Does HIPAA Even Exist for Large Corporations? -- PART 2
Today I got my official reply to my HHS Office of Civil Rights complaint of 5/3/24 against CVS for violating HIPAA regulations. The minor and rather impressive miracle here is that I got a signed letter from an attorney in only 17 days with relevant regulations and interpretations attached. Good so far.
The result was that they are not going to pursue a formal complaint -- instead they are going to "resolve this matter informally through the provision of technical assistance to CVS."
HHS OCR points out that "a covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.... Further, under the Security Rule, with certain exceptions, the use of encryption is addressable; i.e., not mandatory." [red emphasis mine]
HHS further states under Reasonable Safeguards that "It is not expected that a covered entity’s safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business."
If HHS OCR actually in fact offers this technical assistance in a meaningful way, that WOULD satisfy my complaint -- not that anyone is asking me. This was almost certainly a stupid screw-up by someone in CVS Info Tech programming the canned computer "after visit summary" process to send out way too much information in unencrypted format to people who received a COVID booster at a CVS. If CVS STOPS doing this, I'm good.
To recap -- I received an after-visit summary not only listing what COVID booster med I received, but also my DOB, home address, and all the answers to my screening questionnaire including my answers to whether or not I have ever had a seizure, a bleeding disorder, am currently pregnant, am immunocompromised (including from cancer), have a history of myocarditis, and many other questions.
I will waste my time writing HHS OCR back to thank them and to remind them that to the best of my knowledge I never signed a release for disclosure (which apparently has no legal bearing here?), and that in this new age of AI every major tech company is incorporating AI into EVERYTHING. If I had a Gmail account, Google would have all my medical information from this CVS after visit summary email and likely would be utilizing AI to monetize it in some way.
I suppose the good news here for small psychotherapy practices is that if this is close to acceptable practice for even a giant company like CVS, then maybe we have little to worry about when it comes to client privacy. Heck -- why not just email client PHI to them without getting releases first? Why have encrypted client portals for communication?
-- Michael
**Does HIPAA Even Exist for Large Corporations? -- PART 1**
I don't care if anyone knows I just got a COVID vaccine. Most people don't care.
However, CVS Pharmacy just sent me an after-visit report across unencrypted Internet to my email address.
The form included such fields as:
-- My Full Name
-- **DATE OF BIRTH!**
-- My Full Home Address
-- Medication Administered
-- Date and Time of Appointment
-- Name of Pharmacist I saw
-- Name of Doctor at CVS overseeing it all
-- Name and Address of my Primary Care Doctor
Also:
-- All the answers to my *screening questionnaire!* including my yes/no answers to multiple medical conditions such as heart problems, immunocompromise, seizures & other brain problems, and pregnancy.
So many things wrong here. This is almost enough information for identity theft (lacking only SSN). It gives away LOTS of my medical information. If I had a Gmail email address, Google would now have all this information. What if I was a pregnant female in the southern USA where Attorney Generals are starting to track state of pregnancy for later prosecution if women go out-of-state for abortions or have a suspicious (to them) miscarriage?
**How does CVS get away with this when smaller medical offices have to be so careful?**
Michael Reeder, LCPC
#AI #EHR #medicalnotes #progressnotes #healthcare #patientportal #HIPAA #dataprotection #infosec @infosec@a.gup.pe #doctors #hospitals #CVS #COVID #sars-cov-2 #longcovid #severecovid#covidisnotover #pharmacy #vaccine
If you sit down and talk with Republicans,
which I advise against doing,
you will notice that they justify nearly every one of their awful policies with a call to states’ rights.
They say they want to take power away from national representatives in Washington, D.C., and redistribute it to state and local governments,
which, they claim, are best equipped to determine the best policies for their constituents’ particular, parochial concerns.
They use this appeal to “federalism” to shield them from moral accountability for their disastrous actions.
Republicans will say, for instance, that their intention is not to take away abortion rights but merely to let the states decide when a person can be forced to give birth against their will.
They are lying, of course.
We know this because whenever Republicans get the power to impose their views by national fiat, they happily do so, states’ rights be damned.
Republicans are for local control right up until a local prosecutor declines to deport an immigrant or a city council decides to ban assault weapons.
Still, “states’ rights” remains their battle cry,
and few things expose the full measure of their antipathy toward democratic norms and civil rights than what they do with the power they’ve given to the states.
Most people are aware of the horrors that await when Republicans take control of statehouses and governors’ mansions.
For recent examples, consider Greg Abbott’s murder moat in Texas, or Glenn Youngkin’s crusade against abortion rights and Pornhub in Virginia.
Fewer, however, recognize the horrors that lie in store when Republicans commandeer the machinery of the law.
Put simply, whichever rights the Supreme Court does not succeed in obliterating, Republican-controlled state courts and Republican attorneys general eagerly chisel away, state by state.
