Friday, April 16, 2021

Dear Patient. Your Healthcare Data is No Longer Safe. Sincerely, HIPAA

Globally, patients need to take ownership of their own health information as the industry no longer protects them

Your medical data is no longer safe, in fact, it has been under threat for the last decade. Covid and the spread of remote technologies have now exacerbated the problem and highlighted data security in a way we may very have missed had it not been for the pandemic. Incremental change often goes unnoticed. Your personal information linked to your health records is at serious risk, as is your right to privacy.

For anyone in the health sector who doesn’t recognize this as a serious issue, ask yourself the following question. Do you realize that by collecting and disseminating your patient’s information, for the purposes of providing care and treatment, you may in fact be risking your patient’s potential future access to care and services? This current status quo, completely counterintuitive to the pursuit of good medicine, is, I assume, not what you signed up for.


If you arent American, don’t worry, this article affects you just as much, as the forces at play in healthcare in America pervade the industry globally. Your patient data is now freely available to commercial companies that have no business holding or dealing with medical records. This information or data is now used commercially to enable advertising and revenue streams, for selling you products and services or selectively punishing you with the refusal of services or increased premiums, all based on your medical profile, and increasingly, you covid vaccination status.

- Advertisement -

In this article, I will examine and provide evidence of how private American health care data is being exploited and commercialized, how companies like StarNetworkHealth and Vacmobile are placing your personal health information at risk. I will show you how HIPAA has not kept track of the flood of digital technology swamping healthcare and why it is in desperate need of modernization and strict regulation.

Our world in 1996 (HIPAA’s Birth Date) was a far cry from the one we now find ourselves in. Cellphones were heavy enough to inflict serious bodily harm and green screens still occupied office space. In much the same way social media requires a whole new raft of legislation designed specifically to regulate it, digital health requires its own set of regulatory guidelines, particularly with regard to protecting patients and their data.

To understand how the system currently functions and why this is happening we need to first examine the regulatory arm, ostensibly under the control of Health and Human Services (HHS). If this isn’t your cup of tea, you can skip over this section, but it is key to understanding the problem.

What is HIPAA?

In 1996 the importance of the security and privacy of patient data in the U.S. was recognized with the creation of a federal law. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. 

The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule. I

It’s important to understand exactly how this privacy rule functions, as it has an inbuilt flaw relating to the commercial use of your data by companies associated with healthcare, who don’t necessarily have anything to do with your health.

The HIPAA Privacy Rule

The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. 

A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

All sounds really good and the principles that drive HIPAA are great, in theory, but there’s a rub, as I will show you, and it has to do with the part of the statement above I’ve highlighted in bold. Let’s look at two groups within that “covered entities” category.

  • Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
  • Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.

There a massive amount of scope within this definition. What exactly are the permitted uses for your health data currently under the HIPAA Privacy Rule? A covered entity is permitted, but not required, to use and disclose protected health information (PHI), without an individual’s authorization, for the following purposes or situation. Note, I’ve omitted the medically related conditions below, refer to the HPAA link above for a full list.

  • Public interest and benefit activities — The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes
  1. When required by law
  2. Public health activities
  3. Victims of abuse or neglect or domestic violence
  4. Health oversight activities
  5. Judicial and administrative proceedings
  6. Law enforcement
  7. Functions (such as identification) concerning deceased persons
  8. Cadaveric organ, eye, or tissue donation
  9. Research, under certain conditions
  10. To prevent or lessen a serious threat to health or safety
  11. Essential government functions
  12. Workers compensation
  • Limited dataset for research, public health, or healthcare operations

What Restrictions Regulate a “Covered Entity”?

To comply with the HIPAA Security Rule, all covered entities must do the following:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information
  • Detect and safeguard against anticipated threats to the security of the information
  • Protect against anticipated impermissible uses or disclosures
  • Certify compliance by their workforce

Covered entities should rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures. The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.

There’s the rub, right there in that last paragraph. It is naive and ridiculous to expect commercial enterprises that are driven by profit to exhibit the professional ethics required of the health industry. They care about their bottom line and will sell your personal medical data down the commercial river at their first opportunity unless of course, they’ve inadvertently shared it already with the dark web.

Of course, if you inadvertently sign away your rights, then you’re completely at the mercy of these companies. Expecting private patients to understand and monitor their own data is an impossibility and the responsibility for the ethical management of patient data has to rest with the industry.

