
The practice spooky23 reports in the thread you cite appears to be blatantly illegal, and the assurance that it was not came from someone who was paid to protect the company; no complaint was made to anyone responsible for enforcing the law.

That's probably the biggest problem with HIPAA, not the law or supporting regs (which have problems, like the one I address upthread), but that most people's first and only complaint of a problem will be to the wrongdoer themselves, not anyone with an interest in enforcing the law. (In Spooky23’s case, there was some effort to go beyond that, but not to an entity actually responsible for enforcing the law in question, or even an agency of the right sovereign entity.)

In any case, while the practices spooky23 raises are, legal or not, a real concern, they in no way justify characterizing my criticism of the specific problems with HIPAA deidentification rules as naive in the context of a pre-existing discussion of reidentification of deidentified data (which is a completely different issue than sharing, legally or not, data which is not deidentified as is the issue in spooky23’s case.) Again, it's a real issue, just not a germane one to where it was aggressively thrown into the discussion.



Did you read the second comment on that link from Spooky23? It is legal. Also the second linked article ascribes to the practice being legal. It was a ProPublica report:

"Yes, you are. The events surrounding what happened to my wife was very painful (an ectopic pregnancy that nearly killed her), and a thoughtless reminder was very unwelcome. I still feel violated and betrayed.

In our case, I found out the marketing list from Enfamil and bought it for my zip code. _I complained to the hospitals’ privacy officer and the state regulator and found that everything was legal._

There is a lot of data on the topic...

Prescriptions: https://www.theguardian.com/technology/2017/jan/10/medical-d.... Linkage to lifestyle data: https://www.statnews.com/2018/07/18/health-insurers-personal....

In our case, the hospital pharmacy issued drugs to her indicative of a pregnancy. The pharmacy or insurer provides that information in real time to data brokers. The pharmaceutical companies assign quotas and send salespeople for certain drugs. There are other ways for data to get out that we’re not certain of. Perhaps the insurer “anonymizes” and sells subrogation information. Or the lab. In any case, they knew that my wife was admitted to an OB floor of a hospital, but didn’t know the outcome.

It’s not going away. The US government uses these same techniques with companies like Google to combat extremism or terrorist conversions — they actually use factors like this to target potential recruits with counter-information via ads."


> Did you read the second comment on that link from Spooky23?

Yeah, as you can tell by the fact that I responded to the post pointing out that the two people complained to were:

(1) A person whose job it is to make sure the hospital doesn't get sued, who is never going to admit wrongdoing, and

(2) An official from the wrong agency (and even the wrong government) when it comes to the law in question.

Also, note that the link you've copied that isn't a 404 is only tangentially related, as it is about gathering and sharing data that never comes under the protection of HIPAA, not resharing PHI as addressed in spooky23’s post, which again is a different issue than reidentification of HIPAA deidentified data that I was responding to here. There are lots of different issues around health data, and it isn't helpful to conflate them, much less to hurl abuse at people for failing to conflate the different issues.


There's the other alternative: The company needed no HIPAA data at all to infer the approximate due date:

https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...

That's from 2012, it's no surprise that the tools for identification have gotten better, even without doing things that are illegal.



