
Comment by jlokier

5 months ago

Where I live, which is not in the USA, I'm confident my doctor's office doesn't sell their contact list - or at least, not without statistical anonymisation and aggregation for research purposes.

They probably outsource processing the data and storing it to other entities, but that will be under contracts which govern how the data may be used and handled. I assume that's not what "sell the data" means in this conversation.

It would be such an egregious violation of local data protection law to sell patient personal details for unrestricted commercial use, including their contact info, and it would make the political news where I live if they were found out.

Here in NL my local doctor's office just delegates their IT to some US-based company. I doubt they take privacy seriously. Their whole security is a joke, but they make a theatre out of it to give an impression otherwise.

EU law means little in this respect, since it's not enforced and most people don't understand enough on the subject to even evaluate what's going on with their data (or their clients' data).

Also "not in the USA", I actually work on a medical-ish application these days (not the in-production version, mind, but a fork with new features that's entirely separate at the moment).

I have access to ... zero patient data. Our entire test database is synthetic records.