by trcollinson 2179 days ago
So, I am also not a lawyer, and also not giving you legal advice. I do have some legal background and some HIPAA background.

This tool would fall under HIPAA compliance. In that, it doesn't matter if you know who has access to the data. The only thing that matters is that the holder of the data knows who has access to the data and whether those with access have proper training, metrics, and monitoring for the data. There are a lot of ifs in this area.

If the data is anonymized, then there are a number of requirements that disappear.

If the data is not anonymized, then it must be kept for a certain period of time.

If the data is saved, it must be encrypted on ingress, egress, and at rest according to the HIPAA plan of the provider.

If... if... if...

There are a lot of considerations here. However, you don't actually get to know any of those things. The only part you get to know is whether they say "We are HIPAA Compliant". And if they say that and you disagree, you can make a complaint with the US Department of Health and Human Services.

Don't expect to get very many answers.

1 comment

No, it does not. HIPAA applies to health providers and related entities, not employers. If you disclose your general medical condition to your employer, it is not HIPAA protected.