AT&T and HIPAA

[David Farber <dave () farber net>]

Begin forwarded message:

From: Latanya Sweeney <latanya () LAB privacy cs cmu edu>
Date: June 28, 2006 5:42:11 AM EDT
To: David Farber <dave () farber net>
Cc: Bob Gellman <bob () bobgellman com>
Subject: Re: Farber's List posting


Dave,

Bob Gelman is a leading legal scholar on privacy
policy, and the most knowledgeable person about HIPAA
that I know.  Below is his response to the inquiry about AT&T
and HIPAA. (Please post this message to your list.)

--LS

At 08:05 PM 6/23/2006, Bob Gellman wrote:
> Someone sent me your posting from Dave Farber's list about the  
> latest AT&T privacy policy and HIPAA.  You wrote:
>
> "On the other hand, if the AIDS support line was provided by a  
> hospital that used it to support
> its patients diagnosed with HIV, then the information would be  
> protected. However, it would be assumed
> that the hospital entered into a Business Associates agreement with  
> AT&T and did not just sign-up for phone service without the  
> additional protection. If such an agreement did exist, there may be  
> some liability under HIPAA
> if AT&T shared the data further.  However, even this situation is  
> complicated by whether there
> was an overarching legal requirement for the information that took  
> precedent. "
>
> I don't think that a telephone company is a business associate  
> under HIPAA.  It is just a conduit for information.  Here's an  
> answer from the OCR FAQ (answer number 245) that explains the point:
>
> "Are the following entities considered "business associates" under  
> the HIPAA Privacy Rule: US Postal Service, United Parcel Service,  
> delivery truck line employees and/or their management?
>
> No, the Privacy Rule does not require a covered entity to enter  
> into business associate contracts with organizations, such as the  
> US Postal Service, certain private couriers and their electronic  
> equivalents that act merely as conduits for protected health  
> information. A conduit transports information but does not access  
> it other than on a random or infrequent basis as necessary for the  
> performance of the transportation service or as required by law.  
> Since no disclosure is intended by the covered entity, and the  
> probability of exposure of any particular protected health  
> information to a conduit is very small, a conduit is not a business  
> associate of the covered entity. "  (END OCR)
>
> We can dream up circumstances in which a conduit would access  
> information entrusted to it, and that could create interesting and  
> complicated HIPAA questions.  Much would depend on what the covered  
> entity knew about the conduit's conduct, and what was allowed by  
> its contract with the conduit.  If a conduit regularly "opened the  
> package" and peeked, then a business associate agreement might be  
> required to control that conduct.
>
> I haven't read AT&T's policy either.  But its reported assertion of  
> ownership is bad policy, bad law, and rather meaningless.  With  
> personal information, there are rights, interests, and  
> responsibilities on all sides.  A claim of ownership doesn't get  
> anyone anywhere.
>
> I don't have access to Farber's list, but you can post this if you  
> choose.
>
> Bob
>
> --
> + + + + + + + + + + + + + + + + + + + + + + +
> + Robert Gellman       <bob () bobgellman com> +
> + Privacy and Information Policy Consultant +
> + 419 Fifth Street SE                       +
> + Washington, DC 20003                      +
> + 202-543-7923           www.bobgellman.com +
> + + + + + + + + + + + + + + + + + + + + + + +



-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/