HIPAA Privacy Rules and High Tech Services
Health IT Security wrote an article beating up Amazon on its HIPAA compliance process. The article was not favorable, but it was also interesting.
The issue they are talking about was a medic-alert style bracelet that someone bought on Amazon. After this person bought it, the vendor used a picture of it, showing the lady's name, birth date and medical condition, in an ad on Amazon. The customer found out about it when her physician called her to say he had seen it.
When the buyer contacted Amazon, she was told they would investigate. She later received an email from Amazon saying that they would not release the outcome of the investigation.
So the lady reached out to her local NBC TV affiliate. It is amazing what a little bad PR can do. The TV station contacted the Amazon vendor and they apologized and said they would fix the problem. The TV station confirmed that the offending material was removed.
But this post is not about health jewelry.
It is to clear up a possible misunderstanding on the part of the average consumer.
While Amazon may yet get into trouble for not understanding and complying with HIPAA, this is not a HIPAA issue.
For consumers who use apps and other tech products, there is an important lesson here.
Amazon does *NOT* have a HIPAA problem.
In fact, as of today, Amazon's web site does not need to be HIPAA compliant because Amazon is neither a covered entity nor a business associate under the terms of HIPAA. Covered entities include organizations like doctors, hospitals and insurance companies. Business associates are companies that handle HIPAA-type information on behalf of one or more covered entities.
That means that they have no HIPAA requirement to protect your personal information.
They *MAY* have a requirement to protect it under state law in your state, but they also may not. This depends on the particular law in your state. In this case they may be in more trouble for publishing her birth date (which may be covered under her state’s privacy law) than her medical condition.
It does mean that they have no requirement to protect your healthcare information under Federal law, because other than HIPAA, which does not apply here, there is no Federal law requiring anyone to protect your healthcare information that I am aware of.
This also includes Apple, Google and any app that is available on either the Apple or Android stores. Apple and Google are likely covered entities because of the way their employee health insurance plans work, but that is completely separate from iPhones, Android phones and apps.
So, if one of those apps collects information from a hospital for you, for example, and makes it available to you, they can certainly use a diagnosis, say that you have diabetes, to show you ads for diabetes medicine or supplies.
It is also possible (although I think this may be pretty dicey) that they could sell your healthcare data. Depending on the state that you live in, healthcare data may not be protected AT ALL under the state's privacy laws. This is likely because legislators are usually lawyers, and lawyers rarely understand tech, often don't understand privacy, and think that your healthcare data is protected under HIPAA. It is, but only under certain circumstances. The net effect is that it MAY BE perfectly legal to sell your healthcare information.
If anyone thinks differently, please post a reply and I will publish it.
Information for this post came from Health IT Security.