by manv1 1196 days ago
What that really means is:

* they may be HIPAA-compliant (ie: they fulfill the requirements),
* they haven't gone through a HIPAA-certification (no third-party cert),
* they aren't using services that aren't HIPAA-certifiable

The latter point is important, because there are some services (ie: firebase) that apparently won't be HIPAA compliant. Some services are HIPAA-compliant if configured correctly. AWS has a list. I believe google does too.

There are a bunch of HIPAA guides out there.

So as a demo, it's not a big deal. But if they start selling this they need at least to be HIPAA-compliant with certification on the roadmap.


HIPAA is a self certification. You can claim compliance simply by following the rules. Therefore, you're either HIPAA compliant or you're not. I have never heard anyone describe it as being HIPAA-eligible.

HITRUST is a third party audit with higher standards than HIPAA. That is not a self-attestation.

I’ve spent a bunch of time in this space. Most of the major players offer HIPAA compliant services and sign BAAs. As of now, I don’t believe OpenAI offers a BAA, so this is dead in the water.

Well, HIPAA can be self-certified, but that probably won't stand up in court so most organizations will pay a third-party provider to perform the certification for them. That also lets you see the gaps, because HIPAA is big.

Here's AWS's list of HIPAA-eligible services. HIPAA-eligible is technology provider specific:

https://aws.amazon.com/compliance/hipaa-eligible-services-re...

Here's google's:

https://cloud.google.com/security/compliance/hipaa-complianc...

In general it means that the service may not be HIPAA compliant by default, but can be configured to be HIPAA compliant.

HITRUST is something else and it is outside the scope of this discussion IMO. Not sure why you brought that up.

> Well, HIPAA can be self-certified, but that probably won't stand up in court

There is no certification requirement, so there is nothing to "stand up in court". Straight from the horse's mouth:

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance.

https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-...