by dragonwriter 2414 days ago
If entering into a BAA under HIPAA for work involving PHI is “harvest”, and you're worried that this reaches “millions” for Google, you probably don't want to think about the deals public and private firms in the healthcare and health insurance/payments space have with Amazon and Microsoft.

From the news article (I don't have time to review the source leak independently) there doesn't seem to be anything really concerning here. The closest to an indication of anything wrong seems to be that someone raised an issue about the risk of improper employee use of data and a need for training around that in an internal meeting on the project and has not received a formal specific response on that issue from corporate leadership. Having spent a long time in HIPAA-related work, neither that issue being raised in regard to a new project nor the fact that it was raised being merely one of many inputs into a policy-generating process (one that makes general adjustments considering a wide range of concerns, legal parameters, and other issues) without receiving a specific direct response seems...pretty typical. And HIPAA does not require notification or opt-in (or even opt-out opportunity) for data sharing between a covered entity and Business Associate, as BAs are (while under HITECH independently subject to HIPAA privacy and security rules) basically considered institutional agents of the covered entity to which the covered entity's authority to have and use data is delegated under the Business Associate agreement.

I don't know if there is really nothing of concern in the dump or the journalists covering it don't have enough understanding of the domain to even distinguish things that would indicate a problem, but what it looks like from the news article is a “whistleblower” making accusations and dumping docs, but nothing substantial and concrete in the docs supporting the thrust of the “whistleblower’s” accusations of wrongdoing.

3 comments

Not defending the article (I’ve not read it), but I suppose I probably would be horrified with the status quo. I really wish we had a more consent based data culture. I suppose I don’t know how that would be designed. But lots of real things are horrifying and it’s not necessarily fine just that something is normal.
My view is that consent is oversold. If I "consent" to a boilerplate agreement handed me moments before an action is taken, have I really?

Boundaries and distributions should be clearly, specifically specified, with any non-essential distributions requiring specific assent, defaulting to none. If there are consequences to sharing, those can be made known. We've been drawn into a circumstance which has long been untenable.

> If I "consent" to a boilerplate agreement handed me moments before an action is taken, have I really?

A not uncommon practice with HIPAA “disclosures” is to sign an electronic device that records the signature (and provides no evidence that the document your signature is associated with is anything like the one you were given) prior to being provided with documents. So, yeah, the practices around consent with PHI suck pretty hard.

I would flat out refuse.
This is why there is the concept of informed consent.
Actually, that's not accurate in this case.

If you inform me, then hand me a pre-printed document with a huge set of conditions on it, or worse, as another response notes, simply collect my signature, it's not that I'm not informed. It's that I'm not empowered to act on the basis of that information in any meaningful way.

It's a sham.

I'm a fan of the power of etymologies to reveal if not necessarily the present meanings of words, the paths by which they've arrived to the present. In the case of consent:

c. 1300, "agree, give assent; yield when one has the right, power, or will to oppose," from Old French consentir "agree; comply" (12c.) and directly from Latin consentire "agree, accord," literally "feel together," from assimilated form of com "with, together" (see con-) + sentire "to feel" (see sense (n.)).

https://www.etymonline.com/word/consent

(A true gem of the Internet.)

> If I "consent" to a boilerplate agreement handed me moments before an action is taken, have I really?

Obviously you have not.

I wouldn't say this is consent being "oversold", but rather yet another way that the concept of consent is being actively undermined into a legal fiction.

This is also why the GDPR has the provision for revoking permission to your data at any time - to counter its rights being otherwise nullified through contracts of adhesion.

"Legal fiction" is an entirely apt description, yes.
Why do you think Amazon purchased PillPack ;)

However, their little snafu with SureScripts and Remy Health just got them banned from accessing healthcare history - however there are pending FBI and FTC investigations regarding their mis-management of healthcare data. Worst case, the digital pharmacy Amazon just bought will be barred from sending or receiving digital prescriptions and their HIPAA accreditation will be voided for three years (with a fine).

Seems like a great way to waste a couple hundred million dollars.

The article says

> The data is being transferred with full personal details including name and medical history and can be accessed by Google staff

I think a reaction of horror is quite appropriate. Your comment is "whataboutism". Let's discuss this leak without invoking bogeymen.