3 comments

[ 2.3 ms ] story [ 18.6 ms ] thread
I had a video call with my health care provider (HCP) this morning. The HCP asked for the username and password of my account on Tandem's t:connect system so that they could look at the data emitted by my medical device and stored in Tandem's tconnect system. Tandem's manual for the HCP portal instructs HCP's to do this (#3 under "if patient and pump are at a different location").

"Enter your patient’s username and password ( C ) and confirm that the patient has given you consent to access their device data as described in the authorization disclosure."

I thought this was a HIPAA violation? It seems like an audit flag if nothing else since it implies that all transmission and storage of the patient credentials is then an attack vector. Surely, it's not enough for the vendor to just claim that "patient credentials are to be deleted upon receipt" or similar and be free from regulation under HIPAA?

Of course, I declined as I didn't want my credentials circulated in this fashion.

There is nothing in the HIPAA law or regulations which specifically bans this behavior by healthcare providers and device vendors. It's bad practice from a security and privacy standpoint, but not illegal.
....Ummmm.

That's fairly arse backwards. But okay lets go ahead and trace this out then.

If they want you to share your credentials, they are probably aggregating all data on a machine by machine basis, and access controlling only through the customer. If that is the case, that suggests, not guarantees, but suggests, that they aren't providing auditing in terms of who accessed what data, and why, which is generally part and parcel of what someone is on the hook for. Technically speaking, the spirit of the law is that access of information should be discernable down to a unique individual. One person, one user. Credential sharing nukes that. In fact, it IS in a sense illegal, or at least non-compliant, because they cannot discern whether or not your information has been leaked without authorization. Which is half the onus put on a covered entity.

So I'm going to guess they are not integrated with HCP's, nor are they implementing an access control mechanism whereby users can grant HCP's access to their data tracked in their systems and ACK'd to an HCP and possibly the insurer.

I'd have to emit a WTF are they doing? Tbqh. However, I'd need access to proprietary docs to make any really authoritative statements, because they could be arranging their affairs in a way I haven't been exposed to before.

T. done the HIPAA jig more than once