HackerTrans
TopNewTrendsCommentsPastAskShowJobs

chasb

no profile record

Submissions

HIPAA 101 for Software Development Teams

aptible.com
251 points·by chasb·10 ปีที่แล้ว·36 comments

comments

chasb
·10 ปีที่แล้ว·discuss
Focusing on the data help clarify this. This is a negligently simple explanation, but: HIPAA regulates identifiable patient data that touches a US-regulated insurance transaction somewhere in its lifecycle.

If you're in the US, but working with only international healthcare providers and international patients, HIPAA is less likely to apply. You may have other privacy laws and regulations to deal with, however, especially in Europe.
chasb
·10 ปีที่แล้ว·discuss
1. Training

2. Training

3. Training

4. Anti-virus. We use Sophos, but anything that updates itself and stays out of the way is fine to start out.
chasb
·10 ปีที่แล้ว·discuss
Exactly, there is no official registration or certification for HIPAA. It's more that HHS will take an interest if you come to their attention and appear to be creating/receiving/transmitting/maintaining regulated patient data.

There are a few ways to come to HHS's formal attention:

1) A complaint; 2) Via another enforcement action, usually against one of your business partners; or 3) An audit

Phase 2 of the HIPAA audit program is starting this year. The first step is a questionnaire that asks you to confirm if you are a business associate. HHS is also asking that each entity they contact provide a list of their business associates.

All of the above is true even if you are based internationally. Most of the Phase 2 audits are desk audits, meaning HHS will ask auditees to submit documents and other data. I'm not sure how an onsite audit would work for an international entity.
chasb
·10 ปีที่แล้ว·discuss
We have several non-US customers. What do you mean by "channels you need to go through"?

Generally, if you can meet the requirements, you can handle patient data for US customers. HIPAA doesn't have any sovereignty requirements (geographic restrictions on where the data are stored/transmitted), although it's fairly common to see them introduced in contracts or BAAs.