The article makes a point that 23andMe isn't bound by HIPAA, but even if it were, I wouldn't consider that adequate. The bar for collecting and holding PII, particularly medical, needs to be much, much higher than it is today.
A doctor I recently visited whipped out his iPhone and asked if I was okay with him recording our conversation so that some fly-by-night rando AI company could vacuum up our private conversation and spit out some LLM-generated summary of our visit. "Not to worry," he insisted, "they're HIPAA compliant!"
I probably should have walked out of the office right then and there, but instead I simply told him no, not under any circumstances may he record our private conversation and send it off to some third party over the Internet. He seemed a bit taken aback because I guess I am the only patient he's had push back on it. He tried saying that the service "really helped him" or something like that. It seemed like he was trying to make me feel bad for "making his job harder."
I simply replied that HIPAA compliance didn't prevent the last 5 or 6 letters I've received from both hospitals and insurance companies about "cybersecurity events" leading to the compromise of my PII. And not just any PII, mind you. It was my medical information, supposedly "protected" by HIPAA. These were major insurance companies and hospitals. And you want me to believe that some fly-by-night AI startup is going to somehow be a safe place for a goddamned fscking full audio recording of our private visit, just because they claim to be HIPAA compliant? Are you kidding me?
I've made it a point to start writing my representatives in government about these issues. They need to wake up and start doing something meaningful to protect the people who are being bamboozled by all the yahoos who play fast-and-loose with their privacy, especially medical PII.
I had a similar experience where I was also assured the data was “doubly protected, it’s secured by a password here and re-secured at the remote site.”
Besides that immediately making me question their security, it is a great example how people trust things without much thought. I’ve heard of calls for statistics to be pushed over calculus to improve math literacy in the general population, perhaps some cybersecurity courses should be pushed over “learn to code” to improve tech literacy.
I’m not sure it really matters in practice at this point.
As a condition of getting a flu and covid vaccine, CVS made me agree to give them
permission to share my medical history, test results, etc. with my employer and their affiliates.
Just thinking here: is it possible that's a catch-all disclosure agreement aimed at employers who require certain vaccinations (I know CVS offers TB shots, for example, which are mandatory for working with some older/vulnerable populations), and this agreement lets CVS send those records to employers when requested?
Either way, it's still a too-broad agreement, but my assumption is that CVS thinks it's easier to opt everyone in by default than to ask patients to opt in as needed, and then inevitably have some patients not opt in when they should have, and then deal with the resulting bureaucratic nightmare when the nursing home they work for calls and demands to see immunization records.
HIPAA is a joke in the first place. How to implement HIPAA compliance is entirely up to the company dealing with the data. There are no prescriptive standards to protect your data. Who isn’t HIPAA certified? It has to be the easiest thing to certify for from a technical perspective. Research teams run records through some NLP shit to depersonalize them, but we all already know it’s trivial to reverse engineer that data to its origin.
HIPAA is a legal framework to describe lawful disclosure of health information- defining who and when, and what steps must be taken when unauthorized / impermissible disclosure happens.
It is technologically agnostic, because it applies whether your doctor is fully remote and everything uses electronic records, or if the provider is still using pen and paper and carrier pigeons.
For actual security details, there may be some regulations with the change to the mandating of electronic records, but nothing in HIPAA ourself. For that, you want to look for organizations that have a certification like SOC2 or similar.
> HIPAA is not a joke, employees can be held personally liable for breeches
Okay, great. So which employees were held personally liable for these two breeches? I got "The Letter" telling me I was one of the victims for both of them.
It is possible your doctor doesn’t fully understand concerns here. Or maybe he does and doesn’t give a shit. If it is the first case, maybe there is some hope - we can try and educate them doctors.
I don’t know how to accomplish this, but we need to educate as many people as we can about privacy
It's a technical problem. Computer is still Magic Box to most people. All they know is marketing. There's a lot of lies around software and it's trivial to get someone, anyone, to upload even very compromising information. Just say you're secure, that you got certification X and businesses A - F use you.
Hell, even tech companies fall for this. They'll upload their shit to some cloud without setting up proper guards because "oh well it's Atlassian". Hope you don't have anything too compromising in that Jira!
Don’t conflate doctor/patient confidentiality and data security. If someone broke into an office and stole medical records, that’s not a violation of doctor/patient confidentiality, even if the doctor chose crappy locks on their doors.
> Yet another example why "HIPAA compliant" means nothing.
"HIPAA compliant" doesn't mean nothing. It means a whole lot. It's just not relevant here, because - as mentioned at the beginning of the article - 23 and Me is not regulated under HIPAA.
A doctor I recently visited whipped out his iPhone and asked if I was okay with him recording our conversation so that some fly-by-night rando AI company could vacuum up our private conversation and spit out some LLM-generated summary of our visit. "Not to worry," he insisted, "they're HIPAA compliant!"
I probably should have walked out of the office right then and there, but instead I simply told him no, not under any circumstances may he record our private conversation and send it off to some third party over the Internet. He seemed a bit taken aback because I guess I am the only patient he's had push back on it. He tried saying that the service "really helped him" or something like that. It seemed like he was trying to make me feel bad for "making his job harder."
I simply replied that HIPAA compliance didn't prevent the last 5 or 6 letters I've received from both hospitals and insurance companies about "cybersecurity events" leading to the compromise of my PII. And not just any PII, mind you. It was my medical information, supposedly "protected" by HIPAA. These were major insurance companies and hospitals. And you want me to believe that some fly-by-night AI startup is going to somehow be a safe place for a goddamned fscking full audio recording of our private visit, just because they claim to be HIPAA compliant? Are you kidding me?
I've made it a point to start writing my representatives in government about these issues. They need to wake up and start doing something meaningful to protect the people who are being bamboozled by all the yahoos who play fast-and-loose with their privacy, especially medical PII.