They are the people who, under their own authority, can bend the law to their will and weaponize it against vulnerable communities.
There are currently 27 of them, and they include future Newsmax hosts like
Kansas AG Kris #Kobach, who finds his joy in suing to stop Joe Biden’s student debt relief program;
Florida AG Ashley #Moody, who spends her days fighting whatever “wokeness” conspiracy exists in her head at any given moment;
and Texas AG Ken #Paxton, who has effectively decided to make up his own immigration laws and enforce them at the point of a gun.
Republicans realized long ago that state AGs represent the steel gauntlet inside the velvet glove of states’ rights.
They also realized that they needed an organization to help them make that vision real,
so in 1999 they created one: the
💥Republican Attorneys General Association.💥
Much like the Democratic National Committee or the Republican National Committee or any number of partisan-affiliated outfits, #RAGA identifies candidates, supports their efforts to win elections, and imposes national Republican priorities at the state level
—though that’s far from all it does.
The association sees its mission as “Defending the Rule of Law. Keeping America Safe”
and hails itself as “America’s last line of defense.”
You’d think that means keeping states safe from criminals and fraudsters,
but in most cases RAGA AGs think they’re “defending” us from transgender kids who need to use the bathroom or Uber drivers who take people across state lines to get abortions.
RAGA prosecutors share a hatred of reproductive rights, a love of guns, and an obsession with persecuting the LGBTQ community.
You probably didn’t need me to tell you that, though:
Hating women and gay people while using a .450 Bushmaster as a masculinity supplement when the testicle tanning wears off is simply standard GOP operating procedure these days.
But RAGA AGs are also committed to doing the dirty work for every other hellish Republican policy idea,
from destroying the environment to gutting voting rights to undermining vaccines, because apparently states need “defending” from science, facts, and public health.
No matter what awful thing they’re doing, the AGs always have enough money to do it.
In exchange for this largesse, these corporations get more than one-off lawsuits or the occasional friendly AG.
Beyond backing individual officials, RAGA is involved with bigger, broader strategies.
RAGA attorneys general work hand-in-hand with preferred Trump judges to shape our national laws through targeted cases designed for appellate and eventually Supreme Court review.
They make rulings that trigger nationwide injunctions.
In recent months, RAGA AGs in 19 states have asserted their right to get access to the private medical records of patients seeking care out of state
—most likely so they can be prosecuted for receiving an abortion when they come back home.
In 13 states, RAGA AGs have threatened to sue companies over their diversity and inclusion programs.
Most of the time, the law is hiding in shadows, obscured under thick layers of jargon and confusing rules of procedure.
But RAGA attorneys general are not trying to hide the ball. They’re proud of their work.
These people are elected officials (many with ambitions for higher office), so when they menace a vulnerable community, they want you to know about it.
Psychology news robots distributing from dozens of sources: https://www.clinicians-exchange.org
. Does HIPAA Even Exist for Large Corporations?
I don't care if anyone knows I just got a COVID vaccine. Most people
don't care.
However, CVS Pharmacy just sent me an after-visit report across
unencrypted Internet to my email address.
The form included such fields as:
-- My Full Name
-- DATE OF BIRTH!
-- My Full Home Address
-- Medication Administered
-- Date and Time of Appointment
-- Name of Pharmacist I saw
-- Name of Doctor at CVS overseeing it all
-- Name and Address of my Primary Care Doctor
Also:
-- All the answers to my screening questionnaire! including my yes/no
answers to multiple medical conditions such as heart problems,
immunocompromise, seizures & other brain problems, and pregnancy.
So many things wrong here. This is almost enough information for
identity theft (lacking only SSN). It gives away LOTS of my medical
information. If I had a Gmail email address, Google would now have all
this information. What if I was a pregnant female in the southern USA
where Attorney Generals are starting to track state of pregnancy for
later prosecution if women go out-of-state for abortions or have a
suspicious (to them) miscarriage?
*How does CVS get away with this when smaller medical offices have to
be so careful?
*
This comes as a surprise because
1.) I've had the Rx filed by Walmart off-and-on over the past 20 years or so.
2.) I had no issues with #CVS / no idea that this was "a thing"
Now closer to a WM pharm vs the prev CVS, it made sense to have this month sent here
(Adderall patients are forced through this rigmarole every 30 days).
Went to our local #cvs drug store last night to get some cold medicine. Store was almost empty. Only one checker. Get to cold isle and thing I wanted is locked up in the security cage. Press button, no body comes. Walk up to front, cashier can't leave front of store and manager is only one with key and "in the back doing money stuff".
Can you (cashier) get the key from manager? No, can't leave front. Does manager know I want to give you money? Yes. After 20 min, I left without purchase. #gripe
'CVS is brilliant almost free labor!!': Man shares how to make money while shopping at CVS. Viewers think it's the store's way of not having to pay workers