this post was submitted on 21 Sep 2024

126 points (90.4% liked)

Today I Learned

17721 readers

452 users here now

What did you learn today? Share it with us!

We learn something new every day. This is a community dedicated to informing each other and helping to spread knowledge.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)

Rule 1- All posts must begin with TIL. Linking to a source of info is optional, but highly recommended as it helps to spark discussion.

** Posts must be about an actual fact that you have learned, but it doesn't matter if you learned it today. See Rule 6 for all exceptions.**

Rule 2- Your post subject cannot be illegal or NSFW material.

Your post subject cannot be illegal or NSFW material. You will be warned first, banned second.

Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.

Rule 4- No self promotion or upvote-farming of any kind.

That's it.

Rule 5- No baiting or sealioning or promoting an agenda.

Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.

Rule 6- Regarding non-TIL posts.

Provided it is about the community itself, you may post non-TIL posts using the [META] tag on your post title.

Rule 7- You can't harass or disturb other members.

If you vocally harass or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.

For further explanation, clarification and feedback about this rule, you may follow this link.

Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.

Rule 10- Majority of bots aren't allowed to participate here.

Unless included in our Whitelist for Bots, your bot will not be allowed to participate in this community. To have your bot whitelisted, please contact the moderators for a short review.

Partnered Communities

You can view our partnered communities list by following this link. To partner with our community and be included, you are free to message the moderators or comment on a pinned post.

Community Moderation

For inquiry on becoming a moderator of this community, you may comment on the pinned post of the time, or simply shoot a message to the current moderators.

founded 1 year ago

MODERATORS

[email protected]

126

TIL - HIPAA doesn't protect data from being shared between organizations without consent (www.youtube.com)

submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/[email protected]

16 comments fedilink hide all child comments

It obviously protects against sharing data with e.g. your employer, but if a health provider chooses to make your data shareable, there are 2.2M authorized entities that can potentially access the data (identifiable health data).

Excerpt of the video description: Most people think that HIPAA means that their medical records are kept private. But what if I told you that HIPAA doesn’t protect your privacy at all?

This is our first video in a series about medical privacy, specifically looking at legislation that stripped individuals of the right to consent to medical data sharing.

We focus on what HIPAA actually is, how it came to allow our data to be shared without us even knowing, how we’ve been tricked into thinking we have privacy, and steps we can take to reclaim control of our medical data.

00:00 The State of Medical Privacy is a Mess 02:29 What is HIPAA 07:39 How Your Data is Shared 12:10 The Illusion of Privacy 14:48 What Can We Do 22:16 We Deserve Medical Privacy

We deserve privacy in our medical system. Our health information is sensitive, and we should be allowed to protect it. Even while we fight for better medical privacy, please always prioritize your health.

Special Thanks to: Twila Brase, Rob Frommer, and Keith Smith for chatting to us!

List of doctors who have opted out of the surveillance system: https://jointhewedge.com/

Twila's website: https://www.cchfreedom.org/patient-toolbox/

Do you want to fight the system and lead a suit against medical data collection? Contact the Institute for Justice: https://ij.org/

Keith Smith's Surgery Center: https://surgerycenterok.com/

Brought to you by NBTV team members: Lee Rennie, Cube Boy, Sam Ettaro, Will Sandoval and Naomi Brockwell

Edit: changed the title to something that isn't misleading

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 56 points 1 month ago* (last edited 1 month ago) (2 children)

Having permission to access to the HIPAA-protected dataset is only the first hurdle. You also need a medically valid or claim processing reason to look at individual patient records within that dataset. People have gotten into trouble by not respecting this. Doctors and other providers are not going to just poke around in the data for fun. Too little to gain for too much risk.

HIPAA is far from perfect, but it does do a decent job of protecting data at rest and in transit. If a bad actor like a hacker manages to get a copy of it, the sensitive stuff will be encrypted.

We handle HIPAA data at my job, and we all take it very seriously. There's annual training required, and a reporting process for violations. Nobody is looking at anything unless they really need to.

Large corporate health insurance providers are another problem. They of course do have access to it, and I am sure they abuse the privilege for data mining and scheming on claims denial strategies and so on. But that's a political and enforcement issue not an issue with HIPAA itself. They are violating HIPAA and getting away with it because they are a powerful lobby.

