I am seconding those who are saying check out HIPAA (the correct spelling). It actually sounds like a good idea from the patient pov, but here are your issues -- it sounds like you will fall under the definition of "medical provider" so yes, the legislation will apply to you. What this means is that you are required to take, I believe the language is "all reasonable precautions" to safeguard the medical data in the database. What that means exactly is the heart of the matter, but yes, a hosted solution might be problematical to say the least....
I looked into this for a site I was associated with at one point. I finally concluded that the law did not apply to us because we were not a medical provider (this might be your finesse if you change your setup a bit) but that we were not providing enough security to medical data anyway. I was overruled on this, but I did manage to get them to beef up the privacy policy, which was required for the HON accreditation anyway -- another thing you might want to google; it stands for Health on Net. You might consider requiring a release from anyone who wants to participate, or perhaps simply anonymous usernames, but given the really draconian penalties, it's probably worth the fee to go have a chat with a lawyer... my .02

Dana

> I've got an idea for a site and wanted to bounce the idea off some knowledgeable folk before I pursued it further.
>
>
> The Plan:
>
> The idea is to have a website for users to track their data regarding a specific medical condition. This data is of a medical nature and therefore subject to specific laws, so I want to cover my posterior before I get myself lynched.
>
> There would be two types of users, practitioners and regular users. Practitioners would be trained health specialists who are certified by an international organization; it's a small group, therefore easily verifiable. Regular users would primarily be people who have taken a class with one of the practitioners, so there would be a practitioner-client relationship between users (one-to-many). Access to the site would be free; there would never be any fees to join as a user.
>
> The data would be specific statistics tailored towards this specific medical issue: specific stats corresponding with a timestamp and an optional note. Users would enter and keep track of their own stats and be able to chart their progress over time.
>
> In addition to the basic stats they would be able to submit questions to the practitioner whose class they attended, to seek advice or just feedback on their progress; questions could have specific datasets attached for viewing. Another idea would be for the user to flag their data as openly viewable by their practitioner so the practitioner could keep track of their progress. These are two sides of the same coin; the difference is how the data is accessed: on one hand the user submits a specific set of data (push), whereas on the other hand the practitioner could see all of a user's data (pull).
>
> Lastly, one thing I was considering was an optional blog. To be allowed to have a blog, either your practitioner would give you permission to do so, or you would have to be an active user for a specific period of time (e.g. 6 months). This would avoid the possible problem of someone setting up an account to use as a general blog and keep it topic-specific. With their blog users would be able to attach specific datasets (boasting rights, "look what I did"), but on the whole it would be to keep a public textual record of their progress.
>
> In addition to the user-specific information, there would be:
>
> * a FAQ / knowledge base section of common tips and tricks on how to deal with the medical condition. This would also be available via a regular email newsletter.
>
> * general contact information for all practitioners along with details for what geographical areas they cover.
>
> * a store to purchase books, booklets, flip-charts, etc. There would be no medical devices or drugs available; it would specifically be informational data.
>
> The site would be paid for through sales of the media plus donations; there would be no advertisements of any sort.
>
>
> The Questions:
>
> The questions I have are:
>
> * Are the legalities for something like this so strict that it's foolish for Joe Soap (i.e. me) to get involved?
>
> * Any recommendations on where I should look to find specifics on the US laws for something like this?
>
> * Has anyone got suggestions for me based on my ideas above?
>
> * The site would be US-based; due to how some countries/regions have gone a little funny regarding data (EU, UK), would I be best to keep it exclusive to US users only?
>
> * I'm presuming that if I do go ahead with it, at the very least I'll need a dedicated server, to remove the possibilities of someone obtaining the data. Do you think the laws would allow me (presuming I set up an LLC) to have other sites (e.g. my personal site) on the server, or would it have to be exclusively for that one site?
>
>
> If it would be too legally questionable to do this as a hosted service I may reduce my plan a bit and do it as a per-user install, but I see a greater use for this as a hosted, openly accessible service.
>
> Any feedback would be appreciated.
>
> --
> Damien McKenna - Web Developer - [EMAIL PROTECTED]
> The Limu Company - http://www.thelimucompany.com/ - 407-804-1014
> #include <stdjoke.h>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:5:197106
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/5
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:5
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.5
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
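The quoted plan describes an access model (practitioner-to-client one-to-many, "push" of a dataset attached to a question versus "pull" of everything once the user flags it, and blog rights gated on practitioner permission or six months of activity). The following is an added example, not code from the original thread or from either poster, showing how those rules look as a deny-by-default authorization policy with an audit trail of every decision. All names (User, Dataset, can_view, can_blog, AUDIT) are hypothetical, the sample users are constructed, and "6 months" is approximated as 183 days because the post does not define it.

```python
"""Deny-by-default authorization for the practitioner/client site described above.

Added example; names, data and the 183-day reading of "6 months" are assumptions.
Rules taken from the post:
  * a regular user reads only their own datasets;
  * a practitioner reads a client's dataset only if they are that client's
    practitioner AND (the client pushed that dataset to them, or the client
    flagged their data as viewable by their practitioner);
  * blogging needs practitioner permission or six months as an active user.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SIX_MONTHS = timedelta(days=183)  # assumption: the post says "6 months" without defining it


@dataclass
class User:
    uid: str
    role: str                                  # "user" or "practitioner"
    practitioner_uid: Optional[str] = None     # a regular user's practitioner (one-to-many)
    share_with_practitioner: bool = False      # user-set flag that enables "pull" access
    active_since: Optional[date] = None
    blog_permission: bool = False              # granted by the user's practitioner


@dataclass
class Dataset:
    dsid: str
    owner_uid: str
    pushed_to: set = field(default_factory=set)  # practitioner uids it was attached to ("push")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Audit trail of every access decision: (actor, action, target, outcome, reason).
AUDIT: list = []


def _decide(actor: str, action: str, target: str, allowed: bool, reason: str) -> Decision:
    AUDIT.append((actor, action, target, allowed, reason))
    return Decision(allowed, reason)


def can_view(requester: User, owner: User, ds: Dataset) -> Decision:
    """The first matching rule decides; if nothing matches, access is denied."""
    if ds.owner_uid != owner.uid:
        return _decide(requester.uid, "view", ds.dsid, False, "dataset does not belong to stated owner")
    if requester.uid == owner.uid:
        return _decide(requester.uid, "view", ds.dsid, True, "owner reads own data")
    if requester.role != "practitioner":
        return _decide(requester.uid, "view", ds.dsid, False, "regular users never see each other's data")
    if owner.practitioner_uid != requester.uid:
        return _decide(requester.uid, "view", ds.dsid, False, "not this client's practitioner")
    if requester.uid in ds.pushed_to:
        return _decide(requester.uid, "view", ds.dsid, True, "client pushed this dataset")
    if owner.share_with_practitioner:
        return _decide(requester.uid, "view", ds.dsid, True, "client enabled pull access")
    return _decide(requester.uid, "view", ds.dsid, False, "no push and no sharing flag")


def can_blog(user: User, today: date) -> Decision:
    if user.blog_permission:
        return _decide(user.uid, "blog", "-", True, "practitioner granted permission")
    if user.active_since is not None and today - user.active_since >= SIX_MONTHS:
        return _decide(user.uid, "blog", "-", True, "active for at least six months")
    return _decide(user.uid, "blog", "-", False, "neither permission nor tenure")


# Constructed sample data (not from the post).
TODAY = date(2024, 6, 1)
PRAC_A = User("prac-a", "practitioner")
PRAC_B = User("prac-b", "practitioner")
ALICE = User("alice", "user", practitioner_uid="prac-a", active_since=date(2024, 3, 1))
BOB = User("bob", "user", practitioner_uid="prac-a", share_with_practitioner=True,
           active_since=date(2023, 1, 1))
DS_ALICE = Dataset("ds-1", "alice", pushed_to={"prac-a"})  # attached to a question for prac-a
DS_BOB = Dataset("ds-2", "bob")                            # never pushed; bob relies on the flag


def demo() -> dict:
    """Run the policy over the sample data; returns {label: allowed}."""
    return {
        "alice_reads_own": can_view(ALICE, ALICE, DS_ALICE).allowed,        # True
        "bob_reads_alice": can_view(BOB, ALICE, DS_ALICE).allowed,          # False
        "pracA_reads_pushed": can_view(PRAC_A, ALICE, DS_ALICE).allowed,    # True
        "pracB_reads_pushed": can_view(PRAC_B, ALICE, DS_ALICE).allowed,    # False, wrong practitioner
        "pracA_pulls_bob": can_view(PRAC_A, BOB, DS_BOB).allowed,           # True, sharing flag
        "pracA_pulls_alice_unflagged": can_view(PRAC_A, ALICE, Dataset("ds-3", "alice")).allowed,  # False
        "pracA_owner_mismatch": can_view(PRAC_A, BOB, DS_ALICE).allowed,    # False
        "alice_blogs": can_blog(ALICE, TODAY).allowed,                      # False, three months
        "bob_blogs": can_blog(BOB, TODAY).allowed,                          # True, tenure
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:30} {'ALLOW' if allowed else 'DENY'}")
    print(f"{len(AUDIT)} decisions logged")
```

The point of the shape is that every path that grants access names the rule that granted it, and the practitioner relationship is checked before either the push set or the sharing flag, so a certified practitioner who is not the client's own practitioner gets nothing even for a dataset that was pushed to someone else. The audit list is the kind of record Dana's "reasonable precautions" would want to exist before a lawyer asks who saw what.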
