Posted by ert on January 18, 2019, at 14:18:41
In reply to Re: Designation of a data protection rjlockhart37, posted by ert on January 18, 2019, at 14:04:40
> > > > Is hsiung a covered entity: yes
> > > > Does he transmit that data electronically: yes
> > > > Does he possess PHI and Individually identifiable health information data: yes
> > > > Does he disclose it: yes, to the public
> > > > Does he allow to revoke a given permission for a disclosure: no
> > > >
> > >
> > > from hhs.gov
> > >
> > > Criminal Penalties. A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to 10 years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice is responsible for criminal prosecutions under the Priv
> > >
> > > he also sells it...
> > >
> > >
> >
> > By definition it is not necessary to be a patient of Hsiung. But there's a catch. If he were not a covered entity, HIPAA would not apply. That's how I understand it. But many other laws are violated too.
>
> 45 CFR 164.514
>
> The de-identification is not sufficient. E.g. names, geographic subdivisions, but notably <any other unique identifying characteristic too>. Furthermore, the posts can be puzzled together.
>
>45 CFR 164.514
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone OR IN COMBINATION WITH OTHER REASONABLY AVAILABLE INFORMATION, by an anticipated recipient to identify an individual who is a subject of the information; and
poster:ert
thread:1102664
URL: http://www.dr-bob.org/babble/admin/20151112/msgs/1102854.html