72 comments

[ 0.26 ms ] story [ 80.8 ms ] thread
First step: figure out if you are a covered entity or a business associate, or neither. If not, the law doesn't apply to you. However, you may still want to follow its guidelines.

it's an onerous law and many people now cite it when they don't want to provide information, even if the law doesn't apply to them.

This unfortunately seems to also be the case with GDPR in Europe. People use it as a scary sounding excuse for various nonsense, even when it clearly doesn’t apply. I recently heard a university claim that GDPR prevented them from recording lectures amongst other things. I’ve also heard numerous individuals complain that GDPR prevented them from doing one thing or another, when GDPR doesn’t apply to things individuals do in most cases. Well-publicised laws generally get this treatment, where people invoke their name as some sort of magic incantation to justify their action (or more often inaction), and know little to nothing about the law itself.
I'd be curious why University recordings weren't subject to GDPR myself. Consent could be had and managed but I could see this as enough trouble to just not do recordings as a result, especially since it can be withdrawn later.
I don't know anything about GDPR, but I guess at most it will protect students. If they only record professors while giving lectures, that can't be illegal, can it? And I'm sure the professor cannot withdraw consent for sharing the video anymore than an actor can withdraw consent from appearing in a film he had played in 10 years ago.
Not GDPR, but school regulations and other privacy regulations may prevent such recording by students.
At least pre-Covid, I presume that the general contract for professors does not include an agreement to be recorded, their job duties include giving lectures to students but not (without specific amendments) preparing recordings for public distribution. IMHO it might be the case that if a particular professor really wants to, they can refuse to be recorded (or refuse to allow arbitrary redistribution of the record beyond the students to which the lecture was given) without any legal ability for the university to push them to agree to that - while in this site most of GDPR discussion refers to its application for websites, in reality most of GDPR enforcement has been in the non-web world and especially for the employer-employee relations, including things like surveillance cameras in workspaces and the validity of nonnegotiated clauses in employment contracts regarding employee privacy rights; so the employer pushing a contract change "agree to be recorded or stop working for us" might not be legal. The specific details matter, of course.

Some examples of actual GDPR enforcement cases for mishandling of employee information:

https://www.complianceweek.com/regulatory-enforcement/german... - general video surveillance of employees;

https://www.infosecurity-magazine.com/news/hm-fined-352m-for... - one of the biggest GDPR fines, for tracking various (IMHO clearly unreasonable) private data of employees;

https://dataprivacymanager.net/725000e-gdpr-fine-by-dutch-dp... - collecting employee fingerprints in an inappropriate manner.

https://inplp.com/latest-news/article/EUR-150000-gdpr-fine-i... - employer asserting that a "consent" form that they forced all employees to sign counts as actual consent.

I'm not saying that this necessarily prevents recording of lectures, but it also doesn't seem to be the case that you can "just do it" without properly accessing the legal aspect.

They are subject to the GDPR in so far as they might record students, who might then need to give consent, which could then be withdrawn. In so far as the lecturers are concerned, the lawful basis is likely not to be consent, but rather a contractual obligation, where different rules apply. If for instance, paid actors in films could arbitrarily exercise their right to be forgotten, that would not be a tenable situation.

The solution is clearly to not record students in any identifiable way, but there’s no need to avoid recording the lecture altogether. In fact, if the student were not identifiable, I expect it would be perfectly legitimate to record them without any explicit consent.

Disclaimer: I am not a lawyer, this isn’t legal advice

> First step: figure out if you are a covered entity or a business associate, or neither. If not, the law doesn't apply to you.

If you are a "covered entity" try and work out if you can stop being one. If you can avoid collecting HIPAA relevant data and still make your business model work, that's likely to be a significantly easier path to take than ensuring ongoing compliance. (Same as PCI compliance - outsource all that brain damage to Stripe or Square or whoever, and be able to look a judge in the eye and say "We never even see credit card data.")

Wise words. Information should be treated as toxic effluvia and HIPAA compliance (as well as GDPR and related laws) should be considered as superfund cleanup procedures. They are expensive, complex, and fraught with legal risk.

Don't collect information, don't store it, unless absolutely necessary and you can't find an expert certified third party to handle it for you.

