[astura]

You didn't answer the question asked, you answered a different question.

The question that was asked was if the customer data you collect is "protected by HIPAA," not if you choose to be "HIPAA compliment."

In other words - does the law (HIPAA) require you to handle customer data a certain way? Are you a "covered entity" under HIPAA?

I don't know much about your business, but I'm going to presume you are NOT a covered entry and HIPAA does NOT apply. I'm going to presume that because HIPAA is not a generic medical privacy law (even though people think it is), it applies to only "covered entities," which are - "Health Care Providers[1]", "Health Plans", and "Health Care Clearinghouses." You don't appear to be any of those, nobody claims to be providing any medical services, and you even provide a disclaimer that you are not providing medical services. - aka "just for funsies."

A useful rule of thumb is the "I" in HIPAA stands for insurance - if insurance is NOT involved HIPAA probably doesn't apply.

So I think your statement "Yes, we are 100% HIPAA compliment" was intentionally misleading.

[1] but only if they transmit information electronically in connection with a transaction for which HHS has adopted a standard

[dannygrannick]

Hi Astura, apologies for the delay. To answer your question: no, we are not a covered entity - but we still maintain HIPAA compliant protocols with your data:

We follow all HIPAA compliant protocols in handling your data. We have additionally taken a number of security precautions beyond HIPAA compliance that mitigate the possibility of a data breach.

I appreciate you bringing this up as it is an important distinction and a good opportunity to clarify. We are not a covered entity under HIPAA as we are not (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider. The laws surrounding HIPAA were enacted before genomics and consumer health became prevalent. This means that most of the companies in our space (23&me, Ancestry, Everlywell, etc.) are also not covered entities but are working with PHI (protected health information).

Covered entities are required to be HIPAA compliant to maintain the integrity of your PHI, and you can read more about those requirements here: https://www.atlantic.net/hipaa-compliant-hosting/hipaa-compl...

While Bristle is not a covered entity, we can be HIPAA compliant by enforcing the same guidelines around your PHI as are used for covered entities. This is an optional, but in our opinion critical and non-negotiable, component of our infrastructure to maintain user privacy.

[29athrowaway]

> While Bristle is not a covered entity, we can be HIPAA compliant by enforcing the same guidelines around your PHI as are used for covered entities.

People respect HIPAA because sanctions for a HIPAA violation are very severe. In your case, if you have a violation, what would happen?

[astura]

Absolutely positively nothing, their so-called "compliance" is strictly voluntary. That's why I'm calling them out on claiming that they are "HIPAA compliant."

If they were upfront I wouldn't give two fucks, I truly don't care. Like, I really really don't care. It's that they tried to lie is why I am called them out. They were caught with their pants down. I wouldn't be a thorn in their side if they were honest.

[29athrowaway]

Did they have a choice to become a HIPAA covered entity and decided not to do it? Or that was never a choice?

The problem here is that the HIPAA legislation is outdated. Another problem is that there's almost no regulation around selling data.

My true question is: what's the business model here?

a) offering this testing service (which to be honest, sounds pretty interesting and useful)

b) selling the data of unsuspecting customers ("the 23andme model")

[astura]

Sure, they could provide medical services and interface with health insurance companies, then they'd be a covered entity under HIPAA. They could employ medical staff to prescribe tests and provide test results to patients, then they'd be a covered entity under HIPAA.

I don't believe HIPAA is outdated, I believe that people just very much misunderstand it. The full title is "Health Insurance Portability and Accountability Act" - it's literally a bill to regulate health insurance companies, it was never meant to be more.

Congress could pass a general medical privacy bill tomorrow, yet they appear to be extremely uninterested in doing so, so they don't.

Their business model is probably just offering this testing service at the moment, but their weasely response when asked if their data was covered by HIPAA makes me think that they are keeping selling data on the back burner as an emergency option.

[astura]

>we are not a covered entity under HIPAA

So why lie and say you are when directly asked? You could have just replied with this exact post when asked, instead you chose to blatantly lie. Why?

Did you just think nobody would notice and you'd just get away with it?

When people ask "Is customer data protected by HIPAA?" They don't mean "do you choose to follow HIPPA protocols [at the moment] with customer data?," They mean "Is customer data protected by HIPAA?" They want to know what you can legally do with their medical data, no what you currently choose to do with it. But you know that, you are playing stupid and are caught with your pants down.

We all know your competition also isn't a covered entity under HIPPA - so just admit you aren't either, don't be slimy and mealy-mouthed about it.

[dannygrannick]

I’m sorry you feel that we were misleading you - that is not our intention. As I stated in my previous response: we are not a HIPAA covered entity but maintain HIPAA compliant protocols. We plan to include our data protection protocols on our site to make this information available and transparent for visitors and users. I appreciate you bringing this up!

[Cro_on]

Unless the question was answered in the first sentence ('Yes!' being one of the few single word sentences possible in English). In this perspective, the second sentence gives extra information instead of 'intentionally misleading'.

[astura]

Then they need to provide additional information as to why they are considered a "covered entity" under HIPAA, because it is NOT obvious from their website why HIPPA would apply and the answer I was replying to appeared to be very mealy-mouthed based on the information given.

If they have additional information they'd like to share, I'd very much like to hear it.

[david_l_lin]

HIPAA applies to any circumstance around handling PHI. We handle your self-reported survey data, and microbiome data as PHI. We do NOT have to be a "covered entity" to apply HIPAA compliant protocols to our data handling. It's an additional security measure we take in handling your PHI.

[astura]

>HIPAA applies to any circumstance around handling PHI.

HIPAA does not apply at all as you are not a covered entity under HIPAA, stop lying.

>We do NOT have to be a "covered entity" to apply HIPAA compliant protocols to our data handling

Yeah, but that's just your current choice. You (more or less) claimed you were obligated to abide by HIPAA, but that's a lie, you are not.

I know you though nobody would call you out on this, but I am, because I understand the law. Please be upfront when asked, and stop lying.

[astura]

I'm looking forward to replies from dannygrannick and david_l_lin if they are a "covered entity" under HIPAA, because that was the question asked, and hasn't been answered yet.

[david_l_lin]

We self-impose HIPAA complaint protocols despite not being a covered entity. The answer to the question: "Is customer data protected by HIPAA?" is essentially the same.

1. Any data that can be considered PHI (survey data, medical data, genetic data) is stored under HIPAA complaint guidelines. 2. Yes, we are HIPAA complaint.

[29athrowaway]

And it's likely never going to be answered.

[david_l_lin]

You can find our response above. Thank you for your patience, and for the engaging discussion!