Yeah but you can't get that genie back in the bottle. Once these data are made available to private industry it's only a matter of lobbyists chipping away at whatever protections were initially legislated. See Also: your TV, phone, car, fucking doorbell, and fridge are all spying on you.
The HIPPA rules on health data are fairly strict, otherwise your doctor, hospital and so on could already be doing wrong. Personally I have a dumb TV, car, doorbell and fridge so not much spying there. The phone I'm less sure of.
HIPPA rules are easily circumvented unless you as a patient are paying attention: I can't tell you how many forms I've opted out of that wanted to explicitly export my data to third parties and partners that are not HIPPA compliant. And at least for my healthcare providers that use MyCharts, they like to make it part of the echeckin workflow, with no option to refuse. So you're forced to go up to the desk to check in and explicitly reject it each and every time. It's a healthcare dark pattern.
And then there are online providers like better health that don't have the option to opt out at all. So you just have to avoid them entirely.
Wait—this doesn't make any sense. I'm a physician and have a lot of experience dealing with protected health information. Third parties are required to sign a HIPAA BAA and obligated to uphold privacy/security standards equal to that of your physician and hospital. Can you provide some specific examples of the third parties you're talking about?
MyChart itself is a component of Epic (the EMR) and is absolutely HIPAA compliant. Every healthcare institution I've worked with has taken HIPAA and privacy/security regarding patient data extremely seriously. Non-HIPAA compliant vendors are an immediate non-starter and don't even enter discussions when looking at new products.
I'm a retired software developer that's worked in just about every healthcare-adjacent industry segment you can imagine with HIPAA compliance being an evergreen issue. I know how this sausage gets made on the back end and let me tell you regardless of what impression has been made to you about compliance and safeguards the reality behind the scenes is always messy. Hundreds of gigs of unanonymized user data lying around on developer machines, getting tossed out accidentally during equipment rollouts, leaky API implementations, half-assed compliance testing, lack of meaningful continuous oversight, vendor services with varying levels of compliance hot-glued together on the back end, outright theft of data, this list is incomplete. I'd recommend a weapons-grade dose of skepticism over any claims of meaningful data privacy as the last 30 years have consistently and comprehensively shown that anything that gets digitized eventually gets outed if there's a financial motivation to do so.
Yes, I do believe what you're telling me—the state of healthcare tech is definitely leagues behind general consumer tech. However, I do think this is a meaningfully different class of issue when it comes to patients' perceptions and actual harms. Patients are afraid of having their health data used against them. For example, revealing medical conditions to potential employers, revealing health information to friends/family, etc. There's a growing mistrust of healthcare institutions in recent years, and there are unfounded accusations of healthcare institutions selling data for financial gain like social media companies and even the DMV (https://www.caranddriver.com/features/a32035408/dmv-selling-...). This class of nefarious patient data privacy/security negligence effectively doesn't happen. I've treated patients who are illegal US immigrants, I see patients who use and possess illegal drugs while in the hospital, but they're not reported to anyone. They're simply treated and discharged. Unfortunately, a growing number of patients don't believe this is the case, and we see substantial disparities in levels of care provided to these patients who fear healthcare.
I'm not at all dismissing how terrible it is that healthcare tech companies can be lax with patient data. This absolutely needs to be better! But at the same time, this sounds more like incompetence than active malice. Practically speaking, a patient is extremely unlikely to experience actual harm because a developer accidentally took patient data home on a personal laptop. Although, I would love to hear more about what kinds of violations you've seen in your time in health tech? I work with third party vendors from a healthcare institution, and I absolutely want to figure out how to fix this.
With stuff like illegal drugs, so long as records are retained by the hospital, what prevents the feds from coming in later with a warrant to go through them?
HIPAA trumps the warrant. HIPAA is serious when it says patient data can only be shared for treatment, payment, and hospital operations purposes. Law enforcement is not an allowable reason to disclose patient information without their permission.
In the US a mere warrant is not enough to pierce doctor-patient privilege, AFAIK. At least I would hope it would take a subpoena or a court order or something of the ilk.
Now, though, if a third party accidentally leaks your patient info, or lead pipes are involved
I don’t usually comment on these posts, but as a HIPAA compliance practitioner working with covered entities (also business associates) I have to take a contrarian view of HIPAA compliance efforts by providers. HIPAA is mostly a “check the box” type of compliance effort, as opposed to building a “culture of compliance.” Most compliance efforts stop at the technology barrier. For business associates, the compliance dynamic is even worse. While the larger BAs do generally comply, because their focus is generally on the technology, for midsized and smaller BAs, in most cases the BA knows the CE will take at face value that the BA is compliant. But there is a reason about 30% (by number) of all breaches are caused by BAs.
Sure, next time I find one of the forms I'll snag it for you. It was rather eye catching because it explicitly stated "You're allowing us to share data with third parties and service providers that are not HIPPA compliant." How do I get it to you?
I wasn't claiming that MyCharts isn't HIPPA compliant: I was complaining as part of a MyCharts workflow I was presented with a form that wanted me to grant someone the right to send my data to non-compliant organizations, and as I said above explicitly stated so.
My email is in my profile page. And if you have truly found that the institution is sharing protected health information (e.g., even just names and date of birth) with third parties who have not signed BAAs, that is a lawsuit worth tens of millions plus government fines of $50,000 per piece of compromised data per patient. I highly suspect that there's some misunderstanding or miscommunication here.
The annual HIPAA training I was subjected to for nearly a decade on the EMR provider side of things never brought up these scenarios, but the Privacy Rule does have carve-outs that allow PHI to be transmitted to entities that would not be considered Business Associates, if the patient consents.
100% this. I just visited an urgent care center yesterday for some strep tests. I was given an electronic signature pad and told to sign for "consent to care". No documentation was given to me on what I was signing - just that I needed to sign.
I had to ask for a paper copy of the form I was signing, which was handed to me. That document said that "I acknowledge receiving the privacy notice ..." Was that given to me? Of course not. Asking for that - well let's just say I think I was the first person to ever ask for any of this documentation. I'm sure my information has been shared with 30 other entities - for a strep test. It's insane and unenforceable as a patient who just wants to get shit done.
It's mind boggling because I highly doubt it's actually true. I'm not sure where the OP is getting that info. Patients can't waive away HIPAA privacy/security rights.
I think the OP is assuming that when healthcare institutions partner with third parties, those third parties are not required to uphold HIPAA. If that's his/her belief, it's 100% false. Third parties associating with healthcare institutions have to sign business associate agreements (BAAs) that require them to uphold the same standard of privacy/security regarding patient data as the first party healthcare institution. There are severe financial penalties for violating HIPAA, and every healthcare institution I've been a part of takes this extremely seriously.
Before I start, I'm not singling you out- I am happy that you're participating in this discussion and sharing your first hand knowledge.
The thing for me is that if HIPAA truly does provide me privacy of my personal information and health care information, why are all of these privacy and consent forms required?
Whenever I am handed a form that says "privacy policy" my sense is immediately raised - what is it that they're trying to hide from me through mountains of legalese? When I don't receive one (as was the case in my doctors visit) then I am REALLY on edge.
For example, with my health care visit, this thread prompted me to call the listed numbers on the website for the health care provider to discuss their privacy policy. The provider's number dumps you into an IVR that has zero way to reach a human - you must dial an extension, and there is no option for an operator. I ended up calling their headquarters to get a callback from a human.
If there are standard mechanisms and policies in place, then we should be able to understand the rules once and never have to sign another form again, because the rules would be clear, unambiguous, and applicable to every health care interaction. If the rules are clear about not waiving HIPAA privacy/security rights, then why have a privacy policy that's three pages of inscrutable legalese that gives a bunch of weasel room for them to "share" information?
No problem—glad to participate! There's a lot of cynicism that leads to misinformation about how healthcare works, so I'd like to clean that up. Let's attack and fix the broken parts of the system, but we should praise the working parts. I think patient privacy/security is one of the few things the US gets mostly right about healthcare.
Regarding the privacy policies: these are created by the legal department and physicians in the department are told to distribute them and get signatures when necessary in order to do things by the book. However, your rights are inalienable and protected regardless of whether you actually receive the policy and sign the appropriate box. If you don't receive the policy, the healthcare institution is on the hook and could face a fine if reported to the DHHS. Things could absolutely be done more efficiently and clearer for patients, but there's a fear in changing things ("if it ain't (horribly) broke, don't fix it"). Trying to improve how privacy policies are disseminated and patients informed could result in an inadvertent violation of HIPAA that results in large fines. So healthcare institutions are disincentivized from trying to improve things here.
I reviewed the patient privacy policy for a few large institutions in the US, and it all seems to support what I'm saying. For example, here's NYU's policy on business associates: https://nyulangone.org/files/business-associates.pdf
The only ways in which patient data can be shared with others are if (1) they're involved in your treatment (e.g., your doctor at another hospital), (2) payment purposes (e.g., insurance), (3) health care operations (e.g., third party vendor software like EMRs, PACS, etc.) All are required to be HIPAA compliant if they're covered entities (i.e., healthcare institutions) or sign a BAA with a covered entity that essentially puts the same HIPAA requirements on them. A violation again results in massive fines, C-suite level firings, and expensive legal fallout.
I spoke with the compliance manager at the urgent care this afternoon and had a pleasant conversation. I shared my concerns that I was never provided a copy of the paperwork I was expected to sign - and they took that feedback to hopefully improve in the future.
I had one question in case you’re still monitoring this thread. The compliance manager mentioned a “health information exchange” which I opted out of (since it was something I can control). Do you have experience with these? It seems benign from the searches I’ve done since the conversation, but I would be curious if you had any insight as a medical professional.
> The HIPPA rules on health data are fairly strict
Depends on how you define "strict". They're pretty onerous to comply with, but they don't really provide patients with anywhere near the level of protection that most people think. It's better than nothing, but in reality, your data is being legally shared with an arbitrary number of entities, without your consent, and without any way for you to even know who has access to that data.
If that data is breached in any way, in theory the reports are supposed to trickle up the chain eventually. In practice? If it's more than one or two subcontractors deep, you'll probably never find out (unless the breached data is posted publicly and you stumble upon it that way).
Also, the cap on penalties is shockingly low: $2 million for all violations of a given provision per calendar year. And that's for willful neglect. If the cause of the violation is determined to be lower than willful neglect, the maximum violation is even lower.
For a very large and well-capitalized company, that might as well be a cost of business.
Bingo. As a new ambulance chaser, I was having some real difficulty getting the medical records for a client - no response for weeks and weeks and weeks.
Aha! I thought. HIPAA gives them 30 days (sort of). We'll sue, and surely there's an attorney fee provision in there. Easy money. GOOGLE Wait what? No private cause of action! All I can do is file a complaint with HHS!
That said, depending on your state, you may be able to make some sort of colorable common-law claim.
Seems unlikely since at its absolute best it's merely synthesizing a mashup of the same information that feeds Google search, and that's assuming it doesn't start seeing shit. Better to go directly to the source so you can at least make an attempt at vetting the credentials/expertise level that went into the information you're viewing instead of guessing how many mommy blogs, spam mills, and reddit comments got sucked into the intake in the process of producing whatever ChatGPT just coughed up.
K, so given a situation where no credible information is available on the net, a system that synthesizes information taken from the net is going to produce credible information through what mechanism, exactly?
> your data is being legally shared with an arbitrary number of entities
And ILLEGALLY shared via non-conformance with federal laws and data breaches.
Just look at the Boeing fiasco and the serious normalization of deviance. You think that doesn't happen when you outsource your entire IT operations offshore to a populace that literally has zero skin in the game?
The HIPPA rules may be strict, but my most frequent breach notification for loss of personal info (averaging once every 2-3 years) is from health insurers and practice companies losing my information.
Working at the edge of cybersecurity and privacy, you've just stepped in it: there is no "Health Insurance Portability and Privacy Act". It's the "Health Insurance Portability and Accountability Act" (HIPAA).
(And I see that no one corrects you below. [edit -- actually a few people do, or the comments are continuing])
Gravity is a fairly strict law too. Maybe you should review what it covers, what it doesn't. The Act greatly expands the "sloshability" of your data, whether the sanctions are appropriate or sufficient to prevent patient harm is debatable.
It's a bit unfair since it's an easy mistake to make but I treat HIPPA as the equivalent of seeing a resume that says someone knows SAP, Bash, JAVA, GIT, Perl. The capitalization is kind of bozo-signaling. HIPPA is bozo-signaling.
I wouldn't expect right capitalization of FedRAMP. But JAVA vs. Java and HIPPA vs HIPAA just seem like you're not truly familiar.
I'm not sure what your comment is: it's a bit unfair; it's easy to make a mistake; it's bozo-signaling; [you] wouldn't expect right [correct?] capitalization; [something other than capitalization] seem[s] like you're not truly familiar.
What's unfair? Are random mistakes unfair (that's a very good philosophical question)? Are we forbidden from learning about other people from their mistakes or from mistakes generally?
The parent says:
> The HIPPA rules on health data are fairly strict
The follow-ons variously say:
> I can't tell you how many forms I've opted out of that wanted to explicitly export my data to third parties and partners that are not HIPPA compliant.
> I wasn't claiming that MyCharts isn't HIPPA compliant
> The HIPPA rules may be strict
I'm more convinced that these people are making claims about the heart of what they presume HIPAA to be than I am about my parent poster's intent. According to part of your comment these people are "not truly familiar", but without that surfeit of "P" all over it we wouldn't know. My comment was based on an actual conversation heard in the field while working with what is potentially HIPAA data.
As for the parent post, the thought in my mind was: is it a mistake? Is it a troll? Is it a mistake and they thought it was funny so they didn't correct it? I'm willing to give them a tip o' th' hat for the inadvertent glimpse into the bland certitude of inaccuracy.
If anyone wants to argue or discuss hypotheticals, how about this:
"Patient X's head was caught in a drop forge, and now they need to get four CAT scans a day."
How does HIPAA apply to this statement, how would you anonymize it, and how effective would those measures be against de-anonymization given the obvious rarity of the situation? Or is something like this simply never to be discussed?
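The de-identification question raised in the comment above, worked through as an added example that is not part of the thread: the block applies a simplified Safe Harbor-style transform (drop direct identifiers, keep only year of birth with ages over 89 collapsed, truncate ZIP to three digits) to a constructed set of records, then measures how many records share each remaining combination of quasi-identifiers (a k-anonymity check). The drop-forge record comes out with k = 1, so the only effective measure at this data size is to suppress it entirely. The records, the 2024 reference year, and the omission of Safe Harbor's small-population ZIP rule are assumptions made for the example.

```python
from collections import Counter

# Constructed sample records (hypothetical, no real patients).
RECORDS = [
    {"name": "Patient X", "dob": "1980-03-04", "zip": "10016", "phone": "212-555-0100",
     "diagnosis": "head caught in drop forge", "scans_per_day": 4},
    {"name": "A. Smith", "dob": "1980-11-20", "zip": "10017", "phone": "212-555-0101",
     "diagnosis": "strep throat", "scans_per_day": 0},
    {"name": "B. Jones", "dob": "1980-07-09", "zip": "10019", "phone": "212-555-0102",
     "diagnosis": "strep throat", "scans_per_day": 0},
    {"name": "C. Lee", "dob": "1980-01-30", "zip": "10011", "phone": "212-555-0103",
     "diagnosis": "strep throat", "scans_per_day": 0},
    {"name": "D. Patel", "dob": "1932-05-02", "zip": "10003", "phone": "212-555-0104",
     "diagnosis": "strep throat", "scans_per_day": 0},
]

# Fields removed outright (direct identifiers in Safe Harbor terms).
DIRECT_IDENTIFIERS = {"name", "phone", "email", "mrn", "ssn"}
# Fields that survive de-identification but can still single someone out.
QUASI_IDENTIFIERS = ("birth_year", "zip3", "diagnosis")


def deidentify(record, current_year=2024):
    """Simplified Safe Harbor transform: drop direct identifiers, keep only the
    birth year (ages over 89 collapsed into '90+'), keep the first 3 ZIP digits.
    (Real Safe Harbor also zeroes ZIP3 for small populations; omitted here.)"""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    year = int(out.pop("dob")[:4])
    out["birth_year"] = "90+" if current_year - year > 89 else year
    out["zip3"] = out.pop("zip")[:3]
    return out


def k_anonymity(deidentified, quasi=QUASI_IDENTIFIERS):
    """For each record, the number of records sharing its quasi-identifier tuple."""
    keys = [tuple(r[q] for q in quasi) for r in deidentified]
    counts = Counter(keys)
    return [counts[k] for k in keys]


def unique_records(deidentified, quasi=QUASI_IDENTIFIERS):
    """Records with k == 1: anyone who already knows the rare fact can link them."""
    ks = k_anonymity(deidentified, quasi)
    return [r for r, k in zip(deidentified, ks) if k == 1]


def suppress_small_groups(deidentified, k_min=2, quasi=QUASI_IDENTIFIERS):
    """Release only records whose quasi-identifier group has at least k_min members;
    the rare injury (and the 90+ patient) are withheld rather than published."""
    ks = k_anonymity(deidentified, quasi)
    return [r for r, k in zip(deidentified, ks) if k >= k_min]


if __name__ == "__main__":
    released = [deidentify(r) for r in RECORDS]
    for rec, k in zip(released, k_anonymity(released)):
        print(f"k={k}  {rec}")
    print("suppressed release:", suppress_small_groups(released))
```

Even after every direct identifier is stripped, the injury itself is the quasi-identifier: the strep records share a group of size 3, while the drop-forge record and the 90+ patient each form a group of size 1, which is why a small-group suppression step is the usual answer rather than further generalization.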
The law is called HIPAA and technology providers sign a BAA (Business Associate Agreement) that states they agree to handle and store your information in compliance with the relevant standards and laws. With tools like OpenAI Whisper and GPT the HIPAA mode means that the tools don't retain any memory of prior interactions. Health tech is built on 3rd party vendors; AWS, Google, and Microsoft are huge in the space.
Well, the reality is likely once they get access to the data, are allowed to use it - they will likely be happy to be grandfathered into their accelerated position if legislation passes to create barriers of entry by preventing such mass data gathering/access without express permission - to have an advantage on competition; but generally this won't be a winning tactic in the end because trust is the most important factor, even if consumers aren't driven by that yet as their primary driver.
The mere implication that consumers can be driven by privacy concerns flies in the face of 20 years of observed reality so I'm not sure where you're getting the idea that that is credibly possible. Objectively consumers are driven primarily by convenience, with cost coming in a close second.
Have consumers had any really good or inspiring options yet that put privacy first?
Most of the pundits of Bitcoin and similar - an evolution of the finance industrial complex - seem to claim that the reason there isn't wider adoption is that the "first killer app" hasn't been developed yet. I'd argue it's because its adoption is motivated by profit-greed, which requires a wealth transfer from new adopters to the ones passing off hodling the bag.
Many of the core-fundamental values put forward, what many hope Bitcoin et al would solve, are virtuous and attempting-hoping to solve complex problems - but Bitcoin from a holistic systems perspective, where all consequences are integrated, doesn't fit the bill for what will become the next stable evolution of how society functions with technology. I'd argue similarly to privacy concerns, the solutions that Bitcoin hodlers are aiming for - if they care about such things other than profit from buying low-selling high during pumps and dumps - simply haven't had a viable non-hype and non-greed-driven solution made available yet.
This current wave as a result of industrial complexes forming to maximize their ROI at all costs, first-to-market and maximizing profits allows them to dominate - but for how long? Maybe a decade ago now I wrote a blog post on Facebook's governance, pointing out FB's attempt to maximize profit now will certainly increase annual revenues/profits in the short-term - but would you rather have lower profits for 20+ years or higher profits for 5+ years?
Mark not being an idea person, not a creative - where everyone in tech should know his story involving the ConnectU twins who had hired him - and so he wasn't able to navigate to design and evolve a system to fully harness the potential of having what's essentially a free marketing platform for him as the controller - instead mostly depending on network effect defense strategies including buying up feature sets like WhatsApp, Instagram, etc - who gained a critical mass that could begin to become a competitor with FB, so no real innovation.
The VC industrial complex has been a driver in selecting for all of this, and where acquisitions also suck up and eliminate any up and coming competition that gained enough market share and momentum to be a threat; the incumbent dating and food-delivery platforms-apps are the most obvious for this; the captured MSM is another less obvious version of this, where conglomeration from consolidation has put the power of information control in the hands of fewer and fewer people - why big pharma has been so successful suppressing the majority of negative sentiment about them, as one of multiple parties who are toeing the line and attempting to maintain control with what I call the censorship-suppression-narrative control apparatus; Elon buying Twitter-X created a #ZeroIsASpecialNumber problem in terms of no longer being able to as easily put their hand on the scale of free speech - a blow to their authoritarian-totalitarian and industrial complex dreams, that combination forming fascism.
Another example, I think the advertising industrial complex will collapse within the next decade.
Ads are probably tied at first with downvoting mechanisms for how detrimental of an effect they have on society - where I don't have time to dive into detailing reasons for either right now; they are not mimicking natural patterns for how information-attention was distributed prior to digital.
Business is war, and there are $ trillions at stake - and so who knows what all the various parties, millions to billions of people who most likely mostly blindly follow the status quo system because they believe that they will do better off - those who struggled to get where they are in the manufactured rat race, and holding on for dear life due to fear, when in fact tyranny and scarcity mindset is very expensive - and where the universe provides all the abundance we need, and we can all thrive with proper organization.
“Those who love peace must learn to organize as effectively as those who love war.”
— Martin Luther King, Jr.
Thanks for the convo! Please continue if you're motivated or inspired to!
P.S. I had 2 neck surgeries last week, so my pain level is down a lot - and so words are flowing out of me a bit easier, and apparently you inspired me to say far more than I was expecting, so thank you again.