by FireBeyond
925 days ago
Then you would know that HIPAA allows for one subset of the above, health information, to be shared for treatment purposes even without patient authorization, as long as reasonably safeguarded. I'm not saying that encapsulates everything that person says. But "reasonable safeguards" absolutely include a lot of the things you say are unacceptable. I worked for a company that built claims benefits management systems, including one for SAG-AFTRA. Notably, that one, because they were about the only customer who was absolutely militant about lockdown of access to data (because it would show celebrity healthcare claims). Actually, the biggest challenge we had was from our customers wanting to do data mining that was federally illegal (like looking at familial healthcare data to determine predisposition for a covered person for a certain condition).
There's no way they fall under one of those exemptions, especially if they don't need it to do their job. If anything, the statement "we just don't" is indicative that they wouldn't fall under those exemptions.
But really the point was that this stuff is heavily regulated. If a company isn't following those regulations, that's going to bite them in the ass eventually.
Typically speaking, you can convince auditors of a lot of things, but it only takes getting the wrong auditor for it to all go downhill.