[–] [email protected] 11 points 1 month ago (1 children)

If a bad actor like a hacker manages to get a copy of it, the sensitive stuff will be encrypted.

You know doctors offices are still one of the main users of facsimile transmission, right?

[–] [email protected] 18 points 1 month ago (1 children)

Actually I do know that. Pharmacies, too. You do know they are not FAXing giant datasets with millions of patients in them, right?

[–] [email protected] 2 points 1 month ago (1 children)

I'm not disagreeing with you, but the fax loophole does need to be closed.

[–] [email protected] 2 points 1 month ago (1 children)

You're right to point out the problem. Using a rhetorical tone was a bit sarcastic / condescending, so I mirrored it.

I think it's a question of perspective. Your doctor faxing something to a pharmacy or specialist is archaic at this point, and I agree it's not great. If they are using FOIP and not POTS, one would hope it's encrypted with TLS or something (if it's not, it's possibly a HIPAA violation if there's PHI in the FAX). But the blast radius is pretty small.

I suppose if a hacker compromised a hospital system's FOIP they could harvest a lot of medical records that way. But at that point, they are already in and they'd likely be more interested in fatter & juicier targets on the network. Bigger datasets with less effort (versus pulling from a trickle of FAXes going in and out).

Bottom line: yes, FAX is dumb, and it's a problem but it's very small compared to other things.

[–] [email protected] 2 points 1 month ago

Point of fact, I'm not bobs_monkey, the originator of the rhetorical tone. Fax in healthcare continues to survive well past its prime because there is an inherent loophole: analog data transfer is functionally unsuited to encryption. This allows fax to be operated at a "best effort" level of security. There are handling protocols that are meant to keep traditional fax transmissions as private as possible, but these are layer 8 processes with limited enforceability. Beyond that, traditional fax represents a pathway around requirements on encryption while still meeting HIPAA compliance standards.

FOIP is an improvement, but it still allows for interoperability with a traditional fax machine connected to a POTS line in some GP's office that they're unwilling to part with. That means the FOIP user can only be confident of the transmission being secure on their side. I can't speak to the overall adaptation of FOIP in hospital systems, but I do know that there are non-isolated instances of hospitals still relying on traditional fax as opposed to adopting a cloud-fax solution. Hell, there are still major hospitals using SL-100s as their primary phone switches.

I don't even want to get into codec mismatches, because that falls out of scope when it comes to a privacy discussion.

Long story short, achieving HIPAA compliance is a low bar with regards to fax, and if that were to change I believe we'd see fax disappear (finally!) shortly thereafter.

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago) (1 children)

From what I understand from the video and the regulation definition under Health Care Operations there are many ways for the provider to share the data without consent (page 2: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/sharingfortpo.pdf).

“Health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities, which are limited to the activities listed in the definition of “health care operations” at 45 CFR 164.501, include: < Conducting quality assessment and improvement activities, population- based activities relating to improving health or reducing health care costs, and case management and care coordination; < Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities; < Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims; < Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs; Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

Is that the first hurdle you were mentioning? I'm just trying to understand where is the restriction of the second hurdle if in 164.506 it says an entity can use the data:

"Use or disclose protected health information for its own treatment, payment, and health care operations activities"

Trying to understand the distinction add have another TIL moment, not aeguing against the comment

[–] [email protected] 2 points 1 month ago (1 children)

I mean to a degree this makes sense. It might very much be medically required to share such data.

How to, for example, prosecute a doctor for quackery if you cannot get access to the cases they worked on? So for oversight, someone overseeing it needs to be able to know drtaiks about the cases, too.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago) (1 children)

Hypothetically, they can ask for consent from patients, with some form that allows investigative agencies to access contact information of patients for such cases. I think there are other options other than sending it without consent and even the knowledge of the patients.

[–] [email protected] 2 points 1 month ago

I guess personally I'd even be fine with not being asked, though now that you mention it, I'd like to at least know.

But then again, to some extend that's how it works here. My insurance knows about everything, but I need to allow doctors to access or modify my file, and then only portions of it. Like my general doctor can do a lot of stuff, but obviously my dentist can only do dental and radiology stuff.