All is in the title.

I have been looking for a while and couldn't get a clear answer: something like Google itself stating in its documentation that it's HIPAA compliant.

If not, why? What exactly is not compliant, and is there a way to resolve it? For example, by blocking the Google cookie beyond the user creation page.

  • Can you clarify why you think ReCaptcha would need to be HIPAA compliant? It doesn't share any data with Google as far as I know. HIPAA is a legal framework, and if it is a problem for something you're building you should talk to a lawyer. – Nick Hatt May 26 '21 at 14:54
  • We build forms to gather participants' PHI. Some of our forms can be accessed by anonymous participants who land on a User Creation page; that's where the ReCaptcha will be present and the participant has to pass it to be able to continue with the form... The concern now is: what if Google continues to track the user beyond the user creation page and gathers info about his clicks? We think some of the participant's PHI is at risk (or any by-product of the PHI that might allow Google to infer/guess personal health data that should be private). – Ghazi May 27 '21 at 17:02
  • @NickHatt Does a lawyer have the technical background to be able to help with this? Don't think so! How do you know ReCaptcha does not share any info with Google? How does it determine if the user is human with a single click then!? What do you know about ReCaptcha v2 implementation details (I mean for sure, not just speculations)? – Ghazi May 27 '21 at 17:09
  • A lawyer who specializes in HIPAA should have precisely the technical background to answer this question. HIPAA has very little in the way of software requirements. I imagine your lawyer would start by reading the terms of service and privacy policy for the service. – Nick Hatt May 28 '21 at 20:50

0 Answers