
What does "HIPAA-eligible" mean?

EDIT:

I was very curious about this and did a bit of research. The answer to it is squishy. It seems to be mostly a marketing term. The best definition I found was this:

"A service that is HIPAA eligible is one that is capable of being configured in a way that could meet HIPAA compliance requirements, but you have to know how to do it, it doesn’t happen ‘out of the box.’"

https://www.cleardata.com/articles/hipaa-eligible-hipaa-comp...

So it sounds great but doesn't actually mean that much.




"HIPAA-eligible" means they have no idea what they're doing in healthcare.

The second you said that in a pitch to executive leadership, they'd realize you have no idea how to operate in healthcare.


What that really means is:

* they may be HIPAA-compliant (ie: they fulfill the requirements),
* they haven't gone through a HIPAA certification (no third-party cert),
* they aren't using services that aren't HIPAA-certifiable

The latter point is important, because there are some services (ie: Firebase) that apparently won't be HIPAA compliant. Some services are HIPAA-compliant if configured correctly. AWS has a list. I believe Google does too.

There are a bunch of HIPAA guides out there.

So as a demo, it's not a big deal. But if they start selling this they need at least to be HIPAA-compliant with certification on the roadmap.


HIPAA is a self-certification. You can claim compliance simply by following the rules. Therefore, you're either HIPAA compliant or you're not. I have never heard anyone describe it as being HIPAA-eligible.

HITRUST is a third party audit with higher standards than HIPAA. That is not a self-attestation.

I’ve spent a bunch of time in this space. Most of the major players offer HIPAA compliant services and sign BAAs. As of now, I don’t believe OpenAI offers a BAA, so this is dead in the water.


Well, HIPAA can be self-certified, but that probably won't stand up in court so most organizations will pay a third-party provider to perform the certification for them. That also lets you see the gaps, because HIPAA is big.

Here's AWS's list of HIPAA-eligible services. HIPAA-eligible is technology provider specific:

https://aws.amazon.com/compliance/hipaa-eligible-services-re...

Here's Google's:

https://cloud.google.com/security/compliance/hipaa-complianc...

In general it means that the service may not be HIPAA compliant by default, but can be configured to be HIPAA compliant.

HITRUST is something else and it's outside the scope of this discussion IMO. Not sure why you brought that up.


> Well, HIPAA can be self-certified, but that probably won't stand up in court

There is no certification requirement, so there is nothing to "stand up in court". Straight from the horse's mouth:

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance.

https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-...


Hi everyone! We’re of course well aware of the importance of HIPAA for all organizations operating in the US. To clear up any confusion: HIPAA-eligible means in our case that we’re ready to sign BAAs.


lmao literally a weasel word



