Mother Bones is right -- yet a quick example. Here ( https://qoto.org/@reederm/112379606480529835 ) I posted about my own complaint I filed against CVS Pharmacy for what looked to me like a clear HIPAA violation.
I got my official reply to my HHS Office of Civil Rights complaint of 5/3/24 against CVS for violating HIPAA regulations. The minor and rather impressive miracle here is that I got a signed letter from an attorney in only 17 days with relevant regulations and interpretations attached. Good so far.
The result was that they are not going to pursue a formal complaint -- instead they are going to "resolve this matter informally through the provision of technical assistance to CVS."
HHS OCR points out that "a covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.... Further, under the Security Rule, with certain exceptions, the use of encryption is addressable; i.e., not mandatory." [red emphasis mine]
HHS further states under Reasonable Safeguards that "It is not expected that a covered entity’s safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business."
If HHS OCR actually in fact offers this technical assistance in a meaningful way, that WOULD satisfy my complaint -- not that anyone is asking me. This was almost certainly a stupid screw-up by someone in CVS Info Tech programming the canned computer "after visit summary" process to send out way too much information in unencrypted format to people who received a COVID booster at a CVS. If CVS STOPS doing this, I'm good.
To recap -- I received an after-visit summary not only listing what COVID booster med I received, but also my DOB, home address, and all the answers to my screening questionnaire including my answers to whether or not I have ever had a seizure, a bleeding disorder, am currently pregnant, am immunocompromised (including from cancer), have a history of myocarditis, and many other questions.
I will waste my time writing HHS OCR back to thank them and to remind them that to the best of my knowledge I never signed a release for disclosure (which apparently has no legal bearing here?), and that in this new age of AI every major tech company is incorporating AI into EVERYTHING. If I had a Gmail account, Google would have all my medical information from this CVS after visit summary email and likely be utilizing AI to monetize it in some way.
ADDENDUM TO ABOVE: My wife later got a COVID booster and the online fine-print did refer to a consent to email you PHI if you give them your email address. This was in boilerplate of course. If you did not give them your email address, you would instead have to give them a phone number to text you at. I'm real curious to see what they may have texted her in an after-visit summary! Any knowledgeable provider knows not to needlessly send out PHI if not requested even if there is a boilerplate release somewhere. HHS OCR did not even address the issue of a release when finding no significant violation here.