by j33zusjuice 632 days ago
HIPAA is a joke in the first place. How to implement HIPAA compliance is entirely up to the company dealing with the data. There are no prescriptive standards to protect your data. Who isn’t HIPAA certified? It has to be the easiest thing to certify for from a technical perspective. Research teams run records through some NLP shit to depersonalize them, but we all already know it’s trivial to reverse engineer that data to its origin.

HIPAA is a legal framework to describe lawful disclosure of health information, defining who and when, and what steps must be taken when unauthorized / impermissible disclosure happens.

It is technologically agnostic, because it applies whether your doctor is fully remote and everything uses electronic records, or if the provider is still using pen and paper and carrier pigeons.

For actual security details, there may be some regulations that came with the mandating of electronic records, but nothing in HIPAA itself. For that, you want to look for organizations that have a certification like SOC2 or similar.

HIPAA is not a joke; employees can be held personally liable for breaches. At Helix we take HIPAA very seriously.
> HIPAA is not a joke; employees can be held personally liable for breaches

Okay, great. So which employees were held personally liable for these two breaches? I got "The Letter" telling me I was one of the victims for both of them.

https://www.hhs.gov/hipaa/for-professionals/compliance-enfor...

https://en.wikipedia.org/wiki/Anthem_medical_data_breach

"There are no prescriptive standards to protect your data?"

How about the 18 standards labelled A) through R) in page 97 of: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/ad...

I am no expert, but HIPAA seems far more prescriptive than, say, GDPR or PII regulations.

I do agree that self-certification leads to perverse incentives and lowers the bar.