We had a PCI QSA who argued that pages that linked out to payment processors were in full scope for PCI, because if compromised, they could be changed to point to a compromised payment entry site. Which logically means that pages which point to those pages are also in scope, all the way up the stack and suddenly everything is in full PCI scope.

Absolutely use a PSP to minimize your wasted effort on compliance activities, but also choose a sane QSA.

Note this is explicitly covered in the PCI self-assessment questionnaire levels. SAQ A-EP is specifically for websites where you own the website, but link out to something like Stripe for the payment processing. Here's a good overview I found googling for "SAQ A-EP vs SAQ A":

https://epayments-support.ingenico.com/en/direct/faq/compari...

It's been over a decade now, but I seem to recall the debate was not about "what needs to happen if this page is a payment page?" but rather was around "what makes a page in-scope for that requirement to apply?" and the QSA initially held/expressed an entirely illogical position on the matter.
That’s what I call the “divide by zero quality system”. If you don’t ship, then there’s no risk of leaking customer data. Likewise, if you just assume that every screen in your app is in-scope for PCI, then the consultant has a very easy job.
Query — if one makes an excel macro that consolidates PHI into a chart, that is then copy and pasted into a medical note, and no PHI is transmitted by the macro, but can instead be saved as a Marco-enabled xlsx file and emailed to another location... does that make one an CE/BA or not?
IANAL

It’s actually way simpler than a lot of people here are making it out to be.

If you are storing OR transmitting PHI you are required to be HIPAA compliant. That’s it.

> It’s actually way simpler than a lot of people here are making it out to be.

> If you are storing OR transmitting PHI you are required to be HIPAA compliant. That’s it.

IANAL

I don't think that's accurate or correct. I think that is how all parties should behave, but that is not what the law mandates.

Covered Entities are the only original entities that are required to be HIPAA compliant. That's a relatively specific definition.

Here's a source to the NIH which supports my position: https://privacyruleandresearch.nih.gov/pr_06.asp#:~:text=Cov....

> The Privacy Rule applies only to covered entities. Many organizations that use, collect, access, and disclose individually identifiable health information will not be covered entities, and thus, will not have to comply with the Privacy Rule.

> Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards

So if you are not a Health Plan, a Health Care Clearinghouse, or a Health Care Provider; and you have not entered into a formal contractual relationship (known as a BAA) with one of those three entities then you are not subject to HIPAA.

If you are not a Covered Entity, you can ask for people to submit their PHI to you in plain-text. If they do, you could store it in plain-text. Again, I want to be really clear: *you should not do this*, but it would be legal to do so.

I think if you are storing or transmitting PHI you should be required to be HIPAA compliant, but it's just not correct to say it is categorically so.

I think we agree, we just define PHI differently.

> “ Many organizations that use, collect, access, and disclose individually identifiable health information will not be covered entities”

They don’t use PHI here for a reason.

When an individual, not a provider or insurance company, submits a health record to you, it’s not technically considered PHI.

Therefore, I believe my statement still stands.

That seems like a terrible definition to me.

At the least it's very misleading to say the only thing that matters is PHI, with a hidden footnote saying that PHI means "records that HIPAA cares about, gotten in a way that HIPAA cares about".

Even if that's the definition in the law, call it "HIPAA PHI" or something, since it seems to me that it's definitely not supposed to be a general-purpose definition of PHI.

PHI means protected health information. Protected means protected by HIPAA. By definition, there is no PHI not protected by HIPAA. HIPAA is concerned with what health information must be protected and defining that defines PHI.
The exact same information can be held by two different companies, yet only one of those companies is obligated to protect it.
I disagree.

You need to have a definition of health information that falls under HIPAA. That definition is PHI because it’s literally Protected by HIPAA.

Calling any health information “PHI” bakes in bad assumptions by both parties.

The data my phone gathers on me is the same data my doctor might. It’s PHI when my doctor generates and stores that data. It’s not when I do it. This is a good distinction.

The way I see it, while the distinction you describe is correct, there's a reasonable desire that this distinction should not exist and if some app on your phone collects private health data then that data should get the same protections as if your doctor collected it; and if the app developer wants to store and process that data then they'd better be able to comply with HIPAA-like requirements or stop handling sensitive data. It's not like it currently is, but we can try and get there.
this is not the legal definition of PHI in HIPAA
I think it's still incorrect to disregard the entity. HIPAA only creates privacy obligations to Covered Entities and Business Associates.

