Ask HN: Dr sending marketing emails after multiple unsubscribes, HIPAA violation?
6 points by anm89 on Sept 27, 2019 | 4 comments
A doctor's office has been sending me marketing emails for years after multiple unsubscribes. Just based on the nature of their office's specialty and on the content of this email, it would be very easy to infer pieces of my past medical history that I would not want public. I'm assuming Google now understands this part of my medical history based on their parsing of these messages.

I'm also just annoyed at the concept of having to unsubscribe over and over again.

My question is: could anything here be construed as a HIPAA violation?




Big disclaimer: IANAL, but I do work in Health IT.

If this really has you irked and you want to do something about it you can file a formal complaint.[1] I would have to think that a call from the OCR would get a practice thinking more about their patients’ privacy and that must be a good thing.

I think it is unlikely that they are breaking any laws. The practice likely posted their Notice of Privacy Policy, and you may have even signed something. Once you allowed them to share your health data, your right to revoke that consent is largely dependent on whether the data is considered sensitive (i.e. substance abuse and mental health data) and on your state and local laws.

It is shocking to me how far removed people are from the ownership of their health data. I’m really passionate about changing that. If anyone is interested in working on this problem feel free to reach out.

1. https://www.hhs.gov/hipaa/for-individuals/guidance-materials...


Aren't there major privacy concerns? It's so easy for an advertiser to get personal data from ad recipients that I'd expect private info could be inferred from the office just giving out patients' email addresses.


Here is a link to the Cleveland Clinic's NPP as an example. I'm not sure which health system the OP was referencing.

https://my.clevelandclinic.org/-/scassets/files/org/about/pr...

If you look under "Authorizations for other uses and disclosures", there is language around using healthcare data for marketing. Specifically:

> For example, most uses and disclosures of psychotherapy notes, uses and disclosures of health information for certain marketing purposes, and disclosures that constitute a sale of health information require your written authorization.

It is very likely that in the many pages of paperwork you fill out when you are starting to see a new physician, you agree to have the health system share your health information for marketing purposes.

There is also more general language around contacting a patient via email:

> Contacting You. We may use and disclose health information to reach you about appointments and other matters. We may contact you by mail, telephone or email. For example, we may leave voice messages at the telephone number you provide us with, and we may respond to your email address.

I think these would be enough of a defense if the OCR ever audited the practice around marketing emails received by patients.

At the core of it, I'm not sure that this is such a bad thing. For example, targeting diabetics with ads for more effective insulin treatments hardly seems like a bad thing. I just think it is wrong that the patient is so far removed from the picture.


HIPAA aside, if you have unsubscribed and you continue to receive email... you might be able to go after them as violators of the CAN-SPAM Act. Check it out here: https://www.ftc.gov/tips-advice/business-center/guidance/can...



