Interesting People mailing list archives
ATT and Hippa
From: David Farber <dave () farber net>
Date: Fri, 23 Jun 2006 14:55:43 -0400
Begin forwarded message:

From: Bill Schwartz <bill () XTEND COM>
Date: June 23, 2006 8:59:55 AM EDT
To: dave () farber net
Subject: RE: [IP] more on AT&T rewrites privacy policy

If I understand the AT&T announcement correctly, the use of their services by a Hospital or medical facility would violate the HIPAA regulations on privacy of patient information. Just from the dialing information, one could know who was seeking help with AIDS, for example.
Begin forwarded message:

From: Latanya Sweeney <latanya () LAB privacy cs cmu edu>
Date: June 23, 2006 2:39:07 PM EDT
To: David Farber <dave () farber net>, Lorrie Cranor <lorrie () cs cmu edu>
Subject: Re: is true?

Hi Dave,

I haven't read the privacy statement from AT&T, but here is my response related to the messages you attached related to HIPAA.

HIPAA does not offer blanket protection of medical records. Only a listed group of service providers are subject to HIPAA; these are termed "covered entities." These include physicians, hospitals, and insurance companies. Other entities may hold similar or even the same patient information that would be protected if it were held by a covered entity, but it is not subject to HIPAA when it is not held by a covered entity or a business associate of a covered entity. AT&T are not themselves directly covered by HIPAA, which means in general the information is not protected.

For example, suppose an AIDS support line is maintained by a non-profit group of volunteers in which people can call for conversation but no medical services or charges are involved. Most such groups would not be a covered entity under HIPAA because there is no medical billing involved. Let's further assume that the phone lines are provided through AT&T. The phone records would not be subject to HIPAA.

On the other hand, if the AIDS support line was provided by a hospital that used it to support its patients diagnosed with HIV, then the information would be protected. However, it would be assumed that the hospital entered into a Business Associates agreement with AT&T and did not just sign up for phone service without the additional protection. If such an agreement did exist, there may be some liability under HIPAA if AT&T shared the data further. However, even this situation is complicated by whether there was an overarching legal requirement for the information that took precedence.
--LS

At 09:23 AM 6/23/2006, David Farber wrote: