TIL - HIPAA doesn't protect data from being shared between organizations without consent
It obviously protects against sharing data with e.g. your employer, but if a health provider chooses to make your data shareable, there are 2.2M authorized entities that can potentially access the data (identifiable health data).
Excerpt of the video description:
Most people think that HIPAA means that their medical records are kept private. But what if I told you that HIPAA doesn’t protect your privacy at all?
This is our first video in a series about medical privacy, specifically looking at legislation that stripped individuals of the right to consent to medical data sharing.
We focus on what HIPAA actually is, how it came to allow our data to be shared without us even knowing, how we’ve been tricked into thinking we have privacy, and steps we can take to reclaim control of our medical data.
00:00 The State of Medical Privacy is a Mess
02:29 What is HIPAA
07:39 How Your Data is Shared
12:10 The Illusion of Privacy
14:48 What Can We Do
22:16 We Deserve Medical Privacy
We deserve privacy in our medical system. Our health information is sensitive, and we should be allowed to protect it. Even while we fight for better medical privacy, please always prioritize your health.
Special Thanks to: Twila Brase, Rob Frommer, and Keith Smith for chatting to us!
Having permission to access to the HIPAA-protected dataset is only the first hurdle. You also need a medically valid or claim processing reason to look at individual patient records within that dataset. People have gotten into trouble by not respecting this. Doctors and other providers are not going to just poke around in the data for fun. Too little to gain for too much risk.
HIPAA is far from perfect, but it does do a decent job of protecting data at rest and in transit. If a bad actor like a hacker manages to get a copy of it, the sensitive stuff will be encrypted.
We handle HIPAA data at my job, and we all take it very seriously. There's annual training required, and a reporting process for violations. Nobody is looking at anything unless they really need to.
Large corporate health insurance providers are another problem. They of course do have access to it, and I am sure they abuse the privilege for data mining and scheming on claims denial strategies and so on. But that's a political and enforcement issue not an issue with HIPAA itself. They are violating HIPAA and getting away with it because they are a powerful lobby.
“Health care operations” are certain administrative, financial, legal, and quality
improvement activities of a covered entity that are necessary to run its business
and to support the core functions of treatment and payment. These activities,
which are limited to the activities listed in the definition of “health care
operations” at 45 CFR 164.501, include:
< Conducting quality assessment and improvement activities, population-
based activities relating to improving health or reducing health care costs,
and case management and care coordination;
< Reviewing the competence or qualifications of health care professionals,
evaluating provider and health plan performance, training health care and
non-health care professionals, accreditation, certification, licensing, or
credentialing activities;
< Underwriting and other activities relating to the creation, renewal, or
replacement of a contract of health insurance or health benefits, and
ceding, securing, or placing a contract for reinsurance of risk relating to
health care claims;
< Conducting or arranging for medical review, legal, and auditing services,
including fraud and abuse detection and compliance programs;
Business planning and development, such as conducting cost-management
and planning analyses related to managing and operating the entity; and
Business management and general administrative activities, including
those related to implementing and complying with the Privacy Rule and
other Administrative Simplification Rules, customer service, resolution of
internal grievances, sale or transfer of assets, creating de-identified health
information or a limited data set, and fundraising for the benefit of the
covered entity.
Is that the first hurdle you were mentioning?
I'm just trying to understand where is the restriction of the second hurdle if in 164.506 it says an entity can use the data:
"Use or disclose protected health information for its own treatment, payment, and
health care operations activities"
Trying to understand the distinction add have another TIL moment, not aeguing against the comment
I mean to a degree this makes sense. It might very much be medically required to share such data.
How to, for example, prosecute a doctor for quackery if you cannot get access to the cases they worked on? So for oversight, someone overseeing it needs to be able to know drtaiks about the cases, too.
I’ve always taken HIPAA as a compliance standard to protect health data from fraud, theft, etc., and not as a privacy standard. So its focus is more on security than privacy.
I'm not watching the whole video series because I'm no longer paid to sit through "continuing education" lol.
But, while the title of the post is misleading, hipaa was never meant to improve privacy, and when it was originally passed, anyone paying attention to the news knew that. The idea that it's a law intended to do something about privacy as a primary goal came later.
And, in day to day levels, it was actually an improvement over the lack of privacy that existed before it. Where it fails is in privacy protections from the government itself, and from insurance corporations. But it wasn't really designed for that, despite people somehow coming to believe it did.
But for the average person? It made it much harder for you or me to access someone else's records, and slightly reduced exposure of records overall.
Now, again, this isn't based on the videos, only the title of the post. The title is inaccurate and misleading, though I hope that people do look into what hipaa does and doesn't do for them because of the title.
Changed the title, not sure how to balance "meant to make it easier to share between organizations (gov included)" and the misconception thay it is a privacy oriented regulation