Theoretical legal question about possible HIPAA violation

[Roderick_Femm]

Let’s suppose, for the sake of this discussion, that I had contacted an internet site about ED medicine. They took relevant medical history, they have a doctor on staff who can write prescriptions, and they both wrote and filled a prescription. Part of the information they gathered about me was my email address.

Now let’s say that, a few days later, I started getting spammed from several other companies offering to sell me ED remedies, and that I have never received these kinds of emails before.

Under these (imaginary) circumstances, is there any way that a case could be made that the internet site which prescribed and sold me the ED remedy then sold that information about me to third parties, and that this was a violation of HIPAA?

eta: as part of the suppositions for this thread, suppose that there was no communication about nor offer to opt in or out of them selling my information to other companies.

[Procrustus]

There might be a HIPPA violation.

But you can’t do much about it.

Can a patient sue for a HIPAA violation? There is no private cause of action in HIPAA, so it is not possible for a patient to sue for a HIPAA violation. Even if HIPAA Rules have clearly been violated by a healthcare provider, and harm has been suffered as a direct result, it is not possible for patients to seek damages, at least not for the violation of HIPAA Rules.

[Roderick_Femm]

Could they be reported, and suffer some sort of penalty? My personal damage in this theoretical case would be so slight as to be almost negligible.

[Procrustus]

Roderick_Femm:

Could they be reported, and suffer some sort of penalty? My personal damage in this theoretical case would be so slight as to be almost negligible.

From the same article I cited above:

If HIPAA Rules are believed to have been violated, patients can file complaints with the federal government and in most cases complaints are investigated. Action may be taken against the covered entity if the compliant is substantiated and it is established that HIPAA Rules have been violated. The complaint should be filed

with the Department of Health and Human Services’ Office for Civil Rights (OCR).

[Telemark]

Roderick_Femm:

Could they be reported, and suffer some sort of penalty? My personal damage in this theoretical case would be so slight as to be almost negligible.

One problem here is that you have no idea how the information got to the advertisers. Your ISP may have logged you connecting to a particular URL and sold that information.

[Tom_Tildrum]

Did you do any searching that led you to that site?

[jaycat]

They could incur hefty fines. Talkin’ big bucks here.

[Procrustus]

Tom_Tildrum:

Did you do any searching that led you to that site?

Good point. Just by opening this thread we can all expect an uptick on similar spam.

[Roderick_Femm]

Tom_Tildrum:

Did you do any searching that led you to that site?

Let’s say theoretically no. Let’s say it was based on an advertisement viewed offline.

[Roderick_Femm]

Procrustus:

Good point. Just by opening this thread we can all expect an uptick on similar spam.

How would that work? Are you saying that our real email addresses are just there for the taking by any spammer who wanders by?

[DavidwithanR]

Roderick_Femm:

How would that work? Are you saying that our real email addresses are just there for the taking by any spammer who wanders by?

An email is a postcard - it has the sender’s and receiver’s addresses visible, and anyone who encounters it (even by chance) can read the whole thing.

[HoneyBadgerDC]

I have wondered the same thing. I went to Kaiser to have my ears checked and they recommended a hearing aid. For the next 6 months I was bombarded with hearing aid adds. These started coming within 3 days of my visit.

[Roderick_Femm]

DavidwithanR:

An email is a postcard - it has the sender’s and receiver’s addresses visible, and anyone who encounters it (even by chance) can read the whole thing.

I don’t follow what that has to do with clicking on this thread. Or did you not read Procustus’ post to which I was responding?

[DavidwithanR]

Roderick_Femm:

I don’t follow what that has to do with clicking on this thread. Or did you not read Procustus’ post to which I was responding?

I was replying to your semi-rhetorical question, saying “In fact, yes, your real email address IS just sitting there available for the taking, unless you have gone to great lengths and endured massive inconvenience to remedy that.”

It isn’t hard to “connect the dots” of your network access times, addresses, etc. The information on you is available for sale to anyone.

[elfkin477]

I think it’d be very difficult to prove that it wasn’t a coincidence. I’ve never had an erection nor will I ever, but over the years I’ve gotten hundreds of spam messages for all sorts of make your penis bigger, thicker, harder, longer etc. Clearly they’re not targeted messages much of the time.

[wolfman]

It is completely unrealistic, and impossible to believe that you have never recieved those kinds of emails before.

[Roderick_Femm]

wolfman:

It is completely unrealistic, and impossible to believe that you have never recieved those kinds of emails before.

Perhaps my email providers have been effective in keeping out the widely broadcast spam, such as elfkin477 perhaps received, while targeted ones might get through. I don’t know. All I can say is that I personally have not had any in a very long time, and if I were in the hypothetical situation that I described, I would consider the coincidence too telling to dismiss.

[steatopygia]

Most people aren’t bound by HIPAA rules. Police, cab drivers, and presumably ISPs all have no obligation of confidentiality.

[Roderick_Femm]

steatopygia:

Most people aren’t bound by HIPAA rules. Police, cab drivers, and presumably ISPs all have no obligation of confidentiality.

They are not an ISP. They are a website. Theoretically, they give out medical advice, and prescriptions for several medical conditions (not just ED). If they are not practicing medicine without a license, then wouldn’t they be subject to medical confidentiality laws?

I seem to remember, on the other hand, that my most recent new IRL doctor did have me sign some kind of paper about HIPAA, I think it was just that I understood about medical confidentiality. If this theoretical website didn’t do that, perhaps that gets them off the hook.

[steatopygia]

As I’m sure you know, there are many routes to prescription drugs over the internet, some legal, some not.
In the US laws vary among states and are still in a state of flux. According to one site “Plushcare” which seems to be a US site promoting the use of online doctors,

** "Prescription policies also differ from doctor to doctor, platform to platform. Most online doctors will not prescribe medications that require an in-person exam. That includes Viagra and other lifestyle medications. Some prescriptions that our PlushCare doctors will not write include:

Medicinal marijuana
Antipsychotic medications such as Seroquel, Zyprexa, Risperdol
Stimulants, including Adderall and Ritalin
Narcotics, like morphine, oxycodone, and Vicodin
Sedatives and sleep aids, including Xanax, Ambien, Ativan, and Lunestra**".

So lets call this set of policies “legal”. You’ll notice that they state drugs like Viagra call for an in person exam and they won’t prescribe them. So prescribing ED drugs without an exam could be state specific or IMHO *less *legal. Or more likely, not a US operation. Once you start down the not quite above board pathway I would think you would also be less likely to have HIPAA protection.

All speculation, I have no direct experience with online prescribing or pharmacies.