I have to ask, is who or what reads email actually relevant? Wouldn't the purpose of reading the email matter as much if not more? I'm wondering whether the distinction between a computer reading the email and a person reading the email is relevant, and is being presented perhaps as a bit of misdirection. I could be all wrong about this, but if I write a problem that intercepts and scans emails looking for certain keywords, the program is an extension of me, and that I didn't actually read the emails myself doesn't matter.
Thx!
TomB
Speaking technically, rather than legally, it's a yes and no problem.
I am, at this moment (well, a few moments ago), writing code to parse emails to extract a link to login to a portal to download a patient file and then parse that file into my system for my client to use.
During the development, I am likely to see a little PHI but am covered by NDA and need to know.
Once it is deployed, I am not seeing any PHI, nor is anybody else. It's a pipeline from Company A to Company B, even though "something" is reading the email, it is not doing so in the more sentient form of "knowing" what's in your record.
It's kind of like if the Post Office had transporters. They technically know EVERY atom and it's location and thus the contents of the package you shipped. But for practical purposes, they don't actually know what's in the box, even if they scanned it for explosives as part of the process. So a module might "know" what's in the box for the sake or processing the box, but your privacy is still intact from the sense of nobody knows what the present for Timmy was when he gets it but you.
Privacy is not a giant mega-shape that can cover every bit of information about you. It's just not feasible, nor is it conducive to making things work.
there's different kinds of privacy.
Nobody needs to know your social security number
Nobody needs to know who you dated last night
Nobody needs to know about that lump you have
nobody needs to know that you are planning to fire Tom in accounting tomorrow.
These are private things, that should only be shared when you choose and as needed.
As we do know, some people do need your social security number to process your claim
And the computer does need to know your address so it can mail the bill to you
And Google does need to skim your mail for nouns so they can display advertisements about those nouns to you while you use their free service.
but does that mean they've violated those core things I identified at the top? probably not.
Technically your pharmicist knows about the lump you have, because you've got a script for cream for it. It's irrelevant to her, because everybody has a rash somewhere and it's meaningless noise. Pre-HIPPA, everybody knew your business as you stood at the pharmacy counter.
The real point of the privacy laws is to protect your assets, not your privates.
As long as google isn't collating a big database of identities to sell to the Russian hackers, or building a secret black mail profile against you, you don't have a problem.
Your core risk is not that my program is reading your information. It is whether I am opening up the database snapping off a export and selling it to the russians or contacting you on a disposable phone to get you to pay me to not tell your wife about your activities.
It all snaps back to what a human is misusing the data for. the software is often the innocent party, just processing your work, like the assistant at the front desk booking your appointment and taking your credit card to bill you.