by SkyPuncher 1196 days ago
HIPAA is a self certification. You can claim compliance simply by following the rules. Therefore, you're either HIPAA compliant or you're not. I have never heard anyone describe it as being HIPAA-eligible.

HITRUST is a third party audit with higher standards than HIPAA. That is not a self-attestation.

I’ve spent a bunch of time in this space. Most of the major players offer HIPAA compliant services and sign BAAs. As of now, I don’t believe OpenAI offers a BAA, so this is dead in the water.


Well, HIPAA can be self-certified, but that probably won't stand up in court so most organizations will pay a third-party provider to perform the certification for them. That also lets you see the gaps, because HIPAA is big.

Here's AWS's list of HIPAA-eligible services. HIPAA-eligible is technology provider specific:

https://aws.amazon.com/compliance/hipaa-eligible-services-re...

Here's google's:

https://cloud.google.com/security/compliance/hipaa-complianc...

In general it means that the service may not be HIPAA compliant by default, but can be configured to be HIPAA compliant.

HITRUST is something else and it's outside the scope of this discussion IMO. Not sure why you brought that up.

> Well, HIPAA can be self-certified, but that probably won't stand up in court

There is no certification requirement, so there is nothing to "stand up in court". Straight from the horse's mouth:

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance.

https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-...