logoalt Hacker News

munk-ayesterday at 9:08 PM1 replyview on HN

Anyone handling PII needs to be trained in HIPAA compliance and authorized in the same manner as the doctor themselves. There is no explicitly separate HIPAA like law though if your handling of the information is limited to a particular subset of the information (e.g. knowing that a patient has an appointment with a renal specialist and knowing their address information but not knowing the topic of the appointment) then there may be a relaxation of the requirements - but patients are also blabby so usually they're treated like anyone else.

When it comes to AI note-taking or other AI services that interact with PII the exact same requirements and data handling standards need to be adhered to as if the tool was an employee with proper certified training (or, in the case of a tool, review and certification) and appropriate contracts and disclosures.

I can't really provide a more specific answer because the topic is so broad and while I'm familiar with the process from one end I am not an expert on the process in general.


Replies

vel0cityyesterday at 10:16 PM

> Anyone handling PII needs to be trained in HIPAA compliance

Anyone working at a covered entity needs HIPAA training. A random secretary working for some other random company unrelated to healthcare and isn't potentially a covered entity doesn't need it.

I originally took your comment as secretaries in general, but re-reading makes it more clear to me you're specifically talking about secretaries in a healthcare setting. In which case yes, they would be bound to the same HIPAA rules I agree.

show 1 reply