Interesting People mailing list archives

Re: Are Google/MSFT bound by HIPAA?

From: David Farber <dave () farber net>
Date: Mon, 25 Feb 2008 03:24:26 -0800

________________________________________
From: Lawrence L. Andrew [andrew () Logonix net]
Sent: Sunday, February 24, 2008 10:33 PM
To: David Farber
Subject: RE: [IP] Re:      Are Google/MSFT bound by HIPAA?

Brock Meeks:  “I wonder how many people on this informed and well-reasoned list have ever, actually, read the privacy 
statements handed out in their doctor's office?”

I read it & questioned it, including the REQUIREMENT to give them my SSN (they claim it is a federal regulation for all 
medical service providers) … & was told, politely but firmly, to sign it or find another medical provider.

Larry
========================
Lawrence L. Andrew
Instructor in Information Systems
Western Illinois University
Macomb, IL  61455
======================

From: DAVID FARBER [mailto:dave () farber net]
Sent: Sunday, February 24, 2008 12:44 PM
To: ip
Subject: [IP] Re: Are Google/MSFT bound by HIPAA?

Begin forwarded message:

From: Brock N Meeks <bmeeks () cox net<mailto:bmeeks () cox net>>
Date: February 24, 2008 11:28:49 AM EST
To: David Farber <dave () farber net<mailto:dave () farber net>>, jmsaul () ctconsultancy com<mailto:jmsaul () 
ctconsultancy com>
Subject: Re: [IP] Re:     Are Google/MSFT bound by HIPAA?

I'm talking about what happens when they get involved in managing the health care information of individuals.  As the 
technology companies we usually think of them as, then no, they aren't covered.  But as they move into handling health 
care information, when do these activities seep into the definition of "covered entity" as defined by HIPAA?

Are these new services classified as a "health care clearing house"?  Where the def. of such is: " In most cases, a 
health care
clearinghouses will receive individually identifiable health information only when they are providing these processing 
services to a health plan or health care provider as a business associate. In such instances, only certain provisions 
of the Privacy Rule are applicable to the health care clearinghouse’s uses and disclosures of protected health 
information."

Or are they considered a "business associate" where they are defined as: "In general, a business associate is a person 
or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on 
behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually 
identifiable health information. Business associate functions or activities on behalf of a covered entity include 
claims processing, data analysis, utilization review, and billing."

I've heard knowledgeable people debate this on both sides.  I will readily claim that I'm no expert -- yet -- but 
within the next few months I'll have enough expertise to proffer an expert opinion.

It's an exciting field in terms of personal privacy; a vital one.

I wonder how many people on this informed and well-reasoned list have ever, actually, read the privacy statements 
handed out in their doctor's office?

On Feb 24, 2008, at 8:47 AM, David Farber wrote:

________________________________________
From: Joseph M. Saul [jmsaul () ctconsultancy com<mailto:jmsaul () ctconsultancy com>]
Sent: Sunday, February 24, 2008 1:01 AM
To: David Farber
Cc: ip
Subject: Re: [IP] Re:  Are Google/MSFT bound by HIPAA?

On Sat, 23 Feb 2008, DAVID FARBER wrote:

Dr. Zimmer asks a very important question; unfortunately the answer is, "it
depends."  There are opinions on both sides of this answer.  Some claim
that Google and Msft are, indeed, bound by HIPAA's privacy and disclosure
guidelines; other say, "hold on, it's not so clear that they are."

The question was whether they're currently bound by the HIPAA Privacy
Rule.  As it currently stands, they don't fit into any of the covered
entity categories.  Are you talking about what would happen if they moved
into the healthcare space, or are you saying they may actually be bound
today?  And if it's the second one, could you explain the reasoning?

   -- Joe Saul, J.D.

________________________________
Archives<http://www.listbox.com/member/archive/247/=now> [https://www.listbox.com/images/feed-icon-10x10.jpg] 
<http://www.listbox.com/member/archive/rss/247/>

[https://www.listbox.com/images/listbox-logo-small.jpg]<http://www.listbox.com>

No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.21.0/1296 - Release Date: 2/24/2008 12:19 PM

No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.21.0/1296 - Release Date: 2/24/2008 12:19 PM

-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com

Current thread:

Are Google/MSFT bound by HIPAA? David Farber (Feb 23)
- <Possible follow-ups>
- Re: Are Google/MSFT bound by HIPAA? DAVID FARBER (Feb 23)
- Re: Are Google/MSFT bound by HIPAA? David Farber (Feb 24)
- Re: Are Google/MSFT bound by HIPAA? David Farber (Feb 24)
- Re: Are Google/MSFT bound by HIPAA? David Farber (Feb 24)
- Re: Are Google/MSFT bound by HIPAA? DAVID FARBER (Feb 24)
- Re: Are Google/MSFT bound by HIPAA? David Farber (Feb 25)
- Re: Are Google/MSFT bound by HIPAA? David Farber (Feb 25)
- Re: Are Google/MSFT bound by HIPAA? David Farber (Feb 26)
- Re: Are Google/MSFT bound by HIPAA? David Farber (Feb 28)