
In the section of their Privacy Policy titled Data Security [0]:

> We use certain physical, managerial, and technical safeguards that are designed to improve the integrity and security of information that we collect and maintain. Please be aware that no security measures are perfect or impenetrable. We cannot and do not guarantee that information about you will not be accessed, viewed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. In particular, the Service is NOT designed to store or secure information that could be deemed to be Protected Health Information as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

IANAL and all that, but I’m not sure you can use the excuse “We didn’t design our system to be HIPAA compliant, sorry,” and hope your liability disappears. Does anyone know?

0: https://eshyft.com/wp-content/uploads/2019/06/ESHYFT-Privacy...



HIPAA applies to patient data, not provider data.

> I also saw what appeared to be medical documents uploaded to the app. These files were potentially uploaded as proof for why individual nurses missed shifts or took sick leave. These medical documents included medical reports containing information of diagnosis, prescriptions, or treatments that could potentially fall under the ambit of HIPAA regulations.

It looks like providers accidentally uploaded some PHI.

IANAL so I may be wrong, but I worked for a healthcare company. Whether HIPAA applies to them depends on whether they are considered a covered entity or a business associate [0].

IMO they aren't bound to HIPAA requirements as a covered entity.

Business associate is a little tricky to determine. But business associates have to sign a BAA (Business Associate Agreement). And I doubt they would have signed one if they have that in their privacy policy.

Also, just as a side note, HIPAA is not an ideal standard to begin with for security. Many large companies exchange bulk PHI via Gmail since it is HIPAA compliant.

0: https://www.hhs.gov/hipaa/for-professionals/covered-entities...


> Also, just as a side note, HIPAA is not an ideal standard to begin with for security. Many large companies exchange bulk PHI via Gmail since it is HIPAA compliant.

You seem to imply using GMail is a bad thing? I think GMail, when appropriately configured to handle PHI, is probably a million times more secure than some crappy bespoke "enterprise" app.


It isn't that hard to set up a secure SFTP server to automate the exchange. But then again, this is a post about configuring an S3 bucket with public access for SSNs.

The issue with Gmail is sending to the wrong email, sending to a broad email list, having people download it to their local machines. And the amount of PHI being transmitted in these files is larger than this s3 bucket.


> It isn't that hard to set up a secure SFTP server to automate the exchange

When you've got a trickle of information coming and going from hundreds or thousands of other individuals working at tens or hundreds of other entities, it is.

You'd eventually wind up developing the kind of ridiculous "secure messaging and file drop" type service that every megabank builds on top of their SFTP and ticketing systems for that purpose. That stuff ain't cheap to run and keep running.

Better to just start with a solution that's 99% there.


HIPAA only applies to a very specific entity called a "covered entity". At a high level, "covered entities" are health care providers that accept insurance, or insurers. That's right, there's a massive caveat on "accepts insurance". You can be a healthcare provider and not have to comply with HIPAA if you don't accept insurance.

That being said, HIPAA isn't even relevant here because "ESHYFT" is just a provider of labor. No different from a big consultant providing staff augmentation services.


> At a high level, "covered entities" are health care providers that accept insurance, or insurers. That's right, there's a massive caveat on "accepts insurance". You can be a healthcare provider and not have to comply with HIPAA if you don't accept insurance.

Again, HIPAA continues to be the most colloquially misunderstood law out there.

The rule that makes providers "covered entities" isn't really about insurance; it's about whether they transmit specific HIPAA "transactions" electronically. Now, yes, most of these transactions having to do with providers are things like claim submissions or pre-authorizations to insurance. But there are other reasons a provider may need or want to send a HIPAA transaction electronically.

My point is that there isn't some sort of "loophole" where providers that don't accept insurance are somehow being sneaky. The whole point of the HIPAA security rule is to protect PHI when it is transferred around to different entities in the healthcare system. If the information is going just between you and your doctor, HIPAA isn't relevant, and that is by design.


> it's about whether they transmit specific HIPAA "transactions" electronically.

That's correct, but if you don't accept insurance then you will not transmit anything that meets the criteria to be covered by HIPAA. At least, in terms of being a provider. Things are different if you're a health plan or clearing house.

I spent a lot of time and money questioning this with lawyers at a health tech startup I previously worked at. The underlying reality is nearly the entire US healthcare system falls under HIPAA because nearly everyone wants to accept insurance. However, if you're a doctor running a cash-only business you will not be a covered entity, even if you send PHI electronically.


