It obviously protects against sharing data with e.g. your employer, but if a health provider chooses to make your data shareable, there are 2.2M authorized entities that can potentially access the data (identifiable health data).
Excerpt of the video description: Most people think that HIPAA means that their medical records are kept private. But what if I told you that HIPAA doesn’t protect your privacy at all?
This is our first video in a series about medical privacy, specifically looking at legislation that stripped individuals of the right to consent to medical data sharing.
We focus on what HIPAA actually is, how it came to allow our data to be shared without us even knowing, how we’ve been tricked into thinking we have privacy, and steps we can take to reclaim control of our medical data.
00:00 The State of Medical Privacy is a Mess 02:29 What is HIPAA 07:39 How Your Data is Shared 12:10 The Illusion of Privacy 14:48 What Can We Do 22:16 We Deserve Medical Privacy
We deserve privacy in our medical system. Our health information is sensitive, and we should be allowed to protect it. Even while we fight for better medical privacy, please always prioritize your health.
Special Thanks to: Twila Brase, Rob Frommer, and Keith Smith for chatting to us!
List of doctors who have opted out of the surveillance system: https://jointhewedge.com/
Twila’s website: https://www.cchfreedom.org/patient-toolbox/
Do you want to fight the system and lead a suit against medical data collection? Contact the Institute for Justice: https://ij.org/
Keith Smith’s Surgery Center: https://surgerycenterok.com/
Brought to you by NBTV team members: Lee Rennie, Cube Boy, Sam Ettaro, Will Sandoval and Naomi Brockwell
Edit: changed the title to something that isn’t misleading
Actually I do know that. Pharmacies, too. You do know they are not FAXing giant datasets with millions of patients in them, right?
I’m not disagreeing with you, but the fax loophole does need to be closed.
You’re right to point out the problem. Using a rhetorical tone was a bit sarcastic / condescending, so I mirrored it.
I think it’s a question of perspective. Your doctor faxing something to a pharmacy or specialist is archaic at this point, and I agree it’s not great. If they are using FOIP and not POTS, one would hope it’s encrypted with TLS or something (if it’s not, it’s possibly a HIPAA violation if there’s PHI in the FAX). But the blast radius is pretty small.
I suppose if a hacker compromised a hospital system’s FOIP they could harvest a lot of medical records that way. But at that point, they are already in and they’d likely be more interested in fatter & juicier targets on the network. Bigger datasets with less effort (versus pulling from a trickle of FAXes going in and out).
Bottom line: yes, FAX is dumb, and it’s a problem but it’s very small compared to other things.
Point of fact, I’m not bobs_monkey, the originator of the rhetorical tone. Fax in healthcare continues to survive well past its prime because there is an inherent loophole: analog data transfer is functionally unsuited to encryption. This allows fax to be operated at a “best effort” level of security. There are handling protocols that are meant to keep traditional fax transmissions as private as possible, but these are layer 8 processes with limited enforceability. Beyond that, traditional fax represents a pathway around requirements on encryption while still meeting HIPAA compliance standards.
FOIP is an improvement, but it still allows for interoperability with a traditional fax machine connected to a POTS line in some GP’s office that they’re unwilling to part with. That means the FOIP user can only be confident of the transmission being secure on their side. I can’t speak to the overall adaptation of FOIP in hospital systems, but I do know that there are non-isolated instances of hospitals still relying on traditional fax as opposed to adopting a cloud-fax solution. Hell, there are still major hospitals using SL-100s as their primary phone switches.
I don’t even want to get into codec mismatches, because that falls out of scope when it comes to a privacy discussion.
Long story short, achieving HIPAA compliance is a low bar with regards to fax, and if that were to change I believe we’d see fax disappear (finally!) shortly thereafter.