It doesn't apply obligations to all people who might receive Protected Health Information.

If a hospital makes an error, and emails the medical charts for a public figure to a journalist, the journalist has no obligations under HIPAA. They would be free to publish the information, to store it without privacy safeguards, etc.

The data remains PHI, but the journalist is not required to follow the HIPAA privacy rule. Though, I again think it would generally be better if the voluntarily did so.

By my (again, also a non-lawyer understanding) the privacy rule is a venn diagram that only applies if:

- You are a Covered Entity or Business Associate, AND - The data being handled is Protected Health Information

(comment deleted)
No. If you are not a covered entity or business associate, that is not correct
If HIPAA compliance is difficult enough to come up with something like this, you have bigger problems.

There are very challenging compliance frameworks. HIPAA isn’t one of them.

Hipaa is very vague, which can make it extremely challenging.
> If HIPAA compliance is difficult enough to come up with something like this, you have bigger problems.

I’m a bit confused. I was just giving a hypothetical product (I’ve seen similar on the market), that I can guess with high probability has not implemented protocols that I would consider proper for HIPAA.

So, maybe my SAT comprehension is abysmally low... I’m not sure what you’re saying there.

PCI compliance is a little different as it’s an industry standard and not a legal standard. Far less fear of prison time if you mess it up. That said it’s still way better to outsource all that worry.
I'd say the first step is "Is this data even the kind where HIPAA compliance might be required?"

The number of people I know who conflate "human subjects data" and "HIPAA data" is staggering.

The idea that you should inspect your systems for risk and then mitigate that risk should not be considered onerous.

The idea that you should protect your Grandma’s healthcare data and encrypt it should not be considered onerous.

If software development was actually “real” engineering, we’d have no need for HIPAA and something as obvious as its risk management statute.

HIPAA is what happens when the tech industry acts irresponsibly and fails to police itself. We continue to choose features over security/maintenance.

This is how every discipline evolves.

Do you think building codes and fire codes were thought up out of thin air?

Do you think the FDA came into existence just because?

The SEC was created in 1933, as direct result of the Great Depression. Dodd-Frank and CFPB were a direct result of the 2008 financial crisis.

Every discipline starts out without regulation, until it inflicts some injury upon society that motivates the creation of regulation, which then often calcifies the industry and creates barriers for new entrants. The difference with data is just that we happen to be alive to see that transformation taking place.

Yup, people should follow the "rules" even if they don't actually apply to them. Confidential personal information should be kept confidential short of a legal compulsion to divulge it.

Over my decades in IT I've seen plenty of things by accident (and once, not-accident. A guy was getting a lot of gay "spam" and wanted me to stop it. I went along with the cover story, knowing perfectly well it was message digests from a forum he had to have signed up for.) None of it gets repeated other than anonymized.

HIPPA is going to lead to a lot of deaths, but you'll never be able to prove it. If Doctors and Nurses aren't allowed to hear about patients after they transition to another floor, department, facility, how are they supposed to have the feedback required to improve the standards of care?

ER staff used to keep tabs on their patients with other staff, to see how they were doing, and now they aren't allowed to do so. It's the road to hell paved with good intentions.

Citations would be helpful for such a claim. I work with HIPAA daily, and while I agree that it has a lot of problems, the one you identify here would be an issue of misguided hospital policy. The hospitals would be absolutely within their rights to allow care teams to follow up with patients as they transition.

Now I could easily imagine HIPAA being used as a scapegoat for a set of restrictive policies that are actually being driven by other incentives.

I said at the outset it could never be proven. There will never be anything to cite, just a continuing trend towards mediocre medical practice in the USA.

I'm not a medical person, but have had family in that role. They couldn't comment on it, but I sure can.

Informal discussion of patients has been stopped. The feedback channels that allow for discovery of subtle problems and their solutions have been removed.

ER staff used to visit their patients, and keep in touch with them, this stopped with HIPPA. This is dehumanizing.

