by sxg 781 days ago
No problem—glad to participate! There's a lot of cynicism that leads to misinformation about how healthcare works, so I'd like to clean that up. Let's attack and fix the broken parts of the system, but we should praise the working parts. I think patient privacy/security is one of the few things the US gets mostly right about healthcare.

Regarding the privacy policies: these are created by the legal department, and physicians in the department are told to distribute them and get signatures when necessary in order to do things by the book. However, your rights are inalienable and protected regardless of whether you actually receive the policy and sign the appropriate box. If you don't receive the policy, the healthcare institution is on the hook and could face a fine if reported to the DHHS. Things could absolutely be done more efficiently and more clearly for patients, but there's a fear of changing things ("if it ain't (horribly) broke, don't fix it"). Trying to improve how privacy policies are disseminated and how patients are informed could result in an inadvertent violation of HIPAA that results in large fines. So healthcare institutions are disincentivized from trying to improve things here.

I reviewed the patient privacy policy for a few large institutions in the US, and it all seems to support what I'm saying. For example, here's NYU's policy on business associates: https://nyulangone.org/files/business-associates.pdf

NYU has additional policies here: https://nyulangone.org/policies-disclaimers/hipaa-patient-pr.... UCLA Health has similar policies here: https://www.uclahealth.org/privacy-practices. Every institution has essentially the same policies as they're all just a reflection of HIPAA.

The only ways in which patient data can be shared with others are if (1) they're involved in your treatment (e.g., your doctor at another hospital), (2) payment purposes (e.g., insurance), (3) health care operations (e.g., third-party vendor software like EMRs, PACS, etc.). All are required to be HIPAA compliant if they're covered entities (i.e., healthcare institutions) or sign a BAA with a covered entity that essentially puts the same HIPAA requirements on them. A violation again results in massive fines, C-suite level firings, and expensive legal fallout.

1 comment

I spoke with the compliance manager at the urgent care this afternoon and had a pleasant conversation. I shared my concerns that I was never provided a copy of the paperwork I was expected to sign, and they took that feedback to hopefully improve in the future.

I had one question in case you're still monitoring this thread. The compliance manager mentioned a "health information exchange," which I opted out of (since it was something I can control). Do you have experience with these? It seems benign from the searches I've done since the conversation, but I would be curious if you had any insight as a medical professional.