[HN Gopher] Pharmacies share medical data with police without a ...
___________________________________________________________________
Pharmacies share medical data with police without a warrant, inquiry finds

Author : arkadiyt
Score  : 115 points
Date   : 2023-12-12 18:00 UTC (5 hours ago)

(HTM) web link (www.washingtonpost.com)
(TXT) w3m dump (www.washingtonpost.com)

| underseacables wrote:
| If you get a prescription filled using insurance, that medication goes on a report. *Collects prescription drug purchase history for quantifying the relative mortality risk of life insurance applicants and provides risk scores for underwriting decisions.*
|
| https://www.consumerfinance.gov/consumer-tools/credit-report...
|
| Even if you don't use insurance, it may still be possible to wind up on this list.
| deepfriedchokes wrote:
| Wouldn't this be a massive HIPAA violation??
| alexwilde wrote:
| The article covers this:
|
| _The Health Insurance Portability and Accountability Act, or HIPAA, regulates how health information is used and exchanged among "covered entities" such as hospitals and doctor's offices. But the law gives pharmacies leeway as to what legal standard they require before disclosing medical records to law enforcement._
| bonestamp2 wrote:
| Wow, that's a gaping privacy loophole.
| dekhn wrote:
| HIPAA was never a law about privacy of medical data. It's a law that governs the management of medical data, with very limited protections for privacy. I think most people misunderstand that law, its purpose, and its implications.
| ThinkingGuy wrote:
| The P in HIPAA stands for "Portability," not "Privacy."
| u32480932048 wrote:
| HIPPA is the Privacy act ;)
| yold__ wrote:
| I work in this space, and your comment is completely wrong. Data covered by HIPAA is always covered by HIPAA.
| A covered entity would also include a health insurer, and all payment intermediaries, this is straight from the HHS faq (https://www.hhs.gov/hipaa/for-professionals/faq/covered-enti...)
| alexwilde wrote:
| Did you read the article? I've read through what you've linked as well as this page: https://www.hhs.gov/hipaa/for-professionals/faq/190/who-must...
|
| I'm not seeing anything that explicitly calls out Pharmacies.
| dragonwriter wrote:
| HIPAA law and implementing regs include broad allowances for disclosure to law enforcement, some of which involve some degree of subjective judgement on the part of the covered entity (and most of which do not require a warrant), but, no, it does not allow pharmacies (or any other covered entities) "leeway as to what _legal_ standard they require" (emphasis added) before such disclosure.
|
| See, generally, https://www.hhs.gov/hipaa/for-professionals/faq/505/what-doe... and the regulations cited therein.
| theGnuMe wrote:
| I look forward to the lawsuits since HIPAA is Federal and abortion laws are state.
| dragonwriter wrote:
| Unfortunately for that idea, the law enforcement disclosures allowed under HIPAA are not limited to disclosures related to violations of federal law, or disclosures only to federal law enforcement.
| Teever wrote:
| I'm in Canada so HIPAA doesn't apply for me but when I was going into my second year of university the student union signed a contract with a health insurance company that provided some piddly policy for students that was mandatory unless you could provide proof of insurance with another company.
|
| Not only was there no way to refuse this but you were automatically enrolled unless you could provide that proof by a certain date.
|
| I got into an argument with the student president about this because I considered it a massive overreach for the school to give my information to the student union who then turns around and gives it to a third party, and that this is just somehow a part of completing post secondary education. He was adamant that it was both legal and ethical, and that there was no privacy violation that occurred.
|
| I ended up opting out in time but a few months later I received an email from the insurance company stating that they had been hacked and they weren't quite sure what information had been leaked.
|
| I've never found out what information was transmitted from the student union to the health insurance company, if the company managed to get access to my health records, or if that company has sold those records, or been acquired by a large company that has added those records to their collection, or what the hackers managed to steal.
|
| I guess this is all legal because some student union that gets less than 9% of the student body to vote for them said so?
| Ensorceled wrote:
| > I'm in Canada so HIPAA doesn't apply for me
|
| But PIPEDA definitely applies to this situation, but PIPEDA only came into effect in April 2020 so it would depend upon when you were a student.
| JohnFen wrote:
| > He was adamant that it was both legal and ethical, and that there was no privacy violation that occurred.
|
| I could understand about it being legal, maybe even ethical (ethical codes can differ) -- but to argue that there is no privacy violation? That just seems completely delusional.
| yold__ wrote:
| When you buy health insurance, you sign a temporary HIPAA release (limited duration) to cover the period that they are underwriting. They can only query your specific pharmacy records for the purposes of underwriting. So yes, this is a HIPAA violation when it is being used by the police. I work in this space with HIPAA data.
| heroprotagonist wrote:
| You can fit an astounding number of elephants through the loopholes in HIPAA:
|
| https://www.law.cornell.edu/cfr/text/45/164.512
|
| And then there's the HHS interpretation of the above for providers, which is... porous:
|
| https://www.hhs.gov/hipaa/for-professionals/faq/505/what-doe...
|
| Of particular note are the exemptions in 45 CFR 164.512(k)(2) applicable to powers granted by executive order 12333 (on mass surveillance). When this exemption is used it makes discovering whether, when, how, or why your data was collected or used practically impossible.
| Racing0461 wrote:
| This is actually a pretty good use of the data if it's done by a university for a study or the NIH in a nonprofit capacity. Using prescription data on insurance to see outcomes at a societal level for prescriptions since it's all in one place.
|
| Of course life insurance companies will instead use the data to decide someone's premiums or whether to give them life insurance at all if a prescription shows up on that person's history when they try to sign up.
| JohnFen wrote:
| > This is actually a pretty good use of the data if it's done by a university for a study or the NIH in a nonprofit capacity.
|
| As long as everyone whose data is used has consented to it, then yes.
| underseacables wrote:
| https://archive.is/ACR3l
| neonate wrote:
| https://web.archive.org/web/20231212133518/https://www.washi...
| JohnFen wrote:
| This sort of thing underscores how impossible it is to stay safe in our society. If you can't even get medical care without your data being mined for all it's worth, what can you do?
|
| So utterly depressing.
| LorenPechtel wrote:
| Doesn't surprise me a bit. Deal with anything sensitive and companies are very prone to cooperating with the police rather than have them cause trouble when they don't get what they want right now.
| Eumenes wrote:
| The answer to 1984 is 1776
___________________________________________________________________
(page generated 2023-12-12 23:01 UTC)