this post was submitted on 10 Jul 2024
1730 points (98.8% liked)

Memes

44944 readers
2306 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS
gary_host_laptop@lemmy.ml
sexy_peach@feddit.de
cyclohexane@lemmy.ml
cypherpunks@lemmy.ml
1730
please (lemmy.world)
submitted 1 month ago by user@lemmy.world to c/memes@lemmy.ml
206 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] Katana314@lemmy.world 33 points 1 month ago (15 children)

The moment a lawyer saves their medical records in a way that unintentionally and without their consent uploads them to OneDrive, they have a pretty solid case to charge Microsoft for a HIPAA violation.

[–] ShortFuse@lemmy.world 18 points 1 month ago* (last edited 1 month ago) (7 children)

HIPAA doesn't even require encryption. It's considered "addressable". They just require access be "closed". You can be HIPAA compliant with just Windows login, event viewer, and notepad.

(Also HIPAA applies to healthcare providers. Adobe doesn't need to follow HIPAA data protection, though they probably do because it's so lax, just because you uploaded a PDF of a medical bill to their cloud.)

[–] Katana314@lemmy.world 8 points 1 month ago (6 children)

HIPAA applies to whichever entity consciously chooses to move/store data.

Generally, after a patient downloads a healthcare-related item, they are that entity - and as the patient, they have full control/decisions about where it goes, so they can't violate their own HIPAA agreement even if they print it and scatter it to the wind.

BUT, if your operating system "decides" to upload that document without the user's involvement, then Microsoft is that entity - and having not received conscious permission from the patient, would be in violation. It's an entirely different circumstance if the user is always going through clear prompts, but their more recent OneDrive Backup goal has been extremely forceful and easy to accidentally turn on - even to the point of being hard to disable. As you said, encryption has nothing to do with it.

[–] ShortFuse@lemmy.world 3 points 1 month ago* (last edited 1 month ago)

No. Microsoft is not liable, at least when it applies to HIPAA.

The HIPAA Rules apply to covered entities and business associates.

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.

If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. See definitions of “business associate” and “covered entity” at 45 CFR 160.103.

https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html

load more comments (5 replies)
load more comments (5 replies)
load more comments (12 replies)