
Open-source HIPAA compliance company policies - ryanSrich
http://catalyzeio.github.io/policies
======
Titanous
This is a great idea, but the "non-commercial" clause of the Creative Commons
license makes the documents pretty useless as the only real use would be in a
commercial context.

~~~
markolschesky
Mark from Catalyze. We picked non-commercial as the CC license type simply so
that people wouldn't modify and then resell the documentation itself. From my
understanding, the license allows users to use our docs for their company
policies, but they cannot resell the content itself. That would be against the
spirit of what we are trying to accomplish with releasing the documentation.
If you think that the license is prohibiting this, let me know. We want to
make sure that we strike a happy medium of usage/keeping the policies "free".

EDIT: Yeah, it seems like there are some far reaching not-understood legal
implications of the "NC" license. Ok, we're going to re-commit and re-issue
these with the BY-SA. Should be up in a few minutes.

~~~
brechmos
I too would love to be able to use the verbiage as a base for my extremely
small (me) company that does deal with some PHI. I have no desire to sell your
documents but in reading through the license it does appear that I can't use
it. Any chance that you could re-license it so that I/we can use it within a
commercial (small!?) venture?? :-) Please? I am happy to attribute or not
attribute Catalyze. Either way, thanks for releasing these.

~~~
markolschesky
We're going to re-license and release these with CC BY-SA 4.0. Just updated
the github repo. Let us know if you need any help!

~~~
dublinben
You might want to update your language that forbids commercial use.

~~~
markolschesky
Just did. Thank you!

------
Kadrith
[http://hipaacow.org/](http://hipaacow.org/) is another good resource for
anyone in this field. In the top nav select Resources, Documents and then the
subgroup you want information for. Right now the site has Privacy & Security,
EDI and Risk Toolkit.

Disclaimer: I am involved with HIPAA-COW on the Security, Risk and soon the
Technical Security working groups; we release a lot of information to help
people.

------
wwarren
Nice, now we need one of these for CJIS! For those not in the know, the
Criminal Justice Information Systems guidelines are HIPAA for law enforcement.
See more here [http://www.fbi.gov/about-us/cjis/cjis-security-policy-resour...](http://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view)

------
dpatriarche
Thank you very much for posting these documents! This will save my small
medical tech startup a huge amount of time and pain.

------
kamikazi
If I'm allowed to override with a tangent: What's the best place to start
reading on HIPAA for non-Americans? We're starting up a healthcare services co
(applied YC this batch!!) where we might potentially have to be covered under
HIPAA. But there's also a possibility, depending on how we structure our
operations, that we can possibly avoid it altogether.

I can dive deep into the actual regulations later if we know we have to
comply. Right now I need to kinda figure out the lay of the land. Where other
services like Aptible or Catalyze fit in the ecosystem. Like {X} is the
problem, {Y} is the regulation set and {Z} is the way to comply/resolve it.

~~~
pragone
Well, there's always the option to go read it yourself:
[http://www.gpo.gov/fdsys/pkg/CRPT-104hrpt736/pdf/CRPT-104hrp...](http://www.gpo.gov/fdsys/pkg/CRPT-104hrpt736/pdf/CRPT-104hrpt736.pdf)

HIPAA is a very large, encompassing bill that provides numerous protections
for patients. In particular, it provides the necessary legal requirements
preventing healthcare providers from disclosing personally identifiable
information - typically, things like SSN, name + date of birth, name +
zipcode, etc. Anything that could possibly be used by someone to identify who
the patient is should not be disclosed. HIPAA also lists some technology
requirements, but if memory serves me correctly, it only goes so far as to say
"industry-standard practices". There are also numerous parts of HIPAA that
pertain to billing and insurance, but I don't do billing so I can't speak too
much on those.

Another bill to check out would be HITECH.

~~~
kamikazi
Well yes, I can go read the act, but at this early stage I don't have that much
time to spend on legalese without first understanding the contours. I'm
looking for simpler explanations, case studies, blog posts of individuals or
companies; some of which the rest of your comment provides. So thanks for
that.

Would you mind sharing your email (mine is in my profile) in case I wanna
bounce off a few Qns? I promise to keep it short. TIA.

~~~
jplewicke
I found this book helpful: The HIPAA Roadmap for Business Associates (
[http://www.amazon.com/gp/product/1484067010/ref=oh_aui_searc...](http://www.amazon.com/gp/product/1484067010/ref=oh_aui_search_detailpage?ie=UTF8&psc=1)
). It goes through some of the basics of HIPAA, what kinds of policies you
need to have and why, and includes some example policy templates similar to
the ones being graciously provided in this article.

------
nulagrithom
Thanks for this. We have a company under us that deals with HIPAA, and we've
been struggling to come up with policies (or even where to begin) as the
medical field is nowhere near our main focus.

------
tzm
Seriously, thanks for doing this.

------
lukedubber
This is great! I passed it along to our managers; I work in a community health
center.

------
evdevdev
This is awesome! Now, if there were one for NPI and the CFPB...

------
niels_olson
Thank you _so_ much!

