undefined | Better HN

0 pointsth3o6a1d11y ago0 comments

As a med student and someone interested in health tech startups, I wanted to ask how you can say you don't store Protected Health Information. Does this mean that you store no identifiers at all? As part of HIPAA compliance training at my school, we are taught that even acknowledging that a person is a patient in a hospital over the phone is a violation of their privacy. I wonder if the same can be said about an app -- just the fact that a person has downloaded and used it is quite revealing. Just curious, because I've spent a lot of time reading about how to set up a HIPAA compliant service.

0 comments

2 comments · 1 top-level

beermann11y ago· 1 in thread

Unfortunately there isn't a lot of guidance here. We store your email address, which doesn't have to be an identifier as it can be anonymous, but we have to have a way to communicate with you. And we do ask for a name, but you can put whatever you want.

As mentioned in another comment, PHI is defined as something that originates from a healthcare provider. Some of the restrictions for what we can say the app does actually come from the FDA. We don't say that we treat specific anxiety disorders (we call it "stress and anxiety"), and we don't ask our users for that type of information. But it really is a bit of a grey area. It's something that we're acutely aware of though and are trying to follow all the guidelines we can find.

fluidcruft11y ago

I agree completely with the medical student's concerns. In particular your app asks for information the way a counselor would. See for example this "Record your thoughts..." image from Google Play https://imgur.com/C5C3A5j. I think there is a very big difference between for example a paper self-help workbook that someone keeps in their own possessions or mental exercises that produce no records and making voice recordings in a networked app that accesses a centralized database stored in the cloud.

Emails are often trivially linked to identity. It doesn't matter that someone could have generated an "anonymous" email address (I've very skeptical that user-provided email addresses would pass muster as de-identified identifiers), if you can use that email to communicate with the person, it's definitely linked to their identity. If they link the email address to their identity elsewhere, the burden is still on you, not the user. You cannot demand that users protect the email address they use to sign up for your service the same way they would protect a social security or medical record number. That's ridiculous.

You should look into obtaining HIPAA/HITECH compliance training perhaps as an unaffiliated learner on https://www.citiprogram.org/ to understand why those of us that work in health care are expressing concern.

j / k navigate · click thread line to collapse

0 comments

2 comments · 1 top-level

beermann11y ago· 1 in thread

fluidcruft11y ago

j / k navigate · click thread line to collapse