Modred189 (Can't Read the OP) - Joined May 24, 2006 - Messages: 16,320
> Well, any identifiable information plus healthcare-related status = PHI under HIPAA. Panera is not a healthcare company (a "Covered Entity"), so HIPAA does not apply in this case. So, to trigger any state breach laws, you need to check certain boxes. In almost all states, the kind of information here, because it is either public or cannot be used by a hacker to do anything, doesn't check those boxes.

I'm pretty sure (not a lawyer, so I reserve the right to be wrong) that just acknowledging "status" like patient (or account holder for Panera) along with PII is enough to qualify as PHI. It just has to meet the requirements of relating to the provision of, or payment for, past, present, and future services... being a patient is related to the provision of healthcare services.
> There's a good argument to be made here. The problem is how far do we go? I don't think we should go as far as the EU, where the privacy of personal information is a "fundamental right," as that makes many modern internet services nearly impossible. But I think breach laws as they stand do a pretty good job of delineating how much and what kind of data will result in a legal "breach."

That's the problem: we (as a society) haven't recognized the value of this data yet. I do think this is starting to change, but we've got a ways to go.
> OK, so that's not a breach where there was a hacker that took information. This guy worked for a covered entity and intentionally took PHI for personal gain. That's a WHOLE different scenario, and one I can agree is deserved. Just as if a hacker in a HIPAA breach is found, he should go to jail too. But in neither case should the company be held responsible... or unrelated C-suite individuals.

Fines can be civil penalties too; criminal penalties like jail time are only warranted in cases of criminal negligence, and the burden of proof is understandably much higher. As far as WHO, it depends. There's plenty of precedent regarding criminal negligence; this isn't exactly breaking new ground. Small companies? Tough shit. Do we give small companies a pass on environmental regulations?
I'll just leave this here:
https://www.justice.gov/usao-edtx/pr/former-hospital-employee-sentenced-hipaa-violations