Covid Vaccines and Commercialization

To examine how your data is at risk I am going to use two companies, whose details were inadvertently provided to us by a PR firm, RLM Public Relations, via an unsolicited press release we most certainly aren’t going to promote. 

The companies in question are Vacmobile and VIP Star NETWORK. The former provides a mobile app for vaccination records and history and the latter uses vaccination data and related services to enable the movie industry and related companies to function in a vaccinated environment.

They are connected, feeding data to each other, and the first indicator of a warning flag was the following text contained in the marketing firm’s email.

Vacmobile Health Passes, which track COVID-19 test results and vaccinations, will allow individuals and organizations to safely resume face-to-face interactions. Vaccination records are required by law for school and college enrollment, some employment, international travel and other use cases.

The statement is a typical marketing one, stating one fact and then another. The two unrelated facts allow you to form an association. It’s a childish and overworked ploy and I despise its use in a healthcare setting. We see it used over and over by quacks and compnies creating false associations and fear to sell their versions of health.

Medika has made no secret of our views on vaccine-based passports. They are fundamentally flawed, open to data abuse, and discriminatory by their very nature. They also reduce the patient’s freedom of choice when it comes to getting vaccinated. We are not anti-vaccine at all, however, the covid vaccines can’t under any medical applied definition be classified as ‘tested’ vaccines that comply with normal industry standards.

These are Emergency Use Authorization (EUA) vaccines only, in many ways still experimental, and they are completing their last phase of testing in a live environment. If the vaccines fulfilled the FDA’s criteria for registration they would have received full authorization. This fact cannot be argued and to do so is disingenuous and misleading. We are in a jam with Covid and we’ve bent the rules to try and save lives. 

So let’s get back to our two companies and see how these companies, designed specifically to commercialize your PHI, are intending to and currently use your data. How are they regulated, what safety protocols have they engaged to protect your data, and will they use your personal information for purposes other than their stated objectives? Keep in mind there are hundreds of these companies entering the market now, each looking to exploit a different angle built around your data.

VIP Star NETWORK

Johonniuss Chemweno is the CEO of StarNetwork LLC and although we tried to locate information on him, aside from links to Inverse Medical Inc, which he owns and a consultancy called COREGENE ADVISORS, LLC, not much is publicly available on Mr. Chemweno or his organization. We, therefore, turned our attentions to Stars services and data practices

Their Customer facing Vaccine Platform redirects you to a WordPress login page, hardly cutting edge data security. WordPress is one of the most commonly exploited platforms and if your comfortable hosting your PHI on their servers, go right ahead, just count us out. Here are a few extracts from their HIPAA statement.

VIP StarNetwork, LLC cannot, however, guarantee that any such person or entity to which VIP StarNetwork, LLC discloses your PHI or other information will not re-disclose it in ways that you or we did not intend or permit.

You also agree that VIP StarNetwork, LLC can disclose your PHI to:

  • Third parties assisting VIP StarNetwork, LLC with any of the uses described above;
  • A third party as part of a potential merger, sale, or acquisition of VIP StarNetwork, LLC
  • Our business partners who assist us by performing core services (such as hosting, billing, fulfillment, or data storage and security) related to the operation or provision of our services, even when VIP StarNetwork, LLC is no longer working on behalf of Your Healthcare Providers;
  • Organizations that collect, aggregate, and organize your information so they can make it more easily accessible to your providers.

In other words, StarNetwork LLC is free to share your sensitive data with any person they choose and we can ensure you, they will profit from it.

How many companies are you actually engaging with when you deal with VIP Star Network? We found a few, aside from Mr. Chemweno’s associated businesses. These include https://gettested.me/ registered to LabLynx, VIP’s provider portal redirects to Kareo and according to the email we received Vacmobile is connected to their services. Their Covid laboratory of choice is SouthWest Labs. Their Telehealth platform is supported by Kareo. 

We assume the Access Health app is also a product of VIP. The following is taken from their site and doesn’t exactly foster confidence.

Screenshot by Medika Life

From what we can see, StarNetwork LLC engages services from various providers and white labels these under their own branding. When you deal with them or provide them your data, it isn’t simply their flawed HIPAA statement you’re dealing with, your data is being shared to a network of at least fifty more companies, half of which, at a minimum, have zero interest in your health and exist purely as commercial ventures. They are “Covered Entities” and they are turning a handsome profit from your information.

Vacmobile

Not in the same category as StarNetwork LLC, this startup is clearly looking to make inroads in the fields of data management for patients, particularly with regard to vaccination records, hence the name, and they may yet live to regret their association with Star.