Imagine if developers weren't ever allowed to discuss bugs in their programs, unless they were actively working on the same bug? Think of how much that would kill productivity.

What if we weren't allowed to discuss any software or OS we currently don't have a license to use? That's about how strict HIPPA is when it comes to discussing patients, at least as implemented by Hospitals.

It is far far safer for them to shut all talk about patients down, in terms of patient satisfaction, lawyers, lawsuits and fines.

Unless you work in a hospital and experience the rules first hand I suggest you remember what you were taught in kindergarten, do repeat things you’ve been told because they might not be true.

I work in a hospital and I’ve never seen anything remotely like what you described. Our hospital has some of the most sophisticated monitoring systems available for inappropriate patient information access.

I think you missed a rather crucial "not" in that first paragraph.
If you see a patient in the ER, and something you did causes an effect a week later, how does your facility enable to you learn about it?
You don't have experience with HIPAA, and what you're describing is not at all true.

> Informal discussion of patients has been stopped. The feedback channels that allow for discovery of subtle problems and their solutions have been removed.

No way. I work with hospitals, there are plenty of feedback channels and cases get discussed at length. HIPAA does nothing at all to stop any communication or data sharing that is beneficial for patient safety.

> ER staff used to visit their patients, and keep in touch with them, this stopped with HIPPA. This is dehumanizing.

This is not at all true.

> Imagine if developers weren't ever allowed to discuss bugs in their programs, unless they were actively working on the same bug? Think of how much that would kill productivity.

Hospitals literally do these kinds of debriefs all the time. HIPAA does nothing to stop them at all.

> It is far far safer for them to shut all talk about patients down, in terms of patient satisfaction, lawyers, lawsuits and fines.

You totally misunderstood HIPAA, what it regulates, and how it regulates. It in no way shuts down conversations about patients. I deal with HIPAA-protected data and compliance all the time, I have no idea where you got this impression, but it was not from a doctor.

I'm glad that Doctors get to find out about outcomes of patients long after they've been handed off.. the strong impression I got indicated otherwise.
Man, I'm glad others are dragging you here, but HIPAA, pay attention here, SPECIFICALLY CARVES OUT INFORMATION SHARING IN THE CLINICAL ENVIRONMENT BY PRACTIONERS.

It SPECIFICALLY calls out that practitioners are allowed to describe in detail the medically relevant information of their patient to other people in the course of providing healthcare. This is NOT what HIPAA prevents, and to say otherwise is to completely understand both its stated intent AND how it's practically implemented in the field.

If you are a boarder patient (in a gurney in the hallway because there are no rooms available), a nurse or doctor IS ALLOWED to ask you questions, document your answers, and discuss your case in said hallway.

Informal discussions still happen ALL THE TIME, but practitioners use a room number rather than a patient's name, and because that information isn't personally identifiable, it's HIPAA compliant.

ER staff... still visit their patients. What on earth are you even talking about? Doctors and nurses round, they chart, they discuss and plan with one another. They communicate freely.

While there have absolutely been rare cases where information hasn't been shared as timely as it should have been (when, say, a requesting facility was foreign to another facility, and so data sharing was limited, wrongly, in the name of HIPAA), the positives of the law, which STOP a facility from just publishing your health data, or more importantly, prevent your health insurance company from broadcasting your data or selling it or using it for marketing purposes, is positive.

Patients should be able to receive quality healthcare without concern that their personal health history will be made public. HIPAA prevents the sharing of a patient's diagnosis or medical data without that patient's permission, which is how it should be.

But in terms of clinical outcomes, the hospitals still work. The nursing staff still works. And everyone knows damn sure they shouldn't be discussing a patient's name outside of work, or posting a case on the 'gram.

>ER staff... still visit their patients.

Everyone shares information about their active patients... but nobody can follow up or share information on former patients anymore. It's an ER specific corner case I'm worried about, as they tend to see patients actively for a short amount of time, then are shut out of their lives by HIPPA.

>or posting a case on the 'gram. There is a chilling effect on the discussion of interesting cases via social media in general... nobody wants to get fired in this atmosphere of fear. I agree that patients should have their privacy, but the pendulum has swung a bit too far.

