Interesting People mailing list archives

Re: definitive comment on Are Google/MSFT bound by HIPAA?


From: David Farber <dave () farber net>
Date: Mon, 25 Feb 2008 06:18:36 -0800


________________________________________
From: Andrew C Burnette [acb () acb net]
Sent: Sunday, February 24, 2008 8:13 PM
To: David Farber; jmsaul () ctconsultancy com
Subject: Re: [IP] definitive comment on Are Google/MSFT bound by HIPAA?

Dave, Joe,

It also follows that "all privacy bets are off" when any data processing
goes across national or jurisdictional borders. If work can be
outsourced at a cost-effective rate, there's no easy way to determine
what country's laws, treaties, or lack thereof meet the intent of HIPAA.

I recently picked up and paid for a prescription for my daughter
(amoxicillin for strep throat) at Costco, and used my Aetna HSA debit card to
pay for it.  By the time I arrived home 20 minutes later, the following
companies had played a part in the transaction, and it was fully visible
in my Aetna and related accounts:

1- Costco
2- Telepay (I may have the name incorrect, but one of the prescrip copay
clearinghouses)
3- Medco (my insurance company's prescrip benefit admin)
4- Chase Bank (unlabeled provider of my HSA account and Visa debit card)
5- Aetna

Bet there's a few interesting points of metadata collection. The idea of
a "medical health score" is nothing new either.

Best regards,
Andy Burnette

David Farber wrote:
________________________________________
From: Joseph M. Saul [jmsaul () ctconsultancy com]
Sent: Saturday, February 23, 2008 10:11 AM
To: David Farber
Cc: ip
Subject: Re: [IP] Are Google/MSFT bound by HIPAA?

On Sat, 23 Feb 2008, David Farber wrote:

Can anyone in IP shed light on whether 3rd parties who hold personal
medical information (such as Google or Microsoft) are bound by HIPAA's
privacy and disclosure guidelines?

I'm not in IP, I'm in health care compliance at a large academic health
system.  HIPAA is a large part of my job; I know it extremely well.
The HIPAA Privacy Rule regulates only certain types of organizations
involved in health care, which it terms "covered entities".  They include
health care providers, health care payors, and health transaction
clearinghouses.  There are additional restrictions, but they aren't
relevant here.

When those organizations have to provide protected health information to
a non-covered entity like a technology company (e.g. Siemens), they are
required to make the outside company sign a "Business Associate Agreement"
in which they pledge to protect the data to (essentially) the same
standards, tell the covered entity about security breaches, etc.  The
outside company is still not bound by the HIPAA Privacy Rule, but it has
had similar standards applied to it by contract.

The upshot is that Google and Microsoft, not being "covered entities,"
are absolutely *not* bound by HIPAA.  If they have signed a Business
Associate Agreement with a covered entity, they may be bound by that
agreement to apply similar standards to that entity's data in the context
of that engagement, but that's as close as it gets.

Feel free to contact me offlist if you want to discuss this in more
detail.

   -- Joe Saul, J.D.

-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
