
Comment by SapporoChris

19 hours ago

While I wish it was a HIPAA violation, I am not sure it qualifies. "The HIPAA standards apply to covered entities and business associates “where provided” by §160.102. Covered entities are defined as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit PHI in connection with transactions for which HHS has adopted standards" https://www.hipaajournal.com/what-is-a-hipaa-violation/#what...

Covered California is a health insurance marketplace. It is not an insurance carrier or an insurance clearinghouse. Perhaps they're guilty of something else?

Sounds like HIPAA needs some adjustments made to cover marketplaces.

  • HIPAA is not designed to protect consumer or patient privacy. That is a silly fiction that voters and constituents believe in order to prop up the legislation.

    HIPAA is designed to protect the privacy of providers, clinics, hospitals, and insurance carriers. HIPAA is designed to make it maximally difficult to move PHI from one provider to the next. HIPAA is designed to make it maximally difficult for plaintiff attorneys to discover incriminating malpractice evidence when suing those providers. HIPAA is a stepping-stone to single-payer insurance.

    HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care. No entity under HIPAA can legally divulge the slightest tidbit to your brother, your parents, or anyone who contacts them, unless an ROI is on file. Those ROIs are a thing you have to go pursue on your own -- they are never offered or suggested by the provider -- and those ROIs will expire at the drop of a hat -- and you never know if an ROI is valid until it is tested at the point of that entity requesting information.

    • IANAL, but I work in healthcare, and a portion of my work is trying to ensure obligations under HIPAA are met.

      > HIPAA is designed to protect the privacy of providers, clinics, hospitals, and insurance carriers.

      No? I can practically quote the law directly here, though it is a bit dense:

      > A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.

      I.e., the privacy of your, the patient's PHI is protected.

      That's a privacy regulation, and it is talking about and protecting the privacy of patient data, not provider's, etc.

      > HIPAA is designed to make it maximally difficult to move PHI from one provider to the next.

      It does no such thing. But [1].

      > HIPAA is designed to make it maximally difficult for plaintiff attorneys to discover incriminating malpractice evidence when suing those providers.

      Plaintiffs can divulge their own PHI directly to lawyers. Otherwise, no, lawyers don't get to access random people's PHI … but that's directly because the privacy of that PHI is protected. Further, one of the exceptions to HIPAA's protections is judicial order … so if plaintiffs can get a judge to agree, they can get a limited window into people's PHI. But … no, they don't just get to see?

      > HIPAA is a stepping-stone to single-payer insurance.

      … clearly not, or where is it?

      > HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care.

      People: you're always permitted to divulge whatever you want, to whomever you want, about your own PHI. But no, a doctor cannot divulge PHI to, e.g., an adult's parents without authorization. Again, this is to protect the patient's privacy: for example, so that a woman can keep something medically private from her husband if she chooses, or an (adult) patient can not have nosy parents learning things that are not their business, etc.

      (Parents/guardians of non-adult children are treated differently, of course. There are other exceptions, and exceptions to the exceptions, but generally, they follow pretty common sense lines.)

      Providers, entities: again, HIPAA only prevents this without your consent, and that's basically what privacy is.

      And … you know this:

      > unless an ROI is on file.

      (An ROI is a "release of information", for others.) Yes, if you consent, then your PHI can be divulged. This is like the very definition of patient privacy.

      > Those ROIs are a thing you have to go pursue on your own -- they are never offered or suggested by the provider -- and those ROIs will expire at the drop of a hat -- and you never know if an ROI is valid until it is tested at the point of that entity requesting information.

      This isn't true, either; I've had providers ask for ROIs, and nothing prevents a provider from taking initiative. (Perhaps you need a better provider.) Yes, to a large extent, you must own your own outcome in American healthcare, but I think this is more a function of other failings in HC than of HIPAA.

      Also, … yes, ROIs are scoped: they're only good for a specific instance of releasing information, i.e., they're not carte blanche to the provider to release your information to the world. Again, that's a privacy protection.

      In the specific case covered by TFA, upstream is right: it is unfortunate that marketplaces might not be covered entities, and they probably should be. This would be a common sense update to the law, so call your congressperson. Were they covered, HIPAA would prohibit what occurred here, and other covered entities have been fined for exactly this type of error/behavior. I.e., HIPAA has prior examples of preventing exactly the badness here!

      [1] I empathize that moving data between providers is not easy, but this is hardly due to HIPAA, which permits such, assuming patient consent. I'd say this is more a function of providers not adhering to standards like they ought to; I've seen precious little use of FHIR (for others: standardized format for HC data) in my time in the industry, and the state of tech for inter-provider transfers is such that most providers probably do find it easier to just recollect the data they need. Heck, even within a provider, I've witnessed struggles to transfer data.


    • The other person who replied to you is much more accurate.

      > HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care.

      If I am a provider (and I am, or have been) of yours, I can get information from other providers on the care they've provided you. In fact, as appropriate, I can get it without your permission or consent (particularly useful in situations of pill-seeking, or mental health, but other situations too, that I encountered as a paramedic).

      While many providers will get you to sign paperwork consenting to this, it is mostly CYA.