by chimeracoder 1208 days ago
> The US has some (IMO) pretty strict laws about protecting PHI. One Medical isn't going to keep your data in an open public S3 bucket, and random Amazon employees aren't going to be snooping around your medical records on their intranet.

HIPAA provides far fewer protections than you probably think it does, and flagrant violations are frighteningly common.

Worse, HIPAA provides no private right to recourse, so even if your PHI is exposed, you're not entitled to a penny in compensation.

HHS may fine Amazon, but to Amazon, $1.5 million (the maximum cap for all violations of a provision due to negligence) might as well be the cost of doing business. And you won't receive one cent of that.

Can you give an example about fewer protections than people think?
> Can you give an example about fewer protections than people think?

For starters, HIPAA doesn't actually prevent your doctor or health insurer from selling your data to a third party. It also doesn't prevent that third party from giving that data to a fourth party, who can give it to another, and so on.

What happens if one of those tertiary parties has a breach and ends up exposing your data? In theory they're supposed to report it back up the chain, but in practice it doesn't go more than one or two links, if that.

So in short:

- you have no way of enumerating the number of entities who have legal access to your health data

- you have no way of finding out when it's been illegally exposed by any of the parties who have legal access to it

- if by chance you happen to find out about an exposure[0] you have no recourse except to report it to HHS, who may apply a statutory fine, but the fine is typically minuscule compared to the size, revenue, and profit of the guilty party

- if by chance you find out about an exposure of your PHI, you are not entitled to receive any compensation

All things considered, it's easier to enumerate the very limited ways that HIPAA does actually protect you than to enumerate the protections that most people incorrectly think HIPAA provides.

[0] a real-life example is you Googling the name of your partner and stumbling upon a publicly visible Excel spreadsheet containing the name, SSN, addresses, and medical diagnoses of thousands of patients

[1] see above

Used to be the Joint Commission took HIPAA violations seriously. Do HIPAA violations no longer cause risk of losing Joint Commission accreditation? That used to be the big sanction everyone worried about.
HIPAA has some teeth, but I was surprised at the annual caps, which are insignificant to larger companies, like Amazon.

https://www.ada.org/resources/practice/legal-and-regulatory/...

Your consent to be used in research is basically baked into anything you’ve whipsaw signed at a doctor’s office.
> Your consent to be used in research is basically baked into anything you’ve whipsaw signed at a doctor’s office.

Eh, that's not exactly true. HIPAA isn't the only (or even primary) vehicle for safeguarding patients from research, and most research is conducted under the auspices of large (usually academic) institutions that have processes to ensure informed consent, which are in turn backed by other legal statutes or contracts. Those aren't perfect, but it's not correct to say that patients provide blanket consent when they begin at a new practice, or that HIPAA is responsible.

Doctors and hospitals can and do share sensitive patient data with drug companies for marketing purposes, for instance.