
[IP] ATT and HIPAA




Begin forwarded message:

From: Bill Schwartz <bill@xxxxxxxxx>
Date: June 23, 2006 8:59:55 AM EDT
To: dave@xxxxxxxxxx
Subject: RE: [IP] more on AT&T rewrites privacy policy

If I understand the AT&T announcement correctly, the use of their
services by a hospital or medical facility would violate the HIPAA
regulations on privacy of patient information. Just from the dialing
information, one could know who was seeking help with AIDS, for example.



Begin forwarded message:

From: Latanya Sweeney <latanya@xxxxxxxxxxxxxxxxxxxxxx>
Date: June 23, 2006 2:39:07 PM EDT
To: David Farber <dave@xxxxxxxxxx>, Lorrie Cranor <lorrie@xxxxxxxxxx>
Subject: Re: is true?


Hi Dave,

I haven't read the privacy statement from AT&T,
but here is my response related to the messages
you attached related to HIPAA.

HIPAA does not offer blanket protection of medical
records. Only a listed group of service providers
are subject to HIPAA; these are termed
"covered entities."  These include physicians,
hospitals, and insurance companies.
Other entities may hold similar or even the same
patient information that would be protected if it were
held by a covered entity, but it is not subject to HIPAA
when it is not held by a covered entity
or a business associate of a covered entity.

AT&T are not themselves directly
covered by HIPAA, which means in general
the information is not protected. For example,
suppose an AIDS support line is maintained
by a non-profit group of volunteers in which people
can call for conversation but no medical services
or charges are involved. Most such groups would
not be a covered entity under HIPAA because there
is no medical billing involved.  Let's further
assume that the phone lines are provided through
AT&T. The phone records would not be subject
to HIPAA.

On the other hand, if the AIDS support line
was provided by a hospital that used it to support
its patients diagnosed with HIV, then the information
would be protected. However, it would be assumed
that the hospital entered into a Business Associates
agreement with AT&T and did not just sign up for phone service
without the additional protection. If such an agreement
did exist, there may be some liability under HIPAA
if AT&T shared the data further.  However, even
this situation is complicated by whether there
was an overarching legal requirement
for the information that took precedence.

--LS


At 09:23 AM 6/23/2006, David Farber wrote:
