Your relationship with social media

Dannyalcatraz

Schmoderator
Staff member
Supporter
This issue hits me from the opposite side in my line of work. I deal with a lot of clients who tend to form networks of providers. Many of those providers are small practices using yahoo or some other free email service and have no IT staff to speak of.

HIPAA requires online communication to be encrypted in transit. SSL for web sites is trivial. Email is the ugly duckling. If you don't set up TLS on your email server and confirm TLS is set up on the destination, then HIPAA says you can't email those medical records because the data is not encrypted in transit. Yahoo and Google are adding TLS, but prior to last year for sure, none of these popular free email sites had TLS and thus everybody using them for medical work was violating HIPAA.

Furthermore, HIPAA requires Business Associate Agreements with the entities you transfer data with. To get a BAA means reviewing the other guy's security and signing paper that you accept their good or crappy level of security. In the instances where a BAA is not literally required, the same level of diligence is expected, even without a formal BAA. Thus, when you put your medical records onto gmail, you put Google at risk of violating HIPAA because they didn't specifically know you were using them for that (and thus set up controls to better protect that data).

So from my vantage point, court cases aside, these users had no business using Gmail or Yahoo because they were invoking an unwitting 3rd party into handling Protected Health Information (PHI). Thus, it was never an issue about the snooping by google's bots, because it was inappropriate to run your medical business through an email system you didn't control or have contracts with.
Yeah, I'm familiar with HIPAA issues- had to research it for my Dad's medical practice.

The thing is, it isn't just from the practitioner's side that we have concerns. If the patient somehow sends you an email that isn't secured or encrypted, and it reveals otherwise private/privileged info, the issue arises.

And as you well know, most people don't have secure or encrypted accounts.

That means an email from a patient or potential patient using a gmail account may legally be no more protected by privilege than talking to a doctor face to face with the building janitor sitting in the room.
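One way to do the "confirm TLS is set up on the destination" check from the quoted post, as an added example that is not part of this thread: it parses an EHLO reply for the STARTTLS extension and, for a live check, connects to a caller-supplied MX host (the hostname is an assumption; the sample EHLO replies are constructed) and verifies the server certificate chain and hostname.

```python
import smtplib
import ssl

# Constructed EHLO replies, following the multi-line reply format of RFC 5321.
SAMPLE_EHLO_OK = (
    b"250-mail.example.test Hello\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)
SAMPLE_EHLO_PLAINTEXT = (
    b"250-mail.example.test Hello\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo_features(reply):
    """Turn a raw EHLO reply into {KEYWORD: params}; keywords are case-insensitive."""
    features = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:  # line 1 is the greeting
        body = line[4:]  # strip the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params
    return features


def advertises_starttls(reply):
    """True if the destination offers STARTTLS at all; False means mail would go in clear text."""
    return "STARTTLS" in parse_ehlo_features(reply)


def check_destination_tls(host, port=25, timeout=15):
    """Live check against one MX host: require STARTTLS and a certificate that verifies.
    Returns (ok, detail). Needs network access; host is supplied by the caller (e.g. from an MX lookup)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, refuses legacy protocol versions
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False, "destination does not advertise STARTTLS"
            smtp.starttls(context=ctx)
            smtp.ehlo()  # RFC 3207: re-issue EHLO after the TLS handshake
            return True, "STARTTLS negotiated with " + smtp.sock.version()
    except ssl.SSLCertVerificationError as e:
        return False, "STARTTLS offered but certificate failed verification: %s" % e
    except (smtplib.SMTPException, OSError) as e:
        return False, "connection or SMTP failure: %s" % e


if __name__ == "__main__":
    import sys
    print(check_destination_tls(sys.argv[1] if len(sys.argv) > 1 else "mail.example.test"))  # placeholder host
```

A certificate that fails verification is reported as a failure on purpose: opportunistic STARTTLS without verification still protects against passive capture, but not against an active interposer, which is what a "confirmed" destination should rule out.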

Janx

Hero
Yeah, I'm familiar with HIPAA issues- had to research it for my Dad's medical practice.

The thing is, it isn't just from the practitioner's side that we have concerns. If the patient somehow sends you an email that isn't secured or encrypted, and it reveals otherwise private/privileged info, the issue arises.

And as you well know, most people don't have secure or encrypted accounts.

At least if the patient sends it to you, he is the one who effectively opted in to disclose it. :)

For systems we build, we don't conduct business with external parties over email. We'll send them a notification that medical records were added to a case with a link to log back in and open that case. Putting strict attachment size limits also cut down on adjustors emailing in medical records. That was another crazy thing. Pick an insurance company you've seen a commercial for. Odds are good one of their adjustors is emailing medical records or using IE6 on an XP machine to an FTP (not SFTP) site. If I knew where the facepalm icon was, I'd put one here.


I imagine all this HIPAA/tech talk is boring to folks. It's just something I had to learn when I switched to writing apps for the medical/insurance industry. Which in turn led to me being the guy who had to write down the rules for my company so we could establish that we had rules and followed them so we could do business with clients. Which in turn apparently poisoned me against all forms of communication and kids walking on my lawn. :)
 

Dannyalcatraz

Schmoderator
Staff member
Supporter
At least if the patient sends it to you, he is the one who effectively opted in to disclose it. :)

Oh yeah- the doctor (or lawyer or priest, etc.) is in the clear, but the damage is still done.

It's actually worse for lawyers: it becomes next to impossible to communicate with a client without using the phone, regular mail or face to face without potentially violating the privilege. Again, it would be mostly the client's actions that void the privilege, but that reeeeealy slows stuff down and increases inconvenience. And if the rulings in these cases- or some kind of legislation- don't protect communications prior to the decisions, all of a sudden, huge amounts of data suddenly become discoverable.

That is a nightmare.
 

Morrus

Well, that was fun
Staff member
I have researched homosexuality, poisons, bombs, melee weapons, hate groups, alcohol, political candidates, religious fringe groups, mainstream religions, countries, conspiracy theories, rare flora & fauna, bible passages, Sci-Fi/fantasy/horror fiction, guitars, amps, pedals, laws of many jurisdictions, music of all genres...and so much more.

Anyone trying to take my search history and making a coherent picture of me for investigative or advertising purposes is in for a real struggle.

You should see some of the stuff you research when writing an RPG! Google has a very confused picture of me!
 



Umbran

Mod Squad
Staff member
Supporter
It's actually worse for lawyers: it becomes next to impossible to communicate with a client without using the phone, regular mail or face to face without potentially violating the privilege.

And there are times this gets annoying, because it gets in the way of quite simple progress.

My wife is a veterinarian, and, whether they are legally required to or not, they keep HIPAA in mind.

Sometimes, a vet will get faxed records from another vet. A modern fax/scanner/printer usually has "receive fax to e-mail" or "receive fax to file" functionality, which would mean the doctor receiving could automatically take the information into electronic records, like you'd want them to in the 21st century, without ever having to use up ink or kill trees. Except that e-mail channel is not encrypted. You can't even send it to yourself!
 

Scott DeWar

Prof. Emeritus-Supernatural Events/Countermeasure
I guess you don't want everyone in the world to know if there is something wrong with a prized breeding stallion for even a short period of time. Internet connections only leave a wide open door for abuse.
 

Umbran

Mod Squad
Staff member
Supporter
I guess you don't want everyone in the world to know if there is something wrong with a prized breeding stallion for even a short period of time. Internet connections only leave a wide open door for abuse.

That, sure. But not many vets deal with terribly valuable animals, to be honest.

Of greater concern might be... oh, say... a divorce case, with child custody involved (so, people willing to be ugly). Now, imagine how records about animal care might be used in the courtroom. "You missed Fluffy's annual checkup several times. If you can't manage to keep your dog healthy, how are you going to manage a child?" Or even, "You spent $3K on pet care. So, clearly you can afford $X in child support...."

And let's not even entertain what happens with anything that could be interpreted by an uninvolved third party as possible abuse....

Health and care are very touchy things, into which people are willing to read a lot of moral character. This is why, even if they are not legally required to follow all of HIPAA because the patients are not human, vets generally follow the same ethics - also because I think many aspects of HIPAA have never been applied to vets, and nobody wants to be part of case law :)
 
