>With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
Based on the context from the article, with the PHI uploaded being incidental, it would probably fall under this exception. It sounds like ESHYFT isn't meant to be storing any PHI, based on the privacy policy above.
> I also saw what appeared to be medical documents uploaded to the app. These files were potentially uploaded as proof for why individual nurses missed shifts or took sick leave. These medical documents included medical reports containing information of diagnosis, prescriptions, or treatments that could potentially fall under the ambit of HIPAA regulations.
It looks like providers accidentally uploaded some PHI.
IANAL so I may be wrong, but I worked for a healthcare company. Whether HIPAA applies to them depends on whether they are considered a covered entity or a business associate [0].
IMO they aren't bound to HIPAA requirements as a covered entity.
Business associate is a little tricky to determine. But business associates have to sign a BAA (Business Associate Agreement). And I doubt they would have signed one if they have that in their privacy policy.
Also, just as a side note, HIPAA is not an ideal standard to begin with for security. Many large companies exchange bulk PHI via Gmail since it is HIPAA compliant.
> Also, just as a side note, HIPAA is not an ideal standard to begin with for security. Many large companies exchange bulk PHI via Gmail since it is HIPAA compliant.
You seem to imply that using Gmail is a bad thing? I think Gmail, when appropriately configured to handle PHI, is probably a million times more secure than some crappy bespoke "enterprise" app.
It isn't that hard to set up a secure SFTP server to automate the exchange. But then again, this is a post about configuring an S3 bucket with public access for SSNs.
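The exposure the commenter alludes to (an S3 bucket whose policy or ACL grants read access to anyone) can be checked offline from the bucket's own configuration. The following is an added example, not code from the article, from ESHYFT or from any commenter; the bucket name, account ID and role name are made up, and the sample policy, ACL grants and Block Public Access settings are constructed to mirror the JSON shapes of GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock.

```python
import json

# Grantee URIs that mean "anyone on the internet" / "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: a policy that lets anyone read and list the bucket.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-hr-uploads",
                     "arn:aws:s3:::example-hr-uploads/*"],
    }],
})

# Constructed sample: the same bucket, limited to one IAM role (hypothetical ARN).
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-uploader"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-hr-uploads/*",
    }],
})

# Constructed sample ACL grants (shape of GetBucketAcl's "Grants" list).
PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# The four Block Public Access switches (keys of PublicAccessBlockConfiguration).
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} is reachable by anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Allow statements with a wildcard principal. A Condition block
    (aws:SourceIp, aws:SourceVpce, ...) may narrow "*", so those are
    flagged as 'conditioned' for manual review instead of being skipped."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append({"sid": stmt.get("Sid"), "actions": actions,
                         "conditioned": "Condition" in stmt})
    return findings


def public_acl_permissions(grants):
    """Permissions the ACL hands to AllUsers / AuthenticatedUsers."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]


def block_public_access_complete(bpa_config):
    """True only when all four Block Public Access switches are on."""
    return all(bpa_config.get(k) is True for k in BPA_KEYS)


def assess_bucket(policy_json, grants, bpa_config):
    """'public' is True when a public grant exists and Block Public Access
    is not fully enabled (fully enabled, it ignores public ACLs and
    restricts public policies, which is why it is the recommended fix)."""
    stmts = public_policy_statements(policy_json)
    acl = public_acl_permissions(grants)
    bpa_ok = block_public_access_complete(bpa_config)
    return {"public": (bool(stmts) or bool(acl)) and not bpa_ok,
            "policy_findings": stmts, "acl_findings": acl,
            "block_public_access": bpa_ok}


if __name__ == "__main__":
    print("misconfigured:", assess_bucket(PUBLIC_POLICY, PUBLIC_ACL_GRANTS,
                                          {k: False for k in BPA_KEYS}))
    print("hardened:", assess_bucket(PRIVATE_POLICY, PUBLIC_ACL_GRANTS[:1],
                                     {k: True for k in BPA_KEYS}))
```

Run against real buckets by feeding it the JSON from `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`; a bucket holding SSNs or anything resembling PHI should come back with no policy or ACL findings and `block_public_access` true.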
The issue with Gmail is sending to the wrong email, sending to a broad email list, and having people download it to their local machines. And the amount of PHI being transmitted in these files is larger than this S3 bucket.
>It isn't that hard to set up a secure SFTP server to automate the exchange
When you've got a trickle of information coming and going from hundreds or thousands of other individuals working at tens or hundreds of other entities, it is.
You'd eventually wind up developing the kind of ridiculous "secure messaging and file drop" type service that every megabank builds on top of their SFTP and ticketing systems for that purpose. That stuff ain't cheap to run and keep running.
Better to just start with a solution that's 99% there.
Depends on the person. Northwest Arkansas is a beautiful place with tons of outdoor activities and the ability to live like a king on a major company CTO salary. I'd rather live there than Seattle or San Francisco.
That link is for the CTO of Walmart, but TFA is about the CTO of Sam's Club.
It looks like they're one rung down the ladder so I'm sure they're doing just fine even in California, but they're probably making quite a bit less than $15M/year.
> Perhaps a better question is - if one can get an offer at other FAANGs and the equivalents... is there a reason to choose Amazon over others?
It kind of depends on the person. I've seen people go from Amazon to Google and they want to go back to Amazon because they are bored. Some people just thrive in high pressure environments. Also everything is pretty team dependent at FAANGs, you could end up at a bad team at any of them.
>If I were put in charge of Alexa, I really think I would lay everyone off and start with a tiny group of really good devs and move as fast as possible to get something approaching the voice version of ChatGPT with all the integrations working
Well, I guess we devs should also be looking at ourselves, then. A lot of the lax security comes from us collectively choosing to build applications using cloud services that talk to each other over the public internet. That pretty much describes the so-called "modern data stack."
They would be assessed according to rules written by people who are skilled at writing such rules. The rules would be evaluated by looking at data over time and revised as needed by experts in the industry who are as neutral as possible, maybe with some feedback from the public. The courts exist for any contention regarding responsibility.
Not entirely convinced the point was to convert the customers to the 8k price today. Seems like the data gained during the demo is the most valuable part long term. They can rinse and repeat: offering a demo, gaining data, releasing a new version. As it gets better, conversions will increase. All while moving toward their long-term goal of fully autonomous driving.
An addendum to "communicating" is documentation. That said, plenty of those who do document/communicate well can still suck at teaching/training at a higher level.
I'm dealing with this right now at another large company. Being asked to write a document for an integration we've done 20+ times because it's part of someone else's larger promo project's design.
0:https://www.hhs.gov/hipaa/for-professionals/privacy/guidance...