

HIPAA’s New Rules Reach Far Beyond Healthcare Providers - sfvaronis
http://blog.varonis.com/hipaas-new-rules-reach-far-beyond-healthcare-providers-are-you-impacted/
...but a new class of consultants and subcontractors who perform work on behalf of the business associates also have HIPAA obligations.
======
specialist
This rule clarification is good in that it acknowledges the participation of
third parties. Yay!

But it doesn't change the fact that HIPAA is just kabuki (for show).

I worked on some of the first RHIOs (regional health information exchanges) on
the market. We all had yearly HIPAA training. All platitudes and very little
actionable advice. As devs, we all had full access to millions of patients.

Accidental disclosure is inevitable. So many participants, so many systems,
the weakest link and all that. We all figured it was a matter of time before
something bad happened.

I care about privacy. A lot. I researched what's what, legal and technical.
Because I want to do a good job. And I have skin in the game (my own medical
history).

The month I started on the electronic medical records project, a local
hospital had just settled for allowing 100,000s of complete patient records
leak. (A stolen laptop.) So I contacted the lawyers on both sides. Verdict?
Try harder next time.

Pretty much nothing has changed (improved) since. Except the disclosure
requirements, I guess.

This is a long topic, so I'll just skip to the conclusion:

We will not, cannot protect patient privacy until we assign a universal unique
identifier for every single person. This means something akin to RealID.

To protect patient privacy, we need to encrypt the data. But that's not
feasible without globally unique identifiers. Because patient demographic data
is dirty and a mismatched record can be fatal. So you have matching algorithms
that have to look at the original plaintext. And the heuristics are wrong
enough that the process requires human oversight.

If we (the USA) had unique identifiers, then we could transition to
translucent database designs. That'd be very cool.

[http://www.amazon.com/Translucent-Databases-Peter-Wayner/dp/...](http://www.amazon.com/Translucent-Databases-Peter-Wayner/dp/0967584418)

About once a year, I go to a "future of healthcare IT" event. I desperately
want to hear that patient privacy is being addressed. Hope springs eternal.
Mostly, no one knows what I'm talking about. Until you've worked on the
systems and tried to actually implement privacy safeguards, people just don't
grok the problem domain, and continue to believe it's a trivially solvable
problem.
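
The trade-off specialist describes (fuzzy demographic matching needs plaintext, while a stable unique identifier would let the store key records by a one-way keyed token in the translucent style) can be shown in a few lines. The following is an added example written for this thread, not code from the commenter or from Wayner's book; the patient records, the `UID-...` identifiers and the pepper are all constructed for the demo.

```python
import hashlib
import hmac
import re
import unicodedata

# Constructed sample records: two entries for the same person, one with a typo
# and stray whitespace, plus one unrelated person. Not real patient data.
RECORDS = [
    {"uid": "UID-0001", "name": "John Smith", "dob": "1970-01-01"},
    {"uid": "UID-0001", "name": "Jon  Smith", "dob": "1970-01-01"},
    {"uid": "UID-0002", "name": "Jane Doe", "dob": "1985-06-15"},
]

# Assumed secret held by the matching service and kept out of the data store.
PEPPER = b"constructed-demo-pepper-not-for-production"


def normalize(text: str) -> str:
    """Plaintext clean-up the demographic matcher relies on (case, accents, spacing)."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"\s+", " ", ascii_text.strip().lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used as the fuzzy-name heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_plaintext(r1: dict, r2: dict, max_edits: int = 1) -> bool:
    """Heuristic match on plaintext demographics: same DOB, names within max_edits."""
    if r1["dob"] != r2["dob"]:
        return False
    return edit_distance(normalize(r1["name"]), normalize(r2["name"])) <= max_edits


def translucent_token(value: str) -> str:
    """One-way keyed transform; the store keeps this token, never the plaintext."""
    return hmac.new(PEPPER, value.encode(), hashlib.sha256).hexdigest()


def demographic_key(r: dict) -> str:
    return f"{normalize(r['name'])}|{r['dob']}"


def match_translucent_demographics(r1: dict, r2: dict) -> bool:
    """Matching on tokens of demographics: any residual typo breaks the match,
    because a keyed hash offers no notion of 'close enough'."""
    return translucent_token(demographic_key(r1)) == translucent_token(demographic_key(r2))


def match_translucent_uid(r1: dict, r2: dict) -> bool:
    """With a stable unique identifier, exact token equality is enough."""
    return translucent_token(r1["uid"]) == translucent_token(r2["uid"])


def build_translucent_index(records: list) -> dict:
    """Index keyed by HMAC(uid) -> record positions. Holds no plaintext identifier,
    so a copy of the index alone does not reveal who is in it."""
    index: dict = {}
    for pos, r in enumerate(records):
        index.setdefault(translucent_token(r["uid"]), []).append(pos)
    return index


def lookup(index: dict, uid: str) -> list:
    """Only a party that knows the plaintext uid (and the pepper) can find the rows."""
    return index.get(translucent_token(uid), [])


if __name__ == "__main__":
    idx = build_translucent_index(RECORDS)
    print("plaintext fuzzy match:", match_plaintext(RECORDS[0], RECORDS[1]))
    print("token match on demographics:", match_translucent_demographics(RECORDS[0], RECORDS[1]))
    print("token match on uid:", match_translucent_uid(RECORDS[0], RECORDS[1]))
    print("rows for UID-0001:", lookup(idx, "UID-0001"))
```

The plaintext matcher links the two "Smith" rows despite the typo; the same two rows fail to match once the demographics are reduced to keyed tokens, which is exactly why a store that never sees plaintext demographics needs a stable identifier to key on. The index itself contains only HMAC outputs and positions, so it can be replicated or backed up without carrying the identifier list in the clear; the pepper and the plaintext uid stay with the party doing the lookup.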

~~~
newman314
There is no dependency of having unique identifiers in order to be able to
encrypt data.

A patient could have multiple identifiers that are only known to him/her.

Think a model like 1Password.

~~~
specialist
Not for encryption, for data interchange.

------
dylanz
It would have been better to link to the actual article, which contains the
actual changes:
[http://www.lexology.com/library/detail.aspx?g=40defc09-2337-...](http://www.lexology.com/library/detail.aspx?g=40defc09-2337-435e-be56-2bef662a67e7)

This blog post seems like spam.

~~~
GFischer
The original article is very dense... as someone who's marginally interested
in HIPAA (as in, does it affect my future app), the blog summary helped me
determine the new reach.

Surely a better post can be made, with a more comprehensive summary, but the
current blog post is not without value.

------
darkspaten
Although not expressly in the linked content, I believe the change apropos
beyond healthcare providers is the change for cloud providers (SaaS, storage,
etc.) Now, companies which store Protected Health Information (PHI) in the
cloud are considered business associates of the healthcare provider. In turn,
the companies are now regulated entities & will be required to meet the
security & privacy standards of patient data. No longer is a storage provider
considered an unassociated 'conduit.' This is a significant change for
healthcare providers and all their (remote) technology partners. Ideally, this
will create the regulatory impetus sufficient to prevent your healthcare
providers from transitioning over to relatively insecure services such as
Gmail for sensitive patient data.

------
dsgibson2
Seems absurd that if everything is digital now, we still have to fill out
paper forms every time we visit a new doctor’s office, and it's difficult to
get a digital copy of results. Inconsistent protection without much added
convenience.

~~~
rsobers
I have a similar feeling towards financial institutions. When you apply for a
mortgage, you have to send your entire financial history, by mail (or perhaps
worse, by _email_), to an underwriter. There's no indication as to what
happens to all that sensitive stuff afterwards. It's a complete black box.

I think there's a huge opportunity for some sort of app that gives the
customer/patient visibility of their data during its entire lifecycle and
gives them controls to revoke access, delete data, etc. (Kinda like I can
revoke an OAuth token.)

~~~
jtheory
That's what we're doing at PatientsKnowBest.com -- patient-centered medical
records where the patient can decide who can see their records, and revoke
access if they want. No one can revoke the patient's access.

Putting the patient at the helm has a few wonderful effects -- among them: all
of the red tape around transferring patient medical records from one
doctor/institution to another pretty much disappears. They're all about making
sure the patient's private data doesn't go to someone the patient wouldn't
want to see it. The only reason they need all of those laws is because the
patient isn't even in the loop, normally.

We have the core webapp UI; we also have a REST/JSON API for letting apps (and
third parties) work with the patient's data (if given permission, of course).

It's a really interesting space to be in. (I'm sure reading the above raises
lots of "but what about when" questions; we have answers ...mostly!)

Edit: I should have said: that's what we're doing w/ medical records (not with
financial data)

~~~
eric-hu
You guys are providing a service I'm interested in. I checked out your website
and, as an interested (American) patient, I could be further convinced if a
couple of questions were answered:

1. Which doctors and insurance plans does PatientsKnowBest work with?

2. Where is my data stored? What happens if I decide to stop using PKB?

I should add that I didn't want to spend the time to watch the 20 second
videos, but perhaps I'm not the kind of customer you're trying to capture at
the moment.

------
allsystemsgo
IT auditor here. This article does not tell me what I need to know. :-(

------
ScottWhigham
Blog spam - no "meat" here

~~~
rsobers
If you're even peripherally related to IT security, this is a pretty big deal.
HIPAA and HITECH have an enormous impact on how businesses work. With the
expansion of the security rule, some SaaS startups are going to have to _at
least_ pay attention, because they might be on the hook now.

~~~
adrianm
You're definitely correct.

However, I think the parent was commenting about the quality of this specific
article, not on the meritless basis of a discussion about HIPAA.

This post doesn't do a very good job at all at explaining what's going on. I'm
still not entirely sure what the new rules actually are after reading it.

~~~
rsobers
Ah, I see your point. I think the article was trying to distill the changes
down to one key fact: the security rule now applies to anyone who interacts
with health care organizations, even if you're a few degrees removed as a
contractor.

