Open-source HIPAA compliance company policies (catalyzeio.github.io)
172 points by ryanSrich on Oct 15, 2014 | 31 comments


This is a great idea, but the "non-commercial" clause of the Creative Commons license makes the documents pretty useless as the only real use would be in a commercial context.


Mark from Catalyze. We picked non-commercial as the CC license type simply so that people wouldn't modify and then resell the documentation itself. From my understanding, the license allows users to use our docs for their company policies, but you cannot resell the content itself. That would be against the spirit of what we are trying to accomplish with releasing the documentation. If you think that the license is prohibiting this, let me know. We want to make sure that we strike a happy medium of usage/keeping the policies "free".

EDIT: Yeah, it seems like there are some far-reaching, not well understood legal implications of the "NC" license. OK, we're going to re-commit and re-issue these with the BY-SA. Should be up in a few minutes.


I too would love to be able to use the verbiage as a base for my extremely small (me) company that does deal with some PHI. I have no desire to sell your documents but in reading through the license it does appear that I can't use it. Any chance that you could re-license it so that I/we can use it within a commercial (small!?) venture?? :-) Please? I am happy to attribute or not attribute Catalyze. Either way, thanks for releasing these.


We're going to re-license and release these with CC BY-SA 4.0. Just updated the github repo. Let us know if you need any help!


Oh, wow, you guys are awesome. Thank you so much for doing this. About a year ago I went through websites to try and figure out what all this HIPAA means for my website, but it is very confusing. It is great to have a template to at least start with. Thank you!!!


You might want to update your language that forbids commercial use.


Just did. Thank you!


Awesome, thanks! Don't forget the gh-pages branch.


Just updated that too. Should be BY-SA 4.0 across the board now. Thanks!


Awesome!


From the CC license: "NonCommercial means not primarily intended for or directed towards commercial advantage or monetary compensation."

I'm definitely not a lawyer and would like to hear from one interpreting the license for this use case, but it sounds like that could be interpreted to mean not okay to use for a business if it generated a commercial advantage, like HIPAA compliance.

Clarification from your lawyer (published on your site) would be good if you aren't okay switching to a more permissive license.

Suggestion: name them "FREE HIPAA DOCS AVAILABLE AT [URL]" and use a license requiring attribution, should make them hard to resell?


I think you are looking for ShareAlike - i.e., that you can modify the content but must redistribute under the same license.


Said it before, say it again, thank you Mark. I wonder what our industry would look like if we spent less time reinventing the wheel all day long and more time working on the problems we love.


Precisely. I was expecting this to be incredibly useful. With the license restriction, these documents lose tremendous value.


I just did a bunch more reading here on the topic in this article: http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3234435/

We removed the license restriction and changed it to CC BY-SA 4.0. Thank you for the feedback!


Presumably, while one couldn't simply adopt this document verbatim, it could be used as an educational source when drafting your own original HIPAA compliance policies.


Doesn't that mean you just can't sell the policies? You can still use them internally in a commercial enterprise, no?


http://hipaacow.org/ is another good resource for anyone in this field. In the top nav select Resources, Documents and then the subgroup you want information for. Right now the site has Privacy & Security, EDI and Risk Toolkit.

Disclaimer: I am involved with HIPAA-COW on the Security, Risk and soon the Technical Security working groups; we release a lot of information to help people.


Nice, now we need one of these for CJIS! For those not in the know, the Criminal Justice Information Systems guidelines are HIPAA for law enforcement. See more here http://www.fbi.gov/about-us/cjis/cjis-security-policy-resour...


Thank you very much for posting these documents! This will save my small medical tech startup a huge amount of time and pain.


If I'm allowed to go off on a tangent: What's the best place to start reading on HIPAA for non-Americans? We're starting up a healthcare services co (applied YC this batch!!) where we might potentially have to be covered under HIPAA. But there's also a possibility, depending on how we structure our operations, that we can possibly avoid it altogether.

I can dive deep into the actual regulations later if we know we have to comply. Right now I need to kinda figure out the lay of the land. Where other services like Aptible or Catalyze fit in the ecosystem. Like {X} is the problem, {Y} is the regulation set and {Z} is the way to comply/resolve it.


Well, there's always the option to go read it yourself: http://www.gpo.gov/fdsys/pkg/CRPT-104hrpt736/pdf/CRPT-104hrp...

HIPAA is a very large, encompassing bill that provides numerous protections for patients. In particular, it provides the necessary legal requirements preventing healthcare providers from disclosing personally identifiable information - typically, things like SSN, name + date of birth, name + zip code, etc. Anything that could possibly be used by someone to identify who the patient is should not be disclosed. HIPAA also lists some technology requirements, but if memory serves me correctly, it only goes so far as to say "industry-standard practices". There are also numerous parts of HIPAA that pertain to billing and insurance, but I don't do billing so I can't speak too much on those.

Another bill to check out would be HITECH.


Well, yes, I can go read the act, but at this early stage I don't have that much time to spend on legalese without first understanding the contours. I'm looking for simpler explanations, case studies, blog posts of individuals or companies; some of which the rest of your comment provides. So thanks for that.

Would you mind sharing your email (mine is in my profile) in case I want to bounce a few questions off you? I promise to keep it short. TIA.


I found this book helpful: The HIPAA Roadmap for Business Associates ( http://www.amazon.com/gp/product/1484067010/ref=oh_aui_searc... ). It goes through some of the basics of HIPAA, what kinds of policies you need to have and why, and includes some example policy templates similar to the ones being graciously provided in this article.


Wrote an answer on this on Quora last week ->

http://www.quora.com/Where-is-the-dividing-line-in-building-...

I just sent you an email too. Hopefully I can help out a bit.


FWIW the only way you can really avoid it by the structure of your operations is either:

1) Never handle any US protected health information in any way at all, or
2) Push this off entirely to a partner.

If you are operating in the US in healthcare, at the very least you will need to audit yourself to ensure (1).


Thanks for this. We have a company under us that deals with HIPAA, and we've been struggling to come up with policies (or even where to begin) as the medical field is nowhere near our main focus.


Seriously, thanks for doing this.


This is great! I passed it along to our managers; I work in a community health center.


This is awesome! Now, if there were one for NPI and the CFPB...


Thank you so much!