There’s a whole lot of yelling in this thread and, so far, zero legal citations. I won’t believe anyone here knows what they’re talking about unless they can prove it.
The issue you raise is the opposite of what the day to day concerns are.

Clinical systems, in general, are much too permissive and allow too much access to too many people.

There's absolutely nothing in HIPAA that prevents coordination of care or cross functional team communication.

HIPAA is actually a very well written law, and very reasonable.

It says things like, you can't use an EHR to mine patient data for marketing purposes.

You have to take privacy seriously and build safeguards.

You have to document that you did that.

You have to do risk analysis, and document breaches, and follow notification protocols.

I'm a former HITRUST auditor, and CTO of healthcare company. I've been deeply involved with this law for many years, and to date, I haven't found any part of it that I disagree with.

That has nothing at all to do with HIPAA. The standards of care in many hospitals are really awful, but incompetence isn’t correlated with overly aggressive information policy.
I worked with HIPAA and am married to a physician. What he claimed isn't possible is entirely possible.

You are allowed to follow patient. You are allowed to track outcomes.

If a patient isn't actually in actually in your care, there are HIPAA defined means for reviewing cases for quality control.

HIPAA specifically states that provider to provider disclosure of PHI does not require patient consent.
And on the opposite side, I would love it if I could have hospitals destroy all my records as soon as I leave, because I value my privacy more than their fetishist interest in collecting information that would put google to shame.

After trying in vain, I've realized it's fighting windmills on an uphill battle, an I just do medical tourism. No records, paid in cash, in a different country each time

Hospitals wish they could destroy your data as well, state laws dictate that hospitals and doctors retain the data, in some states for as long as 15 years.

Hospitals would love to treat you as new patient every time through the door, that way it’s your responsibility to inform them of everything and anything that might impact care, it would eliminate a ton of liability for the hospital.

Start writing you state government officials and get your laws changed.

If worked for a social networking company, and I work for a hospital, you are a fool if you think hospitals have more data. At the social networking company we knew about all you health issues, we knew about your affairs, your spouses affairs, everything you’ve bought in the last 10 years, we knew if your children were actually yours, everything your children were up to, we ankles to n all your text messages, all those years their chatting you platforms, we had reciprocal agreements with them all. We knew everything you ever searched for, every porn site you visited, all your fetish’s, how much you made, your bank amounts. EVERYTHING.

> Start writing you state government officials and get your laws changed.

I'm lazy. I travel instead. Medical tourism gives me higher quality healthcare.

> EVERYTHING

You wish. I use tor and have had no social network presence for over 10 years.

Differential diagnosis is a valuable medical technique... and you want to eliminate all possible baseline information.
Yes, my privacy comes before everything, including my health.

When your medical records are leaked (only a question of time) you can't say you weren't warned.

This comment demonstrates a lack of understanding of HIPAA.

All of what you described is allowed under HIPAA. It happens every day.

This is a very misinformed comment. I suggest you talk to pretty much anyone who works in healthcare before fabricating rhetoric about how the system works.
This thread represents a failure to communicate, please allow me to restate and clarify.

I followed up with my unnamed family who are in the medical world, to see if I was wrong (as the comments here so loudly proclaimed). I was told that I was generally correct and they shared my concern.

It appears I didn't express myself clearly enough, and other people weren't charitable enough in their reading of what I said to allow the benefit of the doubt.

I'll restate things, now that I've seen a day worth of feedback, as I'm interested in the truth, and not being right, I hope you'll allow this.

My observation is that the behavior of my family members has changed because of HIPPA.

Long term follow up of former patients, seems to have been completely shut down by HIPPA and the way the medical industrial complex interpreted it.

Informal learning of interesting cases (corner cases) seems to be another victim of HIPPA.

As a patient, I value privacy. I am concerned that the proverbial pendulum has swung too far, and we are cutting off a valuable (out of band signaling) mechanism for improving the practice of medicine.

Did I explain it better this time? What could I have stated differently, or more explicitly?

Thank you all for your time and attention.

Tangential, but since Signal doesn’t store user data, does that make it HIPAA compliant by default?
I'd recommend reading through the guide (at least the first part) for a better understanding but in short no.

