Hey, I don't work at Picnic but I do work at Prime. Picnic and Prime do similar things. I've met the Picnic team. They're great, and so is Picnic. They understand HIPAA. I'll let @nogaleviner speak to the specifics of their HIPAA considerations, but I do want to clear up some general things about HIPAA, since we've (as has Picnic) been working on this for a year or two now.

1. It's HIPAA, not HIPPA.

2. The "P" in HIPAA stands for Portability (h/t @katgleason). The salient parts of HIPAA for this conversation are:

a. HIPAA makes what Picnic does possible. The overall point of HIPAA is to open up data, to let patients say to their doctor "I want my medical record" and require doctors to fulfill that request. The September 2013 update to HIPAA even said that if a patient asks for their records electronically, their doctor has to provide them electronically. Without HIPAA, Picnic probably wouldn't exist.

b. HIPAA does stipulate two Rules: the Security Rule and the Privacy Rule. In a nutshell, these rules don't prescribe specific implementations but do require general considerations. The high-level overview is: data has to be encrypted in transit and at rest, all data access has to be logged (for auditing), and employees have to be HIPAA-trained. Generally speaking, if you build something that meets a decently high level of conventional web security standards, you could probably meet the technical requirements for HIPAA.

Now this is important: while b) is true, this actually only applies to entities who are required to be HIPAA-compliant, i.e., medical care providers. Technically Picnic isn't a care provider and therefore does not need to be HIPAA-compliant. That doesn't mean Picnic doesn't take security and privacy very seriously. And I can tell you they do: their site is SSL-enabled and they know what they're doing. Again, just speaking to the HIPAA points here, not the business considerations. Hope that helps clear some things up.
Even if they are only going to function as what's referred to in HIPAA as the "Business Associate" standard, if you really dig into it they'll essentially need the same level(s) of control as a straight-up HIPAA-compliant business would. That is, if they want to be in a defensible position when they get breached...
Additionally, the reason that I mentioned ISO 27001 is that it's not just HIPAA; it's also all of the other controls, both internal and external, you must have in place. If your assertion is that they have sec dialed because their site is SSL-enabled, well, that's frankly a little scary and somewhat naive.