Monday, March 16, 2015

"Your use of the Services constitutes your agreement to the Privacy Policy"

A new app service is touted as "The OpenTable for Healthcare."

"It's Free!" OK, but, wait, there's more...

One of my Facebook pals posted this stuff to my wall. It links to a PBS story.
App’s terms of service give away your SSN, medical history

Do you know what you’re agreeing to when you click “I agree” on a website’s terms of service form?

In all likelihood, the answer is no. To read just the privacy statement from every different website they visit in a year, Americans would have to dedicate more than 30 eight-hour work days to the mind-numbing task, according to one study. And the privacy policy is only one part of a website’s terms of service.

Yet by signing terms of service, users may cede control of their intellectual property, agree to be used as research subjects and allow companies to collect and distribute their personal information, including, perhaps, medical information.

NewsHour Weekend Anchor and Senior Correspondent Hari Sreenivasan was troubled recently when he received an email from ZocDoc, a popular medical care scheduling service, describing the company’s updated terms of use...
My reaction on Facebook.

Recall the privacy concerns aired in my prior post "Wearables update: The iWatch"?

Also, tangentially, a concern I tweeted while covering the Health 2.0 WinterTech Conference back in January:

ZocDoc: "It's Free!" OK, then, what's the business model? VC built to flip? Trafficking in patients' data? Like Facebook and Twitter and all of these other "free" apps do with consumers' personal data?

Do you really want to grant Amazon's Jeff Bezos (ZocDoc investor) access to your medical data?

Just asking.


OK, going back to the app I cited while covering WinterTech 2015.

From the "Notice of Privacy Practices" on their websites:

How is Patient Privacy Protected?
As the healthcare providers providing online medical services through Doctor on Demand (the “Healthcare Providers”, “us”, “we”, “our”), we understand that information about you and your health is personal. Because of this, we strive to maintain the confidentiality of your health information. We continuously seek to safeguard that information through administrative, physical and technical means, and otherwise abide by applicable federal and state guidelines.

How do we use and disclose health information?
We use and disclose your health information for the normal business activities that the law sees as falling in the categories of treatment, payment and health care operations. Below we provide examples of those activities, although not every use or disclosure falling within each category is listed:
  • Treatment – We keep a record of the health information you provide us. This record may include your test results, diagnoses, medications, your response to medications or other therapies, and information we learn about your medical condition through the online services. We may disclose this information so that other doctors, nurses, and entities such as laboratories can meet your healthcare needs.
  • Payment – We document the services and supplies you receive when we are providing care to you so that you, your insurance company or another third party can pay us. We may tell your health plan about upcoming treatment or services that require prior approval by your health plan.
  • Health Care Operations – Health information is used to improve the services we provide, to train staff and students, for business management, quality improvement, and for customer service. For example, we may use your health information to review our treatment and services and to evaluate the performance of our staff in caring for you.
We may also use your health information to:
  • Comply with federal, state or local laws that require disclosure.
  • Assist in public health activities such as tracking diseases or medical devices.
  • Inform authorities to protect victims of abuse or neglect.
  • Comply with Federal and state health oversight activities such as fraud investigations.
  • Respond to law enforcement officials or to judicial orders, subpoenas or other process.
  • Inform coroners, medical examiners and funeral directors of information necessary for them to fulfill their duties.
  • Facilitate organ and tissue donation or procurement.
  • Conduct research following internal review protocols to ensure the balancing of privacy and research needs.
  • Avert a serious threat to health or safety.
  • Assist in specialized government functions such as national security, intelligence and protective services.
  • Inform military and veteran authorities if you are an armed forces member (active or reserve).
  • Inform a correctional institution if you are an inmate.
  • Inform workers’ compensation carriers or your employer if you are injured at work.
  • Recommend treatment alternatives.
  • Tell you about health-related products and services.
  • Communicate within our organization for treatment, payment, or health care operations.
  • Communicate with other providers, health plans, or their related entities for their treatment or payment activities, or health care operations activities relating to quality assessment or licensing.
  • Provide information to other third parties with whom we do business, such as a record storage provider. However, you should know that in these situations, we require third parties to provide us with assurances that they will safeguard your information.
"Treatment," "Payment," and "Health Care Operations" are simply HIPAA Covered Entity language. The final bullet point raises some questions.
"Provide information to other third parties with whom we do business, such as a record storage provider. However, you should know that in these situations, we require third parties to provide us with assurances that they will safeguard your information."
What comprises "assurances that they will safeguard your information"?

Simple verbal or written "assurances"? Or legally defensible documentation showing that their third parties are in full compliance with HIPAA as it now pertains to Business Associates (BAs)? That's what I'd want to see.


I hope the OCR and OIG will be doing their jobs with respect to these rapidly proliferating health-app developer BAs that will be trafficking in ePHI. I intend to raise the issue.

See my 2012 post "45.CFR.164.3, 45.CFR.164.5, and 42.CFR.2." Again, HIPAA compliance is not for policy dilettantes. And, the requisite HIPAA Privacy and Security Officers are not simply hanging around Home Depot parking lots looking for day work.

More to come...
