Does HIPAA Even Exist for Large Corporations? -- PART 2
Today I got my official reply to my HHS Office of Civil Rights complaint of 5/3/24 against CVS for violating HIPAA regulations. The minor and rather impressive miracle here is that I got a signed letter from an attorney in only 17 days with relevant regulations and interpretations attached. Good so far.
The result was that they are not going to pursue a formal complaint -- instead they are going to "resolve this matter informally through the provision of technical assistance to CVS."
HHS OCR points out that "a covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.... Further, under the Security Rule, with certain exceptions, the use of encryption is addressable; i.e., not mandatory." [red emphasis mine]
HHS further states under Reasonable Safeguards that "It is not expected that a covered entity’s safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business."
If HHS OCR actually in fact offers this technical assistance in a meaningful way, that WOULD satisfy my complaint -- not that anyone is asking me. This was almost certainly a stupid screw-up by someone in CVS Info Tech programming the canned computer "after visit summary" process to send out way too much information in unencrypted format to people who received a COVID booster at a CVS. If CVS STOPS doing this, I'm good.
To recap -- I received an after-visit summary not only listing what COVID booster med I received, but also my DOB, home address, and all the answers to my screening questionnaire including my answers to whether or not I have ever had a seizure, a bleeding disorder, am currently pregnant, am immunocompromised (including from cancer), have a history of myocarditis, and many other questions.
I will waste my time writing HHS OCR back to thank them and to remind them that to the best of my knowledge I never signed a release for disclosure (which apparently has no legal bearing here?), and that in this new age of AI every major tech company is incorporating AI into EVERYTHING. If I had a Gmail account, Google would have all my medical information from this CVS after visit summary email and likely would be utilizing AI to monetize it in some way.
I suppose the good news here for small psychotherapy practices is that if this is close to acceptable practice for even a giant company like CVS, then maybe we have little to worry about when it comes to client privacy. Heck -- why not just email client PHI to them without getting releases first? Why have encrypted client portals for communication?
-- Michael
**Does HIPAA Even Exist for Large Corporations? -- PART 1**
I don't care if anyone knows I just got a COVID vaccine. Most people don't care.
However, CVS Pharmacy just sent me an after-visit report across unencrypted Internet to my email address.
The form included such fields as:
-- My Full Name
-- **DATE OF BIRTH!**
-- My Full Home Address
-- Medication Administered
-- Date and Time of Appointment
-- Name of Pharmacist I saw
-- Name of Doctor at CVS overseeing it all
-- Name and Address of my Primary Care Doctor
Also:
-- All the answers to my *screening questionnaire!* including my yes/no answers to multiple medical conditions such as heart problems, immunocompromise, seizures & other brain problems, and pregnancy.
So many things wrong here. This is almost enough information for identity theft (lacking only SSN). It gives away LOTS of my medical information. If I had a Gmail email address, Google would now have all this information. What if I was a pregnant female in the southern USA where Attorneys General are starting to track state of pregnancy for later prosecution if women go out-of-state for abortions or have a suspicious (to them) miscarriage?
**How does CVS get away with this when smaller medical offices have to be so careful?**
Michael Reeder, LCPC
#AI #EHR #medicalnotes #progressnotes #healthcare #patientportal #HIPAA #dataprotection #infosec @infosec@a.gup.pe #doctors #hospitals #CVS #COVID #sars-cov-2 #longcovid #severecovid #covidisnotover #pharmacy #vaccine
There is no #conspiracy as to why it’s being withdrawn - it’s just outdated now and we have better, newer vaccines that are more effective for the current versions and strains in circulation.
What I'd like to know is why did SkyNews (Australia) choose to go with the headline: "AstraZeneca withdrawn worldwide over side effects" #covid19 #antivaxxer #antivax #scicomm
(When you enter Ireland a leprechaun greets all under 80s at the border and gives you a lucky charm with immunity to COVID so we only offer the booster to over 80s.)
Over a year since they pulled this vaccine from the market in Norway, the producer finally admits that it had serious side effects. Far too late! This is not how you build trust as a pharmaceutical company. - https://open.lbry.com/@WAM:0/astrazenecapullsdeadlyvaccinewam:3
I had the full dose of AstraZeneca, was happy with it. The side effects (for me) were mild.
The chair of epidemiology at Deakin University in Australia, Prof #CatherineBennett, said the #vaccine had played a pivotal part in the worldwide fight against the virus, particularly in the early days of the #pandemic when limited vaccines were available.
Periodic friendly reminder that the Covid pandemic is not over, kiddos! We're still All Up In It, and a new variant is starting to make the rounds. Wear your mask in public. Don't go out or to work if you're feeling even a little sick. No, a negative Covid test does not necessarily mean that you don't have Covid. No, a negative Covid test does not mean you aren't contagious. No, a negative Covid test does not mean "it's just allergies".
If writing to legislators is your kind of thing, now might be a good time to remind them that we still 100% need unlimited free Covid tests, vaccines, and paid medical leave.
📌 Scientists have created a vaccine that has the potential to protect against a broad range of coronaviruses, including varieties that are not yet even known about.
📌 The experimental shot, which has been tested in mice, marks a change in strategy towards “proactive vaccinology”, where vaccines are designed and readied for manufacture before a potentially pandemic virus emerges.
Psychology news robots distributing from dozens of sources: https://www.clinicians-exchange.org
This is a comprehensive message from Yale School of Public Health about how COVID affects the immune system. The graphics from Yale SPH explain what we do (& don’t) know about Covid’s effect on the immune system.
Much of this is informed by the work of Dr Akiko Iwasaki, recognized on Time Magazine's annual list of 100 most influential people.
Global Stockpile of #Cholera #Vaccine Is Gone as Outbreaks Spread
Doses of cholera vaccine are being given to patients as fast as they are produced and the global stockpile has run completely dry.
Three new vaccine makers are setting up production lines. Current maker's efforts are “heroic” to expand its production.
Yet even with all this, global supply of vaccine that will become available this year will be, at best, a quarter of what is needed. https://www.nytimes.com/2024/04/11/health/cholera-vaccine-shortage.html https://archive.ph/EgL9w
I haven't taken home a bar souvenir like this in many years. I saw this at Atlanta Eagle tonight and started happy-crying. It's going in my keepsakes. I didn't think I would see this in my lifetime. #HIV #AIDS #vaccine
3 years ago today I got vaccinated. J&J vaccine.
Thank you science and scientists. Thank you people who distributed it. Thank you taxpayers who paid for it.
You all turned a possible death sentence into something that can be managed.