
It's not fully accurate, but it's accurate enough for lay people. I founded a HealthTech company. I'm very familiar with the rules.

The key here is in the definition of a covered entity: https://www.hhs.gov/hipaa/for-professionals/covered-entities...

> [list of providers] ...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

In grossly simple terms, that means if insurance/medicare/medicaid is not involved, it's not a "transaction for which HHS has adopted a standard".




Ah, I understand. Thank you. That explains the existence of several troubling loopholes I've seen.


Yep. We actually got multiple legal opinions on this. I was coming in from outside healthcare and absolutely baffled how little HIPAA applies to.


My wife is a nurse, and she once made a comment that alluded to this. She said that where HIPAA applies, it applies very strongly. That's why hospital staff, for instance, are always extremely careful about not violating HIPAA. But, she said, it doesn't apply everywhere. Her example was with drug and medical appliance companies who use patient data for marketing purposes.


Yep, if you're a covered entity, you want to make sure you get things right. Punishments for being wrong can be very severe.

Many organizations will use an abundance of caution and treat far more than necessary as HIPAA-controlled simply because it’s less risky.



