While I wish it was a HIPAA violation, I am not sure it qualifies. "The HIPAA standards apply to covered entities and business associates “where provided” by §160.102. Covered entities are defined as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit PHI in connection with transactions for which HHS has adopted standards" https://www.hipaajournal.com/what-is-a-hipaa-violation/#what...
Covered California is a health insurance marketplace. It is not an insurance carrier or an insurance clearinghouse. Perhaps they're guilty of something else?
However, it may violate the state's Electronic Communication Privacy Act.
https://calmatters.org/health/2025/05/covered-california-lin...
The state will do an investigation on itself and find no wrongdoing.
Sounds like HIPAA needs some adjustments made to cover marketplaces.
HIPAA is not designed to protect consumer or patient privacy. That is a silly fiction that voters and constituents believe in order to prop up the legislation.
HIPAA is designed to protect the privacy of providers, clinics, hospitals, and insurance carriers. HIPAA is designed to make it maximally difficult to move PHI from one provider to the next. HIPAA is designed to make it maximally difficult for plaintiff attorneys to discover incriminating malpractice evidence when suing those providers. HIPAA is a stepping-stone to single-payer insurance.
HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care. No entity under HIPAA can legally divulge the slightest tidbit to your brother, your parents, or anyone who contacts them, unless an ROI is on file. Those ROIs are a thing you have to go pursue on your own -- they are never offered or suggested by the provider -- and those ROIs will expire at the drop of a hat -- and you never know if an ROI is valid until it is tested at the point of that entity requesting information.
Two reasons: The marketplace is not a covered entity (it doesn’t provide healthcare or process transactions), and the information is not a medical record (it’s typed in by the user, not generated by a healthcare provider).
However, California has its own more general privacy law about using medical information for marketing purposes.
So if I fill out my medical record form at the doctor's office, it's not a medical record because I, the user, filled it out before handing it over to the front desk?
Because you filled it out in the context of interacting with a medical provider, then gave it to them for their records, that is a medical record. (Just like a conversation with your doctor about your history would be.)
If you filled out the same form just to keep in your desk drawer for your family’s reference, it would not be. Also, if you ask for a copy of your record, as soon as you take personal possession of it, HIPAA no longer cares about it, because you aren’t a covered entity.
(Source: I founded a startup that spent a lot of money on attorneys to confirm this.)
Filling out forms at the doctor's office is one way they trick you into authorizing them to sell your data, and no matter how careful you are about it, you can still end up having your data sold. https://www.statnews.com/2023/04/07/medical-data-privacy-phr...
Who says it's not? It looks like a HIPAA violation to me.