HIPAA Compliance

Just curious if there are any rumblings out there about HIPAA compliance and using Particle cloud software?

Is it possible to become HIPAA compliant?

Thanks

I doubt it could be compliant. See the requirement:

Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).24

Just the fact that it connects to Particle's server and allows for over-the-air programming essentially means Particle has "root" access to the device. Particle is definitely not an authorized person.

There is no reason Particle or any other general purpose computing device couldn't be HIPPA compliant. It is all a matter of software security, and physical security. But I can't see the cloud aspect of Particle's devices meeting HIPPA.

Given that you can seperate your devices from the Particle cloud (running the local cloud) HIPPA compliance should be doable. Otherwise, I’m not sure having Particle as a data carrier is an immediate violation of HIPPA. HIPPA usually deals largely with who would have access and where the data is stored. I’d obviously consult a lawyer but I don’t see the cloud being an issue. Perhaps Particle would have to jump through some regulator hoops.

What are you trying to do @wesner0019?

Im making a device that deals with medications. Right now we are having people sign HIPAA release statements. In the future it would be better to not have to have people do this.

im intrigued. is this for a startup? within hospital use? sorry if im prying, but i always love it when startups built cool stuff…especially when they are particle powered!

3 Likes

@avidan, this is for a startup. We’ve been using particles platform from the beginning! Our next model is using the P1. This device is a Class 1 medical device and are not initially targeting hospitals but its in our plan to do so later on. Right now we 3D printed 23 devices that are ready for testing. Shortly I’ll be making our next models with the P1 hopefully next week!

1 Like

Actually, we generally don’t store PII (Personally Identifiable Information), and I’m working on a system to solve that issue you raised. :slight_smile: So if you’re pushing your data to a database somewhere else, controlling access to that datastore, keeping an access/audit log, and encrypting it at rest (which is a good practice), and only storing what you need, you should be good. :slight_smile:

Thanks,
David

2 Likes