> I've listened in on various conversations around health products over the years. HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.
As someone who worked extensively on HIPAA covered data and systems, there are only three options here.
Option 1) Mandate no data protection. This is how you end up with hidden security dumpster fires like Equifax, when public companies are involved (cost of security vs profit).
Option 2) Strictly mandate how companies must behave to be compliant. Example: DoD (I believe?). Legal requirements always lag technical best practices.
Option 3) Generally mandate what compliance results in. Example: HIPAA. Results in lack of clarity and legal challenges.
Of these options, I'll take (3) every time.
If a startup isn't willing to make a best effort to comply (which is specifically worded into HIPAA and substantially reduces penalties), then I'd rather they not be able to touch my health data anyway...
HIPAA (and PCI compliance) has done little to prevent 1) in practice, especially when balanced against the huge costs it has on industry and the 'hidden' cost of crippled innovation.
You can't measure the true cost of hundreds of thousands of projects and startups that were never realized because HIPAA scared them away...and this is stuff that would have saved billions in healthcare costs, improved the public's health, and supported research/processes that could save lives.
Saying it's only a dynamic between "profit vs security" completely downplays the utility of technical progress in health care. This isn't just about quarterly profits of large mega-corporations.
As someone who started off working in the health space, I can assure you I personally gave up on multiple potential projects because of HIPAA. And I know of countless others who have had to, in spaces that seem "crazy" because no one has yet built software for them.
And I say this as a complete paranoid hawk on information security and privacy rights...
I hear you that it makes things more difficult, but I think it's hard to overstate how terrible & uninterested conservative revenue stream businesses (e.g. insurance, utilities) are at keeping up with IT trends.
Based on what I saw in a couple of the top 5 largest insurance companies, these are IT departments that would be storing personal data in databases open to every employee of the organization, were there not a law discouraging them doing so.
Why?
Because IT isn't their business. That perspective is changing (gradually), but the resistance to anything aside from business as usual is staggering.
Sure, but the other side of the equation is an unknowable number of thousands of lost lives and billions of dollars, because of medical advances that were never made.
There are other important values than privacy in the world!
As a consumer, my view is: if a potential idea is abandoned out of fear of HIPAA, then HIPAA is working and I am thankful that that idea went nowhere. Soon, s/HIPAA/GDPR
This. I am not a HIPAA expert or anything, but if a company is not making an effort to protect the data, they don't deserve to make money off of products touching that data.