HIPAA doesn't care about your POS TOS. It either applies or does not.

That said, it's both less broad and more toothless than I'd like. If FB convinces you to install a tracking pixel (like button) stealing your private medical data, they likely haven't violated any laws. At most you'd be able to file a claim against the person who created the leak.

Not a lawyer and all that, but for TFA I don't think HIPAA would be a valid way to try to limit your losses. It's a bit closer to what would happen if you (a doctor) uploaded patient data to Google Drive and then somehow leaked that information (one of Google's contractors disclosing it, a hack, whatever). Nothing about ESHYFT's offerings requires or would be benefited by the data HIPAA protects, and (ignoring incompetence and other factors) I'd be as surprised to see my health data leaked there as I would to see a YT video going over my last lab reports because of some hospital's actions.

They could still be liable for all sorts of other damages (and maybe somebody can convince a court of a HIPAA violation), but it's not an easy HIPAA win.


If you're not a direct health provider, you probably can. Don't take that as an endorsement.


If you partner with a healthcare provider to provide any sort of technical services, you will be required to sign a BAA (Business Associates Agreement), which makes you similarly liable to the HIPAA & HITECH acts.


It depends; there are some exceptions. [0]

> With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.

Based on the context from the article of the PHI uploaded being incidental, it would probably fall under this exception. It sounds like ESHYFT isn't meant to be storing any PHI based on the privacy policy above.

0: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance...


[Nevermind]


The PII of the nurses being accidentally shared by a staffing agency isn't a HIPAA violation. Yes the nurses are providers but their relationship with the Uber for nurses service isn't a medical provider relationship. It's definitely a legal and ethical failing but I don't think it's a HIPAA one.


This is what I took away from the reading. It's basically a shift/employee management platform. The only reason we're even discussing HIPAA is because it's health care industry adjacent.

If you replaced nurses with gig workers and uber for nurses with something like WeWork this would just be like every other leak we talk about on HN.


Ah, after doing more than skimming the article:

> I also saw what appeared to be medical documents uploaded to the app. These files were potentially uploaded as proof for why individual nurses missed shifts or took sick leave. These medical documents included medical reports containing information of diagnosis, prescriptions, or treatments that could potentially fall under the ambit of HIPAA regulations.

The title is exaggerating what the article says, and the article is making a big stretch about this being possibly HIPAA covered. I stand corrected: this has nothing to do with HIPAA.

What was leaked was nurses' doctors' notes submitted to justify calling out of work. Still a serious leak, but nowhere near what is being suggested.


HIPAA avoidance is much narrower than that. Entities which perform administrative or managerial duties on behalf of a mandated organization that have to transmit PII to provide that service are also covered, even if the entity itself isn't a provider.

If 'Uber for nurses' is acting on behalf of nurses, it probably doesn't apply? If it's acting on behalf of the hospitals (who are indisputably covered entities), then the situation is much less clear.

I encountered a similar situation with my startup many years ago and decided "better safe than sorry" after consulting the lawyer.


I used to work in the field. HIPAA protects patient data, not provider data. If my understanding is correct that only nurse PII was leaked, this has nothing to do with HIPAA.

In general, I've found that people tend to think HIPAA applies much, much more than it actually does. Like people thinking if you're in a meeting at work with clients and say "Sorry, Bob couldn't be here today, he's got the flu" that that's a HIPAA violation. No, it's not.

This is just an employee data leak, just like a bajillion other employee data leaks. The fact that the employees happen to be nurses still doesn't mean it has anything to do with HIPAA.


ESHYFT isn't a covered entity, so HIPAA doesn't apply to them. Even if they have health data of their employees in their system, they're still not a covered entity.

Really, "Uber for Nurses" is a title to drum up interest. "Large Staffing Service" would be factually accurate.


This 100%. This needs to be a top level comment.


I'm confused because the article lays it out by the 4th paragraph, and you have the right understanding, up until "we're a startup".

Maybe you think the startup maintains patient records?

The article lays out that the nurses uploaded them, i.e. the provider. This is a temp booking system. The health records were uploaded by the nurses to communicate reasons for absences to their employer and weren't required or requested.

They have as much responsibility as Dropbox does. Nurses shouldn't have uploaded them.