Again, Covid vaccine passports are one of our least favorite applications and we feel these companies simply provide enabling tools for division and the enforcement of discriminatory practices against patients who choose not to be vaccinated or are unable to get vaccinated. Irrespective of their motivation, this is the end result of the tools they are building and this is neither healthy nor suited for society or healthcare.

But we aren’t here to discuss ethics, we’re here to look at your data’s safety and how it is used by this company. What steps have they taken to ensure your information is safe? Clearly, the first problem is their association with Star and while we understand the basis of the concept of Vacmobile is to address all vaccinations, they don’t distinguish between Covid and MMR. There is a world of difference, and they may well come to rue their desire to jump on the Covid passport bandwagon.

Their founder has roots in marketing rather than medicine. Jennifer Sparks, according to her profile, served as Director of Marketing for a Georgia-based healthcare IT company, Clearwave Corporation. In that capacity, she oversaw marketing, communications, and branding across all platforms including earned, paid, and social media, and aided in positioning the firm for a major infusion of growth equity capital.

Trust may be more easily accorded to Vacmobile. They list their staff and although social media accounts aren’t linked, it’s early days for the company. We love the concept of simplifying vaccine history, particularly for children, and would have supported the company wholeheartedly had they not made a foray into the dark world of the coronavirus.

They do not clearly list their data practices, disclose if their business has been audited for data security, or list the APIs they engage to communicate data between themselves and their customers, a common point of exploitation in the health networks. There is no HIPAA statement, privacy policy, or terms of use visible on the site. Based on this and the above-mentioned association, we would suggest this company poses a qualified risk to your data.

What can you as a patient do to protect yourself?

Very little is the honest answer. Most people are not in a position to knowledgeably question compliance statements and long-winded customer agreements, requesting you to sign your life away. License agreements like those encountered with Apple, Google, Microsoft, and Samsung have numbed us to the lengthy, long-winded fine print we now encounter everywhere. No one reads these T&C’s and we simply assume it will all be alright in the end.

This particular abuse of these documents to obfuscate health data farming is particularly unpleasant and the consumer doesn’t stand a chance of protecting themselves. This is why the healthcare industry should and must step up. That list of “Covered Entities” needs to be specified and clearly described. 

Practices that are deemed unethical need to be highlighted and heavy financial penalties must be exacted from businesses found to be in contravention. ALL Software applications and products need to be submitted for approval, ensuring that embedded A.I. isn’t quietly siphoning off commercially viable snippets of information. 

Audits must be performed and certification awarded to enable providers and patients to make safe decisions when selecting platforms for care. Again, these are industry-specific hurdles and the patient cannot affect this process. 

Patients can however make their opinions felt and heard. If it doesn’t look trustworthy, it probably isn’t. Steer clear and learn to ask questions. If you have the time, read the fine print. It‘s important. It is, at the end of the day, about your health. Remember businesses and application websites should provide public-facing copies of their data management policies and how they act to ensure your right to privacy.

Transparency is an indicator of a company that has your best interests at heart and their open policies tend to be patient-focused. This principle applies to both providers and patients alike who are seeking to expand their digital health footprint.

Digital Health is the brave new frontier of healthcare. It holds huge promise for improving the lives of patients and their access to care. It is critical that the industry ensures the adoption of this new flood of technology is correctly managed and a large part of this process relates to the ethical and responsible management of patient data.

- Advertisement -

Scroll down to comment or leave your thoughts on this article

PATIENT ADVISORY

Medika Life has provided this material for your information. It is not intended to substitute for the medical expertise and advice of your health care provider(s). We encourage you to discuss any decisions about treatment or care with your health care provider. The mention of any product, service, or therapy is not an endorsement by Medika Life

This article lives here: Healthcare Policy and OpinionDear Patient. Your Healthcare Data is No Longer Safe. Sincerely, HIPAA
Dr Robert Turnerhttps://cre8tive.media
Robert is a Founder of Medika Life. He is a published author and owner of Cre8tive Digital Media. He lives between the Philippines and the UK. and is an outspoken advocate for human rights. Access to basic healthcare and eradicating racial and gender bias in medicine are key motivators behind the Medika website and reflect Robert's passion for accessible medical care globally.

More from this Author

Leave a response to this article

RELATED ARTICLES

Paid Advertisement

LATEST ARTICLES

Paid Advertisement
%d bloggers like this: