Posted by ert on August 29, 2019, at 15:38:53
In reply to Re: Dr. Bob alias Robert C. Hsiung I have an idea, posted by rjlockhart37 on August 29, 2019, at 13:11:50
You do not seem to know your rights entirely, rjlockhart37. I myself did not know as much as I do now, until I glanced over some of the regulatory frameworks at the weekends.
That is what I have found out:
Is Dr. Robert C. Hsiung a covered entity? Yes. Then the HIPAA does apply.
Does Hsiung handle ephi that contains medical data and data? Yes.
Does Hsiung release it to third parties? Yes.
What conditions do apply when a covered entity releases ephi to third parties (public domain)? It would have needed someone's consent, a signature and clear conditions for revocation with a date (authorization form). As far as I understand, it is not necessary to be Hsiung's patient. When you send him medical data you are actually being treated by Dr. Hsiung and the HIPAA applies.
Clear conditions for revocation means, as far as I understand, that he must delete someone's posts. This is because all posts are connected together to a profile and the psychiatric ephi is consequently one entity. I am not completely sure, however. Psychiatric ephi is obviously not the same as an x-ray of a bone or a gynecologic image.
There are exceptions. For research purposes the identifiers can be removed without explicit consent or a form and then the data used offline. But that does not apply when ephi is released to third parties.
Furthermore, in the FAQs it is stated that Hsiung collects demographic material so that he can characterize the community. But everyone else can characterize the community too. Demographic content such as professions, locations and so forth is identifying according to the HIPAA. And there is plenty of that in the archives. (Connected) posts themselves can be identifying too. The HIPAA states that everything which can be used to characterize someone is identifying.
Robert C. Hsiung actually never had the participants' consent with their signature and a date for revocation, therefore it can be argued that the content of the database got illegally built up over the twenty years it has been running.
So what does Hsiung do wrong?
- It would have needed a signature or electronic signature. But what is more important is that
it would have needed clear conditions for a revocation with a date. In that particular case, the participants should be able to edit and delete their posts, at best themselves. But what does Dr. Robert C. Hsiung do? - He warns in his consent that you risk losing your job or landing in jail when you post here. And the conditions for revocation are not mentioned in the consent but rather in the privacy section of the FAQs, where it is stated that the leader's policy is not to delete entire posts.
If there was no HIPAA, the internet would be flooded immediately with medical data and doctors could make a lot of money. I think most countries have regulatory safeguards.
For the EU and its GDPR he must delete everything, for other judiciaries he must even destroy the hard drive.
With Hsiung's policy, participants' rights are undermined, not respected, and the participants are potentially exposed to unnecessary risks. When Hsiung makes money for personal gain (the running costs subtracted) he is exploiting the participants.
As you said, rjlockhart37, it must be taken into account that the website started over 20 years ago.
For me it looks like it has been to some extent an ego project with which Hsiung could make a career in the academic establishment and garner research grants (or finally make money with buttons). But of course I think too that it was not only that.
As I said, it is sure that this violates laws and it is sure too that I am sometimes wrong.
poster:ert
thread:1105881
URL: http://www.dr-bob.org/babble/admin/20151112/msgs/1105961.html