Interesting People mailing list archives
Re: definitive comment on Are Google/MSFT bound by HIPAA?
From: David Farber <dave () farber net>
Date: Mon, 25 Feb 2008 06:18:36 -0800
________________________________________
From: Andrew C Burnette [acb () acb net]
Sent: Sunday, February 24, 2008 8:13 PM
To: David Farber; jmsaul () ctconsultancy com
Subject: Re: [IP] definitive comment on Are Google/MSFT bound by HIPAA?

Dave, Joe,

It also follows that "all privacy bets are off" when any data processing goes across national or jurisdictional borders. If work can be outsourced at a cost-effective rate, there's no easy way to determine what country's laws, treaties, or lack thereof meet the intent of HIPAA.

I recently picked up and paid for a prescription for my daughter (amoxicillin for strep throat) at Costco, and used my Aetna HSA debit card to pay for it. By the time I arrived home 20 minutes later, the following companies had played a part in the transaction, and it was fully visible in my Aetna and related accounts:

1- Costco
2- Telepay (I may have the name incorrect, but one of the prescrip copay clearinghouses)
3- Medco (my insurance company's prescrip benefit admin)
4- Chase Bank (unlabeled provider of my HSA account and Visa debit card)
5- Aetna

Bet there's a few interesting points of metadata collection. The idea of a "medical health score" is nothing new either.

Best regards,
Andy Burnette

David Farber wrote:
________________________________________
From: Joseph M. Saul [jmsaul () ctconsultancy com]
Sent: Saturday, February 23, 2008 10:11 AM
To: David Farber
Cc: ip
Subject: Re: [IP] Are Google/MSFT bound by HIPAA?

On Sat, 23 Feb 2008, David Farber wrote:
> Can anyone in IP shed light on whether 3rd parties who hold personal medical information (such as Google or Microsoft) are bound by HIPAA's privacy and disclosure guidelines?

I'm not in IP, I'm in health care compliance at a large academic health system. HIPAA is a large part of my job; I know it extremely well.

The HIPAA Privacy Rule regulates only certain types of organizations involved in health care, which it terms "covered entities". They include health care providers, health care payors, and health transaction clearinghouses. There are additional restrictions, but they aren't relevant here.

When those organizations have to provide protected health information to a non-covered entity like a technology company (e.g. Siemens), they are required to make the outside company sign a "Business Associate Agreement" in which they pledge to protect the data to (essentially) the same standards, tell the covered entity about security breaches, etc. The outside company is still not bound by the HIPAA Privacy Rule, but it has had similar standards applied to it by contract.

The upshot is that Google and Microsoft, not being "covered entities," are absolutely *not* bound by HIPAA. If they have signed a Business Associate Agreement with a covered entity, they may be bound by that agreement to apply similar standards to that entity's data in the context of that engagement, but that's as close as it gets.

Feel free to contact me offlist if you want to discuss this in more detail.

--
Joe Saul, J.D.

-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com