[john_strinlai]

>Why would anyone think that a non-HIPPA compliant app would keep medical information private to the level of security needed for medical data?

because lots of people dont know what HIPPA is, and (naively to us more familiar with tech) assume that a medical-related app on a curated app store would be safe for medical-related stuff.

[ceejayoz]

> lots of people dont know what HIPPA is

Ironically, it's HIPAA.

You're right, though; it's much more limited than people think. During COVID people claimed everything violated HIPAA (masks, vaccine requirements, testing), but it only applies in a very narrow subset of patient/provider relationships.

[FireBeyond]

Very much so. Also ironically, as a healthcare provider (paramedic), HIPAA expressly allows me to get your healthcare information without your consent (as needed for your care). A lot of facilities have you sign paperwork to explicitly authorize sharing, but that's really just a CYA.

"Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization? Answer: Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization."

Source: https://www.hhs.gov/hipaa/for-professionals/faq/481/does-hip...

[haldujai]

The bigger gap is for healthcare and business operations which is very broad and includes datasets for AI training as one example.

[ceejayoz]

That seems entirely unironic and reasonable, though?

[FireBeyond]

100% reasonable (and often necessary - pill shopping, psychiatric concerns, etc. And not irony in the Act itself, more people's perception of its intent.

[pseudalopex]

It is not reasonable to disregard patients' consent so generally. Specific purposes could have specific exceptions.

[FireBeyond]

I think the key is in the course of treatment.

I agree that it's not and never should be a free-for-all with PHI just "because you can".

But if I, as an EMS provider, are treating someone for, say, an overdose, it is rather germane to my treatment of you that you have a history of suicidal ideation or attempts, even if you'd rather I wasn't able to gather that information from another provider's records (because you'd "rather not" be subject to a mandated hold/evaluation if it appears that your overdose was intentional).

I don't need to know, and don't care, if you're transitioning and I'm seeing you for a seizure, for example, it's not relevant. If you're unconscious and I need to see if I can see history or diagnoses or etc., as I'm determining the risk of an intervention to perform on you, then, I may discover that detail, again, in the course of your treatment.

It's not a blanket "I don't care whether you consent or not, I'm pulling your records from the EHR. Sucks to be you."