[IP] AT&T and HIPAA
Begin forwarded message:
From: Latanya Sweeney <latanya@xxxxxxxxxxxxxxxxxxxxxx>
Date: June 28, 2006 5:42:11 AM EDT
To: David Farber <dave@xxxxxxxxxx>
Cc: Bob Gellman <bob@xxxxxxxxxxxxxx>
Subject: Re: Farber's List posting
Dave,
Bob Gellman is a leading legal scholar on privacy
policy, and the most knowledgeable person about HIPAA
that I know. Below is his response to the inquiry about AT&T
and HIPAA. (Please post this message to your list.)
--LS
At 08:05 PM 6/23/2006, Bob Gellman wrote:
Someone sent me your posting from Dave Farber's list about the
latest AT&T privacy policy and HIPAA. You wrote:
"On the other hand, if the AIDS support line was provided by a
hospital that used it to support its patients diagnosed with HIV,
then the information would be protected. However, it would be assumed
that the hospital entered into a Business Associates agreement with
AT&T and did not just sign-up for phone service without the
additional protection. If such an agreement did exist, there may be
some liability under HIPAA if AT&T shared the data further. However,
even this situation is complicated by whether there was an
overarching legal requirement for the information that took
precedent."
I don't think that a telephone company is a business associate
under HIPAA. It is just a conduit for information. Here's an
answer from the OCR FAQ (answer number 245) that explains the point:
"Are the following entities considered "business associates" under
the HIPAA Privacy Rule: US Postal Service, United Parcel Service,
delivery truck line employees and/or their management?
No, the Privacy Rule does not require a covered entity to enter
into business associate contracts with organizations, such as the
US Postal Service, certain private couriers and their electronic
equivalents that act merely as conduits for protected health
information. A conduit transports information but does not access
it other than on a random or infrequent basis as necessary for the
performance of the transportation service or as required by law.
Since no disclosure is intended by the covered entity, and the
probability of exposure of any particular protected health
information to a conduit is very small, a conduit is not a business
associate of the covered entity." (END OCR)
We can dream up circumstances in which a conduit would access
information entrusted to it, and that could create interesting and
complicated HIPAA questions. Much would depend on what the covered
entity knew about the conduit's conduct, and what was allowed by
its contract with the conduit. If a conduit regularly "opened the
package" and peeked, then a business associate agreement might be
required to control that conduct.
I haven't read AT&T's policy either. But its reported assertion of
ownership is bad policy, bad law, and rather meaningless. With
personal information, there are rights, interests, and
responsibilities on all sides. A claim of ownership doesn't get
anyone anywhere.
I don't have access to Farber's list, but you can post this if you
choose.
Bob
--
+ + + + + + + + + + + + + + + + + + + + + + +
+ Robert Gellman <bob@xxxxxxxxxxxxxx> +
+ Privacy and Information Policy Consultant +
+ 419 Fifth Street SE +
+ Washington, DC 20003 +
+ 202-543-7923 www.bobgellman.com +
+ + + + + + + + + + + + + + + + + + + + + + +