Remember that time I joked on twitter about GoodRx bring a privacy nightmare and one of their people went off on me? Lol … https://triangletoot.party/@jhv/109791178748594439
Joe V.

IMO, GoodRX already tanked & doesn't work. Maybe this will hasten their demise. https://gizmodo.com/ftc-fines-goodrx-prescription-data-facebook-google-1850059096 #drugs #GoodRX #health #medicine #digitalPrivacy "FTC Fines GoodRx $1.5M for Sending Your Medication Data to Facebook and Google for Ads"

@hacks4pancakes
Hrrm. How does this work in the context of HIPAA?
Whenever I read a waiver that is thicker than a clickthrough, mandatory for treatment, and I see that I have to agree or ack to the provider sharing with 3rd party business partners, it gives me the willies. I seem to remember that HIPAA was originally about protecting patients and not weaponizing providers. Am I missing something?
@ipd HIPAA only protects health data in the context of a healthcare provider or their business partners; it's not a general-purpose privacy law. Basically any other entity that gets your data from a source that's not a medical provider is not covered. In the case of GoodRx, the individual provides their prescription info on their own, no medical provider is involved, so no HIPAA.
@jpeg
Business partner..
That means those that covered entities do business with, right? Anyone from the janitorial service they hire to the vending machine fillers?
It's a bogus moth-ridden security blanket.

@ipd To clarify: "business partner" here requires a specific HIPAA-compliant contractual relationship, not just anyone the healthcare provider happens to do business with. An example would be a medical record software company. A janitorial service getting access to medical records would be a HIPAA violation unless they do HIPAA-compliant paper records destruction or something.

The big issue is when there’s no healthcare provider involved. If you type your data into an app (not associated with your healthcare provider) or Google guesses your condition based on web searches, then there are no HIPAA protections governing what they do with that.

@jpeg
If there is no requirement for third party enumeration, it's ambiguous, and therefore loaded with loopholes.

Do you have case law that shows that HIPAA is enforceable or enforced? Or where there have been fines because of violations?

"Personally Identifiable" and anonymized is another meaningless red herring. You know in infosec that given a few points of data that it's a sham.

Unless your job is to be the expert in the room when something's being discussed, so that the Powers that Be can say that they consulted an expert.

@ipd I used to work for a healthcare software company that had to comply with HIPAA; it is definitely enforced. They issue numerous fines every year, and the ones for data breaches can get quite big given they fine per record.

Not sure how complete this list is: https://www.hipaajournal.com/hipaa-violation-fines/


@jpeg
Considering the scope and volume of the medical industry and associated entities, 22 violations in '22, 14 in '21, and 19 in '20, and the payouts, and considering the economics of the industry, it's shameful how it's been enforced. Less than the price of doing business.

If you consider the price of ransomware, DDoS and hacking, well, what we're talking about is a joke.

If Experian and the banks have reported compromise, I'm hard pressed to believe that the medical industry is that much better.