[dml2135]

Wouldn’t this violate HIPAA?

[warkdarrior]

Depends who is selling that data. Some pharmacy delivery services or billing services may not be covered by HIPAA, since they are not necessarily "covered entities".

[ethbr1]

Is this true?

My understanding of HIPAA (possibly incorrect) is that it's attached to the data.

If a covered provider is leaking HIPAA covered data to a non-covered business associate entity... that's a big no-no and a fine.

[snowwrestler]

There are criteria for which organizations are covered by HIPAA’s privacy protections. It is not attached to the data wherever the data goes.

[ethbr1]

Yes, those are covered entities. Their subcontractors who touch HIPAA data are business associates.

See https://www.hhs.gov/hipaa/for-professionals/covered-entities... and https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-...

In my experience, covered entities are really serious about signing BAAs with any of their hosting vendors and partners, as afaik the liability falls on the covered entity if they didn't have an agreement in place and data leaked from a vendor/partner.

[cmpxchg8b]

If you agree to the data being shared when signing up for insurance it wouldn’t be a violation.

[ethbr1]

Do you have any details on this?

I'm sure there are legal HIPAA data escape pathways (given the financial incentives for companies to find them), but I'm curious on the details.

Afaik, there's no way to make HIPAA-covered data non-HIPAA-covered, and absent that everyone in the custody chain is responsible for anywhere it eventually ends up.

That said, I expect the way this works in practice is more likely data that originates with non-HIPAA-covered entities, but can be massaged/combined into a similar product.