This one seems clear cut as a HIPAA violation. Glad to hear that interpretation was upheld.
However, regardless, we really need to just kill the data broker business model.
Speaking as someone who implemented GDPR for my startup when the law first came into effect, there were certainly rough edges.
But the core premise that you simply cannot sell user data to sub-processors without consent is a powerful one that I believe would fix a lot of broken things in the US system.
(Not least because the USG buys private data that would be unconstitutional for it to directly collect, but also things like the incentives for your cell phone provider to sell your location data to advertisers.)
Seriously, we have a country where a large fraction of our ad spend is for services that promise to remove your private data from data brokers. We could literally just pass laws so companies could not do this.
TL;DW: HIPAA was actually created to allow insurance companies to share patient data without having to get patient consent. Before HIPAA, data was more fractured and less commonly shared. The only privacy protections it offers is, e.g., your doctor not giving your data to your boss. But about 1.5 million private entities can legally access your data (everything from health startups to insurance companies to hospitals)
Reminds me of this Seinfeld episode when Elaine was marked as "difficult" in her chart, and then she couldn't get a single doctor to see her. She wasn't allowed to see her chart or edit it after that. As soon as she got to a new clinic, they would receive a phone call from another doctor warning them not to treat her.
> But about 1.5 million private entities can legally access your data
Somewhat. They are allowed to access it "for treatment purposes", not just to nose around out of curiosity.
I found myself explaining this to a number of my patients (I used to be a paramedic) who were irate about disclosures they'd made to their therapist, doctor, etc., that they had said they didn't want revealed to other providers (but were actually germane to their care).
"Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization? Answer: Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization."
One problem is all the data breaches it encourages. Data breaches are already bad enough with the providers I actually use without 1000s of random companies having access.
However, regardless, we really need to just kill the data broker business model.
Speaking as someone who implemented GDPR for my startup when the law first came into effect, there were certainly rough edges.
But the core premise that you simply cannot sell user data to sub-processors without consent is a powerful one that I believe would fix a lot of broken things in the US system.
(Not least because the USG buys private data that would be unconstitutional for it to directly collect, but also things like the incentives for your cell phone provider to sell your location data to advertisers.)