healthPiper Privacy Policy
Posted November 24, 2019 We promise that healthPiper will always be welcoming, trustworthy, and straightforward. We guard your health information with the same vigilance as we guard are own. And we put our commitments into legally-binding writing.
Healthcare Insurance Portability and Accountability Act (HIPAA)
​
Healthcare information is protected by the Federal HIPAA Privacy Rule, which emplaced requirements for the protection of healthcare information, and also requires that patients be informed of how their health information may be used, and how it is protected. The HIPAA requirements are in green, and the healthPiper commitments are in purple.
​
HIPAA: Entity must describe how it may use and disclose protected health information about an individual
​
healthPiper: We don’t “use” your protected health information, except to provide you treatment. And we won’t ever “disclose” it, except as part of providing treatment. For example, if we transmit a prescription for you to a pharmacy, we will convey to the pharmacy your name, the drug you are being prescribed, and related information such as if you have any allergies. But we only provide them with the information required to transmit the prescription- nothing more. Of course, if you want us to send your records to someone, like one of your doctors, and you sign a release of information, we are happy to send them.
​
Incidentally, since we are designed to be used without insurance, we don't share even a crumb of information about you with any insurance company. If you don't want insurance companies to know about your treatment, then also don't use insurance to pay for medication at a pharmacy, as the pharmacy will inform the insurance company about the prescription. If you get your prescription delivered through our partner pharmacy, or don't use insurance at any other pharmacy, the pharmacy is not supposed to notify insurance. For most medications we prescribe, we can help you obtain prescriptions, without insurance, for a price that is low enough that usually our clients are quite surprised (and pleased).
​
There are several emergency situations that state laws, for good reason, require that we act. Though each state has its own laws, typically if you are in imminent danger because of overwhelming suicidal impulses, you are a danger to someone else because of homicidal impulses, or you tell us about child or elder abuse, we both are required to act and want to act to save lives and to prevent abuse.
​
It is possible that the courts or the State or Federal government will subpoena some protected health information. We have never had this happen, but if it does, we will use any legal right we have to inform you of the subpoena and ask you if you want us to release the information or to fight it. If you ask us to fight it, we won’t release it unless we are legally compelled to do so.
​
HIPAA: Entity must describe the individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the entity.
​
healthPiper: You have the right to your protected health information, both morally and legally. We will provide it to you whenever you ask. And most of your records you can see directly, at any time, because they are in your instant message thread. If you ever have an issue, just message us in the app, and we will jump on it.
​
HIPAA: Entity must describe its legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
​
healthPiper: We are required by law to maintain the privacy of your protected health information. And even if the law changes, we still will keep protecting it, anyway.
HIPAA: Entity must describe whom individuals can contact for further information about the entity’s privacy policies.
​
healthPiper: Just message us in our app. We provide our full policies right here on our privacy page, and are always happy to answer questions.
​
Some legal details:
The HIPAA privacy law defines “covered entities" as an organization or doctor that provides treatment, and "business associates" as an organization or person that works with covered entities doing an activity that requires that they have access to protected health information. For example, if a doctor's office uses a transcription service to dictate notes, (we don't) the doctor’s office would be a covered entity and the transcription service would be a business associate. Contractually, the business associates have similar obligations to protect health information as the covered entity. HealthPiper is an umbrella term for two separate companies, healthPiper PC, which contracts with the clinicians and is responsible for providing the clinical treatment, and healthPiper LLC, which built and maintains the apps, the website, the cloud software, runs operations and employ the concierges.
​
HealthPIper PC and healthPIper LLC have contractual relationships with each other. Under HIPAA, healthPiper PC is the covered entity, and healthPiper LLC is the business associate. Both of them are bound by this same privacy policy.
​
Internet Technology:
We use Amazon and Microsoft cloud services to store the information we use. Trying to protect the information is always on our mind, and whenever we learn or come up with an additional way to strengthen our security, we do it. We know that much bigger organizations with large security teams, like the National Security Agency and Equifax have been hacked, which makes us redouble our efforts.
​
We use standard methods to make our services run well, like google analytics to see how people move through our sites. Google puts cookies on user’s browsers (ours too!) in this process, and likely puts the data they obtain in their vast pool of information about all of us, individually and collectively. We only get group information from Google about the use of our site- we never see (and don’t want to see) the click history of a specific person. We feel reasonably good about Google’s scruples- we initially advertised on Facebook and Google, and Google required that we get certified with LegitScript as a legitimate healthcare provider. Facebook didn’t require we get certified, which made us doubt Facebook’s standards, and so we stopped running ads on Facebook.
​
“Intelligent” Technology:
Over the past decade, computers programmed to use “machine learning,” have proven that they can discern clinically-important patterns in large datasets (“big data”) of health records that humans cannot otherwise detect. The computers might use the information they glean to make treatment safer and more effective. For example, it might be possible to increase the likelihood that the first drug given to a person with cancer will cure them, or that the first medication given to a person with symptoms of depression will restore their motivation and confidence. The available ways to mine healthcare information has been transformed by machine learning, and as a result the existing legal walls constructed to protect an individual’s health information are obsolete and ineffective. Already, as described in the Wall Street Journal, peoples’ healthcare information has been appropriated by “big data” and huge swarths are being accessed and analyzed by companies including Facebook, Amazon, Apple, and Google.
​
As health information is being analyzed, re-packaged and sold in multiple new ways, it seems inevitable that the public’s health information will become widely accessible to conventional marketers and the malevolent alike, as have their credit scores and web browsing histories. Many companies already treat health information like a commodity. HealthPiper was close to hiring a company to electronically transmit prescriptions from our clinicians to the pharmacy. When the company sent us their standard contract to review, we were amazed to find that they were intending to assert “ownership” over all the prescription information that we transmitted. When we asked them to remove that clause, they responded that they couldn’t because they already had contracts with others that committed them to sell them access to all the prescriptions they transmitted. We dropped them from consideration. But they are not alone- the are only single a node in a widespread practice of buying and selling health data.
​
HealthPiper’s culture and purpose for existence is to treat our clients right. We believe that machine learning holds vast promise for good, and so we use computers to analyze the information from the treatment we provide, in order to discover ways to improve care that may be too complex and unexpected for human intelligence to perceive. But we always do our analysis within our HIPAA walls, so that no protected health information leaves them. And we will never sell any protected health information, to anyone, ever.
​
How the healthPiper collaborative team works:
The healthPiper app (or website) you use connects you to your own private instant message thread with healthPiper. There are several people monitoring the thread on our end. Your first message will be from either the “Maître d” psychiatrist or your concierge, who will welcome you to healthPiper, explain the process, and answer your questions. If healthPiper is a good fit for you, we schedule an appointment with a healthPiper psychiatrist (if it isn’t, because, for example, we don’t yet serve your state, we will always guide you to alternatives). When anyone writes in the thread, either you, or someone at our end, their name is included in their message. In addition to the people at our end actively writing in the message thread, we have one or more monitors who read the thread, but don't typically respond in it, though they might, for example, if the assigned clinician isn't available. The monitors maintain confidentiality of the thread under the same HIPAA and healthPiper guidelines as those that are actively writing in the thread. The monitors make sure that we are responsive and available, and helps us, so we can teach new members of the team the “healthPIper way” of welcoming, consistent, quality treatment. If a monitor does write a message in the thread, their name is always attached to their message.