@MATAK79 I wonder if this is related to that recent unscrupulous project that was advertising to buy secret recordings of therapy sessions. It was obviously for AI scraping purposes.

@_L1vY_ oh wow didn’t even know that happened. I did read something about better help or another of those online therapy things sharing data though. My doc suggested them and I said hell no.

@MATAK79@stranger.social @_L1vY_@mstdn.social

You told your doctor why you said "hell no"? Not every doctor that recommends a given service knows about some services' fuckery.

@ferricoxide @_L1vY_ for future reference, essentially HIPAA laws don't apply to the internet, or all of the internet? Look it up, but there's something there for sure.

@MATAK79 @ferricoxide HIPAA applies to any provider or their organization about releasing ANY patient information to anyone else, without express written consent of the patient. It doesn't matter what format or platform.

@MATAK79 @ferricoxide If you didn't consent to release it in writing, no one should have it


@_L1vY_ @MATAK79 @ferricoxide

Mother Bones is right -- yet a quick example. Here (qoto.org/@reederm/112379606480) I posted about my own complaint I filed against CVS Pharmacy for what looked to me like a clear HIPAA violation.

I got my official reply to my HHS Office of Civil Rights complaint of 5/3/24 against CVS for violating HIPAA regulations. The minor and rather impressive miracle here is that I got a signed letter from an attorney in only 17 days with relevant regulations and interpretations attached. Good so far.

The result was that they are not going to pursue a formal complaint -- instead they are going to "resolve this matter informally through the provision of technical assistance to CVS."

HHS OCR points out that "a covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.... Further, under the Security Rule, with certain exceptions, the use of encryption is addressable; i.e., not mandatory." [red emphasis mine]

HHS further states under Reasonable Safeguards that "It is not expected that a covered entity’s safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business."

If HHS OCR actually in fact offers this technical assistance in a meaningful way, that WOULD satisfy my complaint -- not that anyone is asking me. This was almost certainly a stupid screw-up by someone in CVS Info Tech programming the canned computer "after visit summary" process to send out way too much information in unencrypted format to people who received a COVID booster at a CVS. If CVS STOPS doing this, I'm good.

To recap -- I received an after-visit summary not only listing what COVID booster med I received, but also my DOB, home address, and all the answers to my screening questionnaire including my answers to whether or not I have ever had a seizure, a bleeding disorder, am currently pregnant, am immunocompromised (including from cancer), have a history of myocarditis, and many other questions.

I will waste my time writing HHS OCR back to thank them and to remind them that to the best of my knowledge I never signed a release for disclosure (which apparently has no legal bearing here?), and that in this new age of AI every major tech company is incorporating AI into EVERYTHING. If I had a Gmail account, Google would have all my medical information from this CVS after visit summary email and likely be utilizing AI to monetize it in some way.

ADDENDUM TO ABOVE: My wife later got a COVID booster and the online fine-print did refer to a consent to email you PHI if you give them your email address. This was in boilerplate of course. If you did not give them your email address, you would instead have to give them a phone number to text you at. I'm real curious to see what they may have texted her in an after-visit summary! Any knowledgeable provider knows not to needlessly send out PHI if not requested even if there is a boilerplate release somewhere. HHS OCR did not even address the issue of a release when finding no significant violation here.

@reederm@qoto.org @_L1vY_@mstdn.social @MATAK79@stranger.social

Nice to see that PCI-DSS is more stringent about data protection. But, I guess that's protecting actual money rather than merely privacy.