Signal without a Business Associate agreement to handle PHI would be either be considered limited/incidental or as a conduit and not on the hook for PHI data going through them incidentally the risk would stay with the entities using it not Signal itself (and certainly not absolved).

Secondly it doesn't matter if data was only "in flight" when leaked and not stored. I.e. the availability of the protected information is what is regulated.

Thirdly Signal DOES store user data for up to quite a long time as it proxies the delivery of messages, just in an encrypted form (a plus for meeting requirements though) it's not supposed to be able to read and supposedly deletes it after it no longer needs to hold onto it.

Finally if someone hacked the Signal servers and a bug in the encryption was found or you forgot to check the conversation verification code and were being MITMd then it's still a violation anyways. That is you're good until you aren't - the encryption only protects you while it worked not because you tried (though if it is found you didn't have any encryption on some data that in itself is a fineable offense).

Adding to zamadatix's excellent points - it falls under the HIPAA Conduit Exception, which includes encrypted email and the US Postal Service, through which a healthcare provider can send PII with a reasonable expectation that the messages won't be intercepted in transit.
I use to work for a Medical Simulation company and they wanted to get into the Hospital data business for sepsis. I had to get HIPPA Certified before I could even get access to the databases of the “unidentifiable” information. Having the certification was more of a burden than useful. There’s no such thing as unidentifiable hospital data. Instead of finding a connection to sepsis I found certain hospitals were ordering unneeded, or atypical, procedures which had resulted in a much lower fatality rate from sepsis. The project went nowhere and insurance companies weren’t interested in saving lives.
There's also not such a thing as "HIPPA Certified" and anyway it's "HIPAA". Do you mean you got some sort of training in how HIPAA privacy and security rules apply to you?
There is(was?); this was in 2014/15. I don’t remember exactly why it was called. It was a hipaa data security certification. I sat in a weekend class and got a cert that was required by the 3 hospital data companies we were working with in the Denver/Colorado Springs area.
But who provided the cert? Was it the US government or was it some 3rd-party profiting off HIPAA-confusion?
The hospital is well within their right to request a 3rd party certification as a proxy for their evaluating a potential business associate before exchanging information, since as a covered entity they can be held liable for something that happens to the information they divulge.
It seems like they're advertising their vault service for healthcare data. They then offer a disclaimer that they are not lawyers. How can you offer advice for such a risky area and then not stand behind it? Is your service also not verified by lawyers?

It seems like a marketing piece with the intention of showing off their product, but I found that part to be odd.

> Is your service also not verified by lawyers

This is exceedingly common w/ service providers in the HIPAA compliance space. They want the benefit of sounding like an expert while washing their hands of any consequence if/when they have made a mistake.

The lawyers would have insisted on a disclaimer like that. The problem is that true legal advice as opposed to information or guidance - a judgment that suchandsuch solution fulfills your specific legal obligations in suchandsuch scenario - can’t ethically be given by lawyers without personal consultation and can’t legally be given by non-lawyers at all.
This is standard, and doesn't mean they aren't standing behind their work.

If you ever see "legal advice" (in the loosest sense of the term) being given in online forums, like /r/LegalAdvice, the phrase you see the most is IANAL[0] – "I am not a lawyer." By actual lawyers, you usually see the variant "I am not your lawyer."

Being my lawyer means I have cilent-lawyer confidentiality and other privileges. But you commenting online, or writing a github repo, doesn't meet that standard. This might seem very obvious to you, but unfortunately I've seen people get this wrong a bunch. It's a component of ensuring we protect everyone's rights.

Essentially if you used that project and got in legal hot water, and then said, "but hey, I got legal advice from this github repo", well if they were lawyers they could lose their license. This is drilled into them as ethical behaviour. Getting it wrong comes with risk, and there's no benefit.

A lawyer is only going to give you advice once you're actually their client, have signed an engagement letter or similar, and most importantly they understand the facts of the case. Legal advice is case-specific, and giving general advice leads to wrong advice, which gets people in trouble.

[0] https://en.wikipedia.org/wiki/IANAL

https://en.wikipedia.org/wiki/Practice_of_law#Unauthorized_p...

HIPAA is the lowest bar for healthcare now.

Most multi-hospital health systems won't even look at you without a SOC2 / HiTrust, combined with frequent security audits & pen tests.