I don’t see my primary care doctor selling my health data, due in part to data privacy laws like HIPAA. Consumer companies take COPPA seriously.
You absolutely cannot control what companies do with data, so you want to prevent its collection in the first place – but you can penalize them when they do something wrong, which does influence their behavior. The jury is still out on the effectiveness of the GDPR, but to say it had no effect would be an odd claim.
> I don’t see my primary care doctor selling my health data
Without overstretching the metaphor, it is quite revealing - you wouldn't see your primary care doctor selling that information whether they are or aren't. You don't have an effective way of monitoring the situation. Nobody outside the hypothetical transaction does.
It is common for that sort of situation to go bad if the economics of selling the data make sense despite the risk of getting caught.
It is revealing: I went to the same PCP for the first 18 years of my life and he was incredible as a doctor. He ran his own practice. He was also a great IT admin: he managed his own records, paid to digitize all of them including mine. If he betrayed that trust I’d be sad.
But I hear you. A product just needs to come along that provides some benefit, or the practice could be acquired, etc.
That doesn't mean any of those other companies are buying or selling that data.
The healthcare provider uses an EHR. They might have some managed service provider managing their IT assets and their EHR deployment. Two companies they have BAAs with. That EHR company could be cloud hosted, another BAA. They probably rely on other tools and contractors which might have BAAs. Later on when they go to bill they exchange that billing data through billing analysis tools (another BAA) and then submit to a clearing house (another BAA). All of those companies probably have companies they work with that potentially need BAAs as well, if they work directly with that PHI data in the role of working on behalf of that healthcare provider.
One trip to the doctor could potentially involve dozens of companies you've never heard of that might have a business use case to handle your healthcare data in some way or fashion and none of them actually sold that data or mishandled it under HIPAA.
You can only punish them if you find out about it.
I'm not going to do the legwork for you, but you should be looking around for the way Google is transferring the medical information on 50 million Americans as part of Project Nightingale a few years back, and you should be looking very seriously at medical sites that use Google Analytics in direct violation of HIPAA. The situation here is very much like the situation with the government collecting detailed profiles on every citizen and knowing their location in real time: they're not supposed to be doing it, but the reality is they can and they do.
Snowden's leaks were another great example about how the law doesn't actually matter, if you can't see whether or not it's being enforced.
My point here is if you're counting on the system to protect you, you're going to be disappointed.
Recent example was that I was supposed to give up my ID because I lost my 2FA for a particular site and I refused because I didn't believe they would delete my ID. My friends said that I was paranoid.
> I don’t see my primary care doctor selling my health data, due in part to data privacy laws like HIPAA.
Oh, you sweet summer child. Bless your little heart. You're right. Doctors don't. Insurance companies do! And that data is passed around like hotcakes to make actuarial datasets which basically have the effect of ensuring premiums go up! Several states, in fact, have done everything they can lobbying-wise to make sure it remains okay to trade in your personal health data! Also, from personal experience at a PBM, it is at least an offering to get covered populational reports on spend done on behalf of your covered group, meaning employers are given a view of the overall health of their workforce and what that translates to in dollars out the door on their behalf. Information that, of course, would never be used to do strategic layoffs or cross correlation with time taken off to further optimize for cost reduction, right?
(Note: if I've had this idea, and rejected it on moral/ethical/legal grounds, there are absolutely people who have had it and haven't done so.)