Interesting People mailing list archives

Re: Are Google/MSFT bound by HIPAA?


From: David Farber <dave () farber net>
Date: Sun, 24 Feb 2008 05:58:05 -0800


________________________________________
From: bmagnus () samespace com [bridgetmagnus () gmail com] On Behalf Of Bridget Magnus [bmagnus () samespace com]
Sent: Saturday, February 23, 2008 10:55 AM
To: David Farber
Subject: RE: [IP] Are Google/MSFT bound by HIPAA?

Sort of.

Not only are any parties that hold medical data that is both 1) personally
identifiable and 2) relates to medical care and/or the payment for such care
subject to HIPAA, any company that submits this sort of data to them must
get an agreement that holds them to certain confidentiality standards before
sending data.  Furthermore, any facility sending information to them should
amend the HIPAA statement they give to patients (who in my experience rarely
take it home, let alone read it) to reflect the mere possibility of a data
sharing agreement.

Needless to say, there are some loopholes.  They can aggregate
non-identifiable information (such as total number of flu cases).
Anonymized data can be released ("Mr. A, age 46, presented with interesting
symptoms").  They have to comply with court orders to release data.  There
are certain instances where they may be required to report certain types of
information to authorities such as the CDC. Services paid for in cash appear
to be a grey area, but I'd rather comply unnecessarily than deal with
federal lawsuits.  But the short version is yes, and if they are as smart as
we have been led to believe they are, they already have lawyers working on
it.

Bridget Magnus
bmagnus () bridgetmagnus com
---
(702) 727-7842
---
http://bridgetmagnus.com/ -- My professional site, your source of
information on real estate and moving to Las Vegas

-----Original Message-----
From: David Farber [mailto:dave () farber net]
Sent: Saturday, February 23, 2008 6:34 AM
To: ip
Subject: [IP] Are Google/MSFT bound by HIPAA?


________________________________________
From: Michael Zimmer [michael.zimmer () yale edu]
Sent: Saturday, February 23, 2008 8:35 AM
To: David Farber
Subject: Are Google/MSFT bound by HIPAA?

Can anyone in IP shed light on whether 3rd parties who hold personal
medical information (such as Google or Microsoft) are bound by HIPAA's
privacy and disclosure guidelines?

Thanks,
Michael



-----
Michael Zimmer, PhD
Microsoft Fellow, Information Society Project
Yale Law School
e: michael.zimmer () yale edu
w: http://michaelzimmer.org



-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com

