virtually never that hard and its benefits are clear.)

Thank you for directly attacking my character without even addressing my actual argument.

I'm not arguing against HIPAA, I'm arguing against such regulations in spaces that don't require that kind of sensitivity. I think that medical data absolutely requires the protections it has. But it absolutely has had the unintended consequence of making current medical data more insecure and stifling innovation in the space. Most doctors don't even follow HIPAA compliance sending patient medical records over email.

I would estimate that 40% of doctors today are not compliant with HIPAA, sending X-rays and other similar patient information over email with providers that they haven't signed BAAs with.

>There are reasons for not modernizing tech stacks in the medical space. HIPAA is, in every case I've ever observed, not a meaningful one.

Then please enlighten us. Up until a few years ago (maybe even just a year) you couldn't use AWS to host medical data. Today you can't use Google Cloud to host medical data unless you are a large enough business to be able to get into contact with one of their sales reps. Can you even sign a business associate agreement with digital ocean? So up until a year ago you could not even have a small healthcare startup hosted on the cloud. Please explain to me how this hasn't stifled medical software innovation.

If it isn't HIPAA it's some other outdated regulation.

https://slate.com/technology/2018/06/why-doctors-offices-sti...

0 comments

eropple7y ago

> Thank you for directly attacking my character without even addressing my actual argument.

"But it's hard, for no actual reason I will define" is not a meaningful argument. So--when one hears hoofbeats, think horses, not zebras.

> I would estimate that 40% of doctors today are not compliant with HIPAA, sending X-rays and other similar patient information over email with providers that they haven't signed BAAs with.

Probably true! But that's their own damned fault. Medical has Artesys and similar, dental has Apteryx and similar. This problem is largely solved but for hands-on unwillingness to use them.

Those providers should be nailed to the wall, the wall should not be torn down for them.

> Up until a few years ago (maybe even just a year) you couldn't use AWS to host medical data.

AWS has been signing BAAs since at least...2013? I believe the first time I looked into it was 2014. But, regardless--if your innovation was so tremendously stifled by this, I'm not particularly sympathetic. I've been running my own services and writing them too for at least a decade and you can do thou likewise, I promise. I am, however, saying that today it's very easy to do so 'cause Amazon is all-too-happy to sign one.

Also, I haven't had to use GCP for HIPAA-covered entities--found their BAA pretty easily though!--but even assuming you're correct the idea that you have to, hiss, talk to somebody before getting them to take some legal responsibility for your held PHI, I don't find that to be a particularly nasty requirement. I still find it odd that AWS will just let you sign right through with AWS Artifact.

Azure's all-too-happy to sign one, too. Not that I'd recommend it.

j / k navigate · click thread line to collapse