[HN Gopher] Pharmacies share medical data with police without a ...
       ___________________________________________________________________
        
       Pharmacies share medical data with police without a warrant,
       inquiry finds
        
       Author : arkadiyt
       Score  : 115 points
       Date   : 2023-12-12 18:00 UTC (5 hours ago)
        
 (HTM) web link (www.washingtonpost.com)
        
       | underseacables wrote:
       | If you get a prescription filled using insurance, that medication
       | goes on a report. *Collects prescription drug purchase history
       | for quantifying the relative mortality risk of life insurance
       | applicants and provides risk scores for underwriting decisions.*
       | 
       | https://www.consumerfinance.gov/consumer-tools/credit-report...
       | 
       | Even if you don't use insurance, it may still be possible to wind
       | up on this list.
        
         | deepfriedchokes wrote:
         | Wouldn't this be a massive HIPAA violation??
        
           | alexwilde wrote:
           | The article covers this:
           | 
           |  _The Health Insurance Portability and Accountability Act, or
           | HIPAA, regulates how health information is used and exchanged
           | among "covered entities" such as hospitals and doctor's
           | offices. But the law gives pharmacies leeway as to what legal
           | standard they require before disclosing medical records to
           | law enforcement._
        
             | bonestamp2 wrote:
             | Wow, that's a gaping privacy loophole.
        
               | dekhn wrote:
               | HIPAA was never a law about privacy of medical data. It's
               | a law that governs the management of medical data, with
               | very limited protections for privacy. I think most people
               | misunderstand that law, its purpose, and its
               | implications.
        
               | ThinkingGuy wrote:
               | The P in HIPAA stands for "Portability," not "Privacy."
        
               | u32480932048 wrote:
               | HIPPA is the Privacy act ;)
        
             | yold__ wrote:
             | I work in this space, and your comment is completely wrong.
             | Data covered by HIPAA is always covered by HIPAA. A covered
             | entity would also include a health insurer, and all payment
             | intermediaries, this is straight from the HHS faq
             | (https://www.hhs.gov/hipaa/for-professionals/faq/covered-
             | enti...)
        
               | alexwilde wrote:
               | Did you read the article? I've read through what you've
               | linked as well as this page:
               | https://www.hhs.gov/hipaa/for-professionals/faq/190/who-
               | must...
               | 
               | I'm not seeing anything that explicitly calls out
               | Pharmacies.
        
             | dragonwriter wrote:
             | HIPAA law and implementing regs include broad allowances
             | for disclosure to law enforcement, some of which involve
             | some degree of subjective judgement on the part of the
             | covered entity (and most of which do not require a
             | warrant), but, no, it does not allow pharmacies (or any
             | other covered entities) "leeway as to what _legal_ standard
             | they require" (emphasis added) before such disclosure.
             | 
             | See, generally, https://www.hhs.gov/hipaa/for-
             | professionals/faq/505/what-doe... and the regulations cited
             | therein.
        
           | theGnuMe wrote:
           | I look forward to the lawsuits since HIPAA is Federal and
           | abortion laws are state.
        
             | dragonwriter wrote:
             | Unfortunately for that idea, the law enforcement
             | disclosures allowed under HIPAA are not limited to
             | disclosures related to violations of federal law, or
             | disclosures only to federal law enforcement.
        
           | Teever wrote:
           | I'm in Canada so HIPAA doesn't apply for me but when I was
           | going into my second year of university the student union
           | signed a contract with a health insurance company that
           | provided some piddly policy for students that was mandatory
           | unless you could provide proof of insurance with another
           | company.
           | 
           | Not only was there no way to refuse this but you were
           | automatically enrolled unless you could provide that proof by
           | a certain date.
           | 
           | I got into an argument with the student president about this
           | because I considered it a massive overreach for the school to
           | give my information to the student union who then turns
           | around and gives it to a third party, and that this is just
           | somehow a part of completing post secondary education. He
           | was adamant that it was both legal and ethical, and that
           | there was no privacy violation that occurred.
           | 
           | I ended up opting out in time but a few months later I
           | received an email from the insurance company stating that
           | they had been hacked and they weren't quite sure what
           | information had been leaked.
           | 
           | I've never found out what information was transmitted from
           | the student union to the health insurance company, if the
           | company managed to get access to my health records, or if
           | that company has sold those records, or been acquired by a
           | large company that has added those records to their
           | collection, or what the hackers managed to steal.
           | 
           | I guess this is all legal because some student union that
           | gets less than 9% of the student body to vote for them said
           | so?
        
             | Ensorceled wrote:
             | > I'm in Canada so HIPAA doesn't apply for me
             | 
             | But PIPEDA definitely applies to this situation, but PIPEDA
             | only came into effect on April 2020 so it would depend upon
             | when you were a student.
        
             | JohnFen wrote:
             | > He was adamant that it was both legal and ethical, and
             | that there was no privacy violation that occurred.
             | 
             | I could understand about it being legal, maybe even ethical
             | (ethical codes can differ) -- but to argue that there is no
             | privacy violation? That just seems completely delusional.
        
           | yold__ wrote:
           | When you buy health insurance, you sign a temporary HIPAA
           | release (limited duration) to cover the period that they are
           | underwriting. They can only query your specific pharmacy
           | records for the purposes of underwriting. So yes, this is a
           | HIPAA violation when it is being used by the police. I work
           | in this space with HIPAA data.
        
           | heroprotagonist wrote:
           | You can fit an astounding number of elephants through the
           | loopholes in HIPAA:
           | 
           | https://www.law.cornell.edu/cfr/text/45/164.512
           | 
           | And then there's the HHS interpretation of the above for
           | providers, which is... porous:
           | 
           | https://www.hhs.gov/hipaa/for-professionals/faq/505/what-
           | doe...
           | 
           | Of particular note are the exemptions in 45 CFR 164.512(k)(2)
           | applicable to powers granted by executive order 12333 (on
           | mass surveillance). When this exemption is used it makes
           | discovering whether, when, how, or why your data was
           | collected or used practically impossible.
        
         | Racing0461 wrote:
         | This is actually a pretty good use of the data if it's done by a
         | university for a study or the NIH in a nonprofit capacity.
         | Using prescription data on insurance to see outcomes at a
         | societal level for prescriptions since it's all in one place.
         | 
         | Of course life insurance companies will instead use the data to
         | decide someone's premiums or whether to give them life
         | insurance at all if a prescription shows up on that person's
         | history when they try to sign up.
        
           | JohnFen wrote:
           | > This is actually a pretty good use of the data if it's done
           | by a university for a study or the NIH in a nonprofit
           | capacity.
           | 
           | As long as everyone whose data is used has consented to it,
           | then yes.
        
       | underseacables wrote:
       | https://archive.is/ACR3l
        
         | neonate wrote:
         | https://web.archive.org/web/20231212133518/https://www.washi...
        
       | JohnFen wrote:
       | This sort of thing underscores how impossible it is to stay safe
       | in our society. If you can't even get medical care without your
       | data being mined for all it's worth, what can you do?
       | 
       | So utterly depressing.
        
       | LorenPechtel wrote:
       | Doesn't surprise me a bit. Deal with anything sensitive and
       | companies are very prone to cooperating with the police rather
       | than have them cause trouble when they don't get what they want
       | right now.
        
       | Eumenes wrote:
       | The answer to 1984 is 1776
        
       ___________________________________________________________________
       (page generated 2023-12-12 23:01 UTC)