by dannygrannick 1952 days ago
Hi Astura, apologies for the delay. To answer your question: no, we are not a covered entity - but we still maintain HIPAA compliant protocols with your data:

We follow all HIPAA compliant protocols in handling your data. We have additionally taken a number of security precautions beyond HIPAA compliance that mitigate the possibility of a data breach.

I appreciate you bringing this up as it is an important distinction and a good opportunity to clarify. We are not a covered entity under HIPAA as we are not (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider. The laws surrounding HIPAA were enacted before genomics and consumer health became prevalent. This means that most of the companies in our space (23&me, Ancestry, Everlywell, etc.) are also not covered entities but are working with PHI (protected health information).

Covered entities are required to be HIPAA compliant to maintain the integrity of your PHI, and you can read more about those requirements here: https://www.atlantic.net/hipaa-compliant-hosting/hipaa-compl...

While Bristle is not a covered entity, we can be HIPAA compliant by enforcing the same guidelines around your PHI as are used for covered entities. This is an optional, but in our opinion critical and non-negotiable, component of our infrastructure to maintain user privacy.


> While Bristle is not a covered entity, we can be HIPAA compliant by enforcing the same guidelines around your PHI as are used for covered entities.

People respect HIPAA because sanctions for a HIPAA violation are very severe. In your case, if you have a violation, what would happen?

Absolutely positively nothing; their so-called "compliance" is strictly voluntary. That's why I'm calling them out on claiming that they are "HIPAA compliant."

If they were upfront I wouldn't give two fucks, I truly don't care. Like, I really really don't care. It's that they tried to lie that is why I called them out. They were caught with their pants down. I wouldn't be a thorn in their side if they were honest.

Did they have a choice to become a HIPAA covered entity and decided not to do it? Or that was never a choice?

The problem here is that the HIPAA legislation is outdated. Another problem is that there's almost no regulation around selling data.

My true question is: what's the business model here?

a) offering this testing service (which to be honest, sounds pretty interesting and useful)

b) selling the data of unsuspecting customers ("the 23andme model")

Sure, they could provide medical services and interface with health insurance companies, then they'd be a covered entity under HIPAA. They could employ medical staff to prescribe tests and provide test results to patients, then they'd be a covered entity under HIPAA.

I don't believe HIPAA is outdated, I believe that people just very much misunderstand it. The full title is "Health Insurance Portability and Accountability Act" - it's literally a bill to regulate health insurance companies, it was never meant to be more.

Congress could pass a general medical privacy bill tomorrow, yet they appear to be extremely uninterested in doing so, so they don't.

Their business model is probably just offering this testing service at the moment, but their weaselly response when asked if their data was covered by HIPAA makes me think that they are keeping selling data on the back burner as an emergency option.

>we are not a covered entity under HIPAA

So why lie and say you are when directly asked? You could have just replied with this exact post when asked, instead you chose to blatantly lie. Why?

Did you just think nobody would notice and you'd just get away with it?

When people ask "Is customer data protected by HIPAA?" they don't mean "do you choose to follow HIPAA protocols [at the moment] with customer data?", they mean "Is customer data protected by HIPAA?" They want to know what you can legally do with their medical data, not what you currently choose to do with it. But you know that; you are playing stupid and are caught with your pants down.

We all know your competition also isn't a covered entity under HIPAA - so just admit you aren't either, don't be slimy and mealy-mouthed about it.

I’m sorry you feel that we were misleading you - that is not our intention. As I stated in my previous response: we are not a HIPAA covered entity but maintain HIPAA compliant protocols. We plan to include our data protection protocols on our site to make this information available and transparent for visitors and users. I appreciate you bringing this up!