Comment by AStonesThrow

19 hours ago

HIPAA is not designed to protect consumer or patient privacy. That is a silly fiction that voters and constituents believe in order to prop up the legislation.

HIPAA is designed to protect the privacy of providers, clinics, hospitals, and insurance carriers. HIPAA is designed to make it maximally difficult to move PHI from one provider to the next. HIPAA is designed to make it maximally difficult for plaintiff attorneys to discover incriminating malpractice evidence when suing those providers. HIPAA is a stepping-stone to single-payer insurance.

HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care. No entity under HIPAA can legally divulge the slightest tidbit to your brother, your parents, or anyone who contacts them, unless an ROI is on file. Those ROIs are a thing you have to go pursue on your own -- they are never offered or suggested by the provider -- and those ROIs will expire at the drop of a hat -- and you never know if an ROI is valid until it is tested at the point of that entity requesting information.

IANAL, but I work in healthcare, and a portion of my work is trying to ensure obligations under HIPAA are met.

> HIPAA is designed to protect the privacy of providers, clinics, hospitals, and insurance carriers.

No? I can practically quote the law directly here, though it is a bit dense:

> A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.

I.e., the privacy of your (the patient's) PHI is protected.

That's a privacy regulation, and it is talking about and protecting the privacy of patient data, not providers', etc.

> HIPAA is designed to make it maximally difficult to move PHI from one provider to the next.

It does no such thing. But [1].

> HIPAA is designed to make it maximally difficult for plaintiff attorneys to discover incriminating malpractice evidence when suing those providers.

Plaintiffs can divulge their own PHI directly to lawyers. Otherwise, no, lawyers don't get to access random people's PHI … but that's directly because the privacy of that PHI is protected. Further, one of the exceptions to HIPAA's protections is judicial order … so if plaintiffs can get a judge to agree, they can get a limited window into people's PHI. But … no, they don't just get to see?

> HIPAA is a stepping-stone to single-payer insurance.

… clearly not, or where is it?

> HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care.

People: you're always permitted to divulge whatever you want, to whomever you want, about your own PHI. But no, a doctor cannot divulge PHI to, e.g., an adult's parents without authorization. Again, this is to protect the patient's privacy: for example, so that a woman can keep something medically private from her husband if she chooses, or an (adult) patient cannot have nosy parents learning things that are not their business, etc.

(Parents/guardians of non-adult children are treated differently, of course. There are other exceptions, and exceptions to the exceptions, but generally, they follow pretty common sense lines.)

Providers, entities: again, HIPAA only prevents this without your consent, and that's basically what privacy is.

And … you know this:

> unless an ROI is on file.

(An ROI is a "release of information", for others.) Yes, if you consent, then your PHI can be divulged. This is like the very definition of patient privacy.

> Those ROIs are a thing you have to go pursue on your own -- they are never offered or suggested by the provider -- and those ROIs will expire at the drop of a hat -- and you never know if an ROI is valid until it is tested at the point of that entity requesting information.

This isn't true, either; I've had providers ask for ROIs, and nothing prevents a provider from taking initiative. (Perhaps you need a better provider.) Yes, to a large extent, you must own your own outcome in American healthcare, but I think this is more a function of other failings in HC than HIPAA.

Also, … yes, ROIs are scoped: they're only good for a specific instance of releasing information, i.e., they're not carte blanche to the provider to release your information to the world. Again, that's a privacy protection.

In the specific case covered by TFA, upstream is right: it is unfortunate that marketplaces might not be covered entities, and probably should be. This would be a common sense update to the law, so call your congressperson. Were they, HIPAA would prohibit what occurred here, and other covered entities have been fined for exactly this type of error/behavior. I.e., HIPAA has prior examples of preventing exactly the badness here!

[1] I empathize that moving data between providers is not easy, but this is hardly due to HIPAA, which permits such, assuming patient consent. I'd say this is more a function of providers not adhering to standards like they ought to; I've seen precious little use of FHIR (for others: standardized format for HC data) in my time in the industry, and the state of tech for inter-provider transfers is such that most providers probably do find it easier to just recollect the data they need. Heck, even within a provider, I've witnessed struggles to transfer data.

  • > Providers, entities: again, HIPAA only prevents this without your consent, and that's basically what privacy is.

    Not even, it specifically allows providers who are actively caring for you to share, even without your consent. Straight from the horse's mouth:

    "Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization? Answer: Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization."

    Source: https://www.hhs.gov/hipaa/for-professionals/faq/481/does-hip...

    > I empathize that moving data between providers is not easy, but this is hardly due to HIPAA, which permits such, assuming patient consent.

    It doesn't even really always require consent, but a provider relationship. Consent can grease the wheels though.

    It's like you said, very little use of FHIR or still so so much HL7. And anyone who has dealt with those standards knows that just because EHR vendor A says they support them, and EHR vendor B does, doesn't mean data sharing will be smooth.

    • Yeah. (I didn't include that as it seemed like the person above was writing specifically about provider-provider sharing, and while I know provider-BA sharing is fine in the course & context of administering care, I was less sure about provider-provider. But I think there are plenty of examples of this in my own HC, such as when I go for a blood draw and I get 8 bills. But again: HIPAA really doesn't throw too many surprising curve balls here.)

      And yeah, lots of HL7v2. (for readers: HL7v2 is a protocol for medical data sharing. Predates FHIR, and is muuuuch uglier. FHIR is JSON/HTTP, albeit complicated, because medical. HL7v2 is custom binary (or I think there's an XML variant that I pray I never run into?). Not to be confused with the organization HL7.

      HL7v2 is also the reason for a lot of having to deal with IPSec tunnels, something else I could stand to never see again.)

      > And anyone who has dealt with those standards knows that just because EHR vendor A says they support them, and EHR vendor B does, doesn't mean data sharing will be smooth.

      Yep. Some unintentional (the standard is complex, people make mistakes), some intentional (the standard permits extension, and obviously custom extensions might not port).

      And that's like every other standard an eng on HN is going to interact with, really.

The other person who replied to you is much more accurate.

> HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care.

If I am a provider (and I am, or have been) of yours, I can get information from other providers on the care they've provided you. In fact, as appropriate, I can get it without your permission or consent (particularly useful in situations of pill-seeking, or mental health, but other situations too, that I encountered as a paramedic).

While many providers will get you to sign paperwork consenting to this, it is mostly CYA.