
Ask HN: Dr sending marketing emails after multiple unsubscribes HIPAA Violation? - anm89
A doctor's office has been sending me marketing emails for years after multiple unsubscribes. Just based on the nature of their office specialty and based on the content of this email, it would be very easy to infer pieces of my past medical history that I would not want public. I'm assuming Google now understands this part of my medical history based on their parsing of these messages.

I'm also just annoyed at the concept of having to unsubscribe over and over again.

My question is: could anything here be construed as a HIPAA violation?
======
jklein11
Big disclaimer: IANAL, but I do work in Health IT.

If this really has you irked and you want to do something about it you can
file a formal complaint.[1] I would have to think that a call from the OCR
would get a practice thinking more about their patients’ privacy and that must
be a good thing.

I think it is unlikely that they are breaking any laws. The practice likely
posted their Notice of Privacy Policy, and you may have even signed something.
Once you allowed them to share your health data, your right to revoke that
consent is largely dependent on whether the data is considered sensitive (i.e.
substance abuse and mental health data) and on your state and local laws.

It is shocking to me how far removed people are from the ownership of their
health data. I’m really passionate about changing that. If anyone is
interested in working on this problem feel free to reach out.

1\. [https://www.hhs.gov/hipaa/for-individuals/guidance-materials...](https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html)

~~~
chris11
Aren't there major privacy concerns? It's so easy for an advertiser to get
personal data from ad recipients that I'd expect private info could be
inferred from the office just giving out patients' email addresses.

~~~
jklein11
Here is a link to the Cleveland Clinic's NPP as an example. I'm not sure which
health system the OP was referencing.

[https://my.clevelandclinic.org/-/scassets/files/org/about/pr...](https://my.clevelandclinic.org/-/scassets/files/org/about/privacy-practices/cleveland-clinic-notice-of-privacy-practices-english.ashx?la=en)

If you look under Authorizations for other uses and disclosures there is
language around using healthcare data for marketing. Specifically:

> For example, most uses and disclosures of psychotherapy notes, uses and
> disclosures of health information for certain marketing purposes, and
> disclosures that constitute a sale of health information require your
> written authorization.

It is very likely that in the many pages of paperwork you fill out when you
are starting to see a new physician, you agree to have the health system share
your health information for marketing purposes.

There is also more general language around contacting a patient via email:

> Contacting You. We may use and disclose health information to reach you
> about appointments and other matters. We may contact you by mail, telephone
> or email. For example, we may leave voice messages at the telephone number
> you provide us with, and we may respond to your email address.

I think these would be enough of a defense if the OCR ever audited the
practice around marketing emails received by patients.

At the core of it, I'm not sure that this is such a bad thing. For example,
targeting diabetics with ads for more effective insulin treatments hardly
seems like a bad thing. I just think it is wrong that the patient is so far
removed from the picture.

------
taf2
HIPAA aside, if you have unsubscribed and you continue to receive email... you
might be able to go after them as violators of the CAN-SPAM Act... check it out here:
[https://www.ftc.gov/tips-advice/business-center/guidance/can...](https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business)

