by david_l_lin 1957 days ago
Thank you for participating! Co-founder and CSO here. Thanks for the feedback regarding the website, we're in the process of updating the page to improve its layout.

We absolutely will not be selling your microbiome data without your consent, and it's something the team and I are quite adamant about. We also will NOT be selling or using any of your personal genetic data without consent. Any analysis and discovery will be on completely de-identified data, and will go toward our goal of improving health care.

Thank you for supporting us, and we hope that the insights we provide in the early access may be valuable to you!

3 comments

> We absolutely will not be selling your microbiome data without your consent, and it's something the team and I are quite adamant about.

Are we relying on your word on this? I have had startups change their mind on me on these sorts of things in the past. I would want some sort of assurance that my data remains private even if you change your mind and wish to make it non-private.

What happens if the company goes bankrupt and someone else buys the IP including the data? Can they do whatever they want with the data? Without some enforceable legal restrictions here the data seems to be at risk.
We follow all HIPAA requirements and de-identify our data accordingly. That said, as a company we are committed to patient privacy and I’m interested in hearing about the experiences you’ve had in the past with companies changing their minds. If you’re open to it, email us at info@bristlehealth.com and I’ll follow up with you to discuss!

Regarding the "about" page - our website is brand new and we're building out more information to coincide with announcements over the coming weeks. One of those is around our advisory board and another is relevant to your comment on clinical trials. Our team has backgrounds in genomics on both the research and commercial side! I worked at Illumina and ONT myself - other co-founders come from companies including Genentech, Twist, etc.

Is customer data protected by HIPAA?

Yes! We are 100% HIPAA compliant
You didn't answer the question asked, you answered a different question.

The question that was asked was if the customer data you collect is "protected by HIPAA," not if you choose to be "HIPAA compliant."

In other words - does the law (HIPAA) require you to handle customer data a certain way? Are you a "covered entity" under HIPAA?

I don't know much about your business, but I'm going to presume you are NOT a covered entity and HIPAA does NOT apply. I'm going to presume that because HIPAA is not a generic medical privacy law (even though people think it is); it applies only to "covered entities," which are "Health Care Providers[1]", "Health Plans", and "Health Care Clearinghouses." You don't appear to be any of those, nobody claims to be providing any medical services, and you even provide a disclaimer that you are not providing medical services - aka "just for funsies."

A useful rule of thumb is the "I" in HIPAA stands for insurance - if insurance is NOT involved HIPAA probably doesn't apply.

So I think your statement "Yes, we are 100% HIPAA compliant" was intentionally misleading.

[1] but only if they transmit information electronically in connection with a transaction for which HHS has adopted a standard

Hi Astura, apologies for the delay. To answer your question: no, we are not a covered entity - but we still maintain HIPAA compliant protocols with your data:

We follow all HIPAA compliant protocols in handling your data. We have additionally taken a number of security precautions beyond HIPAA compliance that mitigate the possibility of a data breach.

I appreciate you bringing this up as it is an important distinction and a good opportunity to clarify. We are not a covered entity under HIPAA as we are not (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider. The laws surrounding HIPAA were enacted before genomics and consumer health became prevalent. This means that most of the companies in our space (23&me, Ancestry, Everlywell, etc.) are also not covered entities but are working with PHI (protected health information).

Covered entities are required to be HIPAA compliant to maintain the integrity of your PHI, and you can read more about those requirements here: https://www.atlantic.net/hipaa-compliant-hosting/hipaa-compl...

While Bristle is not a covered entity, we can be HIPAA compliant by enforcing the same guidelines around your PHI as are used for covered entities. This is an optional, but in our opinion critical and non-negotiable, component of our infrastructure to maintain user privacy.

> While Bristle is not a covered entity, we can be HIPAA compliant by enforcing the same guidelines around your PHI as are used for covered entities.

People respect HIPAA because sanctions for a HIPAA violation are very severe. In your case, if you have a violation, what would happen?

Absolutely positively nothing, their so-called "compliance" is strictly voluntary. That's why I'm calling them out on claiming that they are "HIPAA compliant."

If they were upfront I wouldn't give two fucks, I truly don't care. Like, I really really don't care. It's that they tried to lie is why I am called them out. They were caught with their pants down. I wouldn't be a thorn in their side if they were honest.

>we are not a covered entity under HIPAA

So why lie and say you are when directly asked? You could have just replied with this exact post when asked, instead you chose to blatantly lie. Why?

Did you just think nobody would notice and you'd just get away with it?

When people ask "Is customer data protected by HIPAA?" they don't mean "do you choose to follow HIPAA protocols [at the moment] with customer data?" They mean "Is customer data protected by HIPAA?" They want to know what you can legally do with their medical data, not what you currently choose to do with it. But you know that, you are playing stupid and are caught with your pants down.

We all know your competition also isn't a covered entity under HIPAA - so just admit you aren't either, don't be slimy and mealy-mouthed about it.

I’m sorry you feel that we were misleading you - that is not our intention. As I stated in my previous response: we are not a HIPAA covered entity but maintain HIPAA compliant protocols. We plan to include our data protection protocols on our site to make this information available and transparent for visitors and users. I appreciate you bringing this up!

Unless the question was answered in the first sentence ('Yes!' being one of the few single-word sentences possible in English). From this perspective, the second sentence gives extra information instead of being 'intentionally misleading'.

Then they need to provide additional information as to why they are considered a "covered entity" under HIPAA, because it is NOT obvious from their website why HIPAA would apply, and the answer I was replying to appeared to be very mealy-mouthed based on the information given.

If they have additional information they'd like to share, I'd very much like to hear it.

HIPAA applies to any circumstance around handling PHI. We handle your self-reported survey data and microbiome data as PHI. We do NOT have to be a "covered entity" to apply HIPAA compliant protocols to our data handling. It's an additional security measure we take in handling your PHI.

I'm looking forward to replies from dannygrannick and david_l_lin on whether they are a "covered entity" under HIPAA, because that was the question asked, and it hasn't been answered yet.

We self-impose HIPAA compliant protocols despite not being a covered entity. The answer to the question "Is customer data protected by HIPAA?" is essentially the same.

1. Any data that can be considered PHI (survey data, medical data, genetic data) is stored under HIPAA compliant guidelines.

2. Yes, we are HIPAA compliant.

And it's likely never going to be answered.

You can find our response above. Thank you for your patience, and for the engaging discussion!