This data processing is done on Nabla's servers, which are powered by the HIPAA and GDPR compliant Google Cloud Platform (GCP), and on HIPAA-eligible LLM servers.
I was very curious about this and did a bit of research. The answer to it is squishy. It seems to be mostly a marketing term. The best definition I found was this:
"A service that is HIPAA eligible is one that is capable of being configured in a way that could meet HIPAA compliance requirements, but you have to know how to do it, it doesn’t happen ‘out of the box.’"
* they may be HIPAA-compliant (i.e. they fulfill the requirements),
* they haven't gone through a HIPAA-certification (no third-party cert),
* they aren't using services that aren't HIPAA-certifiable
The latter point is important, because there are some services (i.e. Firebase) that apparently won't be HIPAA compliant. Some services are HIPAA-compliant if configured correctly. AWS has a list. I believe Google does too.
There are a bunch of HIPAA guides out there.
So as a demo, it's not a big deal. But if they start selling this they need at least to be HIPAA-compliant with certification on the roadmap.
HIPAA is a self certification. You can claim compliance simply by following the rules. Therefore, you're either HIPAA compliant or you're not. I have never heard anyone describe it as being HIPAA-eligible.
HITRUST is a third party audit with higher standards than HIPAA. That is not a self-attestation.
I’ve spent a bunch of time in this space. Most of the major players offer HIPAA compliant services and sign BAAs. As of now, I don’t believe OpenAI offers a BAA, so this is dead in the water.
Hi everyone! We’re of course well aware of the importance of HIPAA for all organizations operating in the US. To clear up any confusion: HIPAA-eligible means in our case that we’re ready to sign BAAs.
Either they are offering to sign a HIPAA BAA or they aren't. If they aren't, it's HIPAA-radioactive. HIPAA-eligible for this kind of service is meaningless; when you have PHI going through a third party system, it's BAA or GTFO.
Their website seems to suggest it is a French company with a US office. The issues around HIPAA would not be there and instead replaced by GDPR.
The blog posts also mention French-trained ML.
> Cedille is a new open source French language model created by Coteries. It is trained to understand and write French and is also the largest model of its kind for French. Cedille is trained using large databases of publicly available content on the internet filtered for toxic content.
Expanding into the US, yes - they would need to deal with HIPAA, but until they do they likely don't need to.
> A Medical Scribe is a revolutionary concept in modern medicine. Traditionally, a physician's job has been focusing solely on direct patient contact and care. However, the advent of the Electronic Health Record (EHR) created an overload of documentation and clerical responsibilities that slows physicians down and pulls them away from actual patient care. To relieve the documentation overload, physicians across the country are turning to Medical Scribe services.
> A Medical Scribe is essentially a personal assistant to the physician; performing documentation in the EHR, gathering information for the patient's visit, and partnering with the physician to deliver the pinnacle of efficient patient care.
HIPAA only applies to healthcare providers I think. Private companies like the extension maker can do whatever they want. At least that’s what someone on the internet told me and maybe it’s wrong.
If the provider wants to use the extension for patient care, the extension maker must be prepared to enter into an agreement to comply with the HIPAA rules.
> If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information.
Business associate only comes into play when you're working with a covered entity. And, covered entities are far less inclusive than most people think.
----
The posted software is absolutely free to be non-HIPAA compliant. They're not a covered entity and without a relationship with a covered entity, they're not a business associate. However, without a relationship with a covered entity, they're also unlikely to generate any meaningful revenue.
This is not so clear-cut, though. There is a lot of gray area and doubt about this. HIPAA is not as complete a protection as people think, and there are many situations where you'd think HIPAA would obviously apply, but it doesn't.
When a covered entity (a HIPAA-required provider) does business with a private non-covered entity _and_ that transaction involves HIPAA controlled information, they must enter into a Business Associate Agreement (BAA). This effectively forces the private entity to maintain the same HIPAA standard as the provider.
A private company is absolutely free to build non-HIPAA compliant software, but they are completely unlikely to get any healthcare providers to actually use it.