Dreamstation 2 encryption and HIPAA
#1
Dreamstation 2 encryption and HIPAA
Howdy all - 

Doing a bit of thinking today about how we're unable to access our own medical/therapy information from the machines we own, and I believe this might actually be a HIPAA violation.

Per HIPAA, we (as patients) have the rights to view our own tests/therapy information, and Doctors and Pharmacists and medical device manufacturers who transmit our information electronically are covered by HIPAA, I believe.

Therefore, if we request the information, they are legally bound to provide it, in the format we request (on paper, or electronic).  

Are there any attorneys out there that might be able to weigh in?

As a test, I've sent an email to Philips Respironics officially requesting my therapy info.  Maybe we can force an 'unencrypted' save mode, or something, to re-enable us to use Oscar?

Thanks!
j
#2
RE: Dreamstation 2 encryption and HIPAA
Take it back and tell them you want a real machine.. tell them to give you a Resmed.
Thank you,
Brent aka Factor

Just a Regular guy.
My untreated AHI was 87.  You can do it hang in there.
"You can if you will"   Jerry Kramer

#3
RE: Dreamstation 2 encryption and HIPAA
When making a claim such as this, you really need to cite the paragraph within HIPAA that supports your claim.
#4
RE: Dreamstation 2 encryption and HIPAA
That's an option for me, but not an option for a lot of people. I'd rather get a way anyone who has the machines can still get at the data. If we can make it painful for them to keep it encrypted from us, then that might work.
#5
RE: Dreamstation 2 encryption and HIPAA
Can an individual, through the HIPAA right of access, have his or her health care provider or health plan send the individual’s PHI to a third party?

This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.
Yes. If requested by an individual, a covered entity must transmit an individual’s PHI directly to another person or entity designated by the individual. The individual’s request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI. See 45 CFR 164.524(c)(3)(ii). A covered entity may accept an electronic copy of a signed request (e.g., PDF or scanned image), an electronically executed request (e.g., via a secure web portal) that includes an electronic signature, or a faxed or mailed copy of a signed request.


(URL:  2036-Can an individual, through the HIPAA right of access, have his or her health care provider or health plan send the individual’s PHI to a third party? | HHS.gov )

Are medical device makers covered by HIPAA?

Yes.  Medical Devices and HIPAA Compliance: What to Know | Health IT Answers  

What I'm not sure about is if they are only covered for the 'You must protect the info' or if they are fully covered, meaning since their system stores and displays our data, therefore they must allow us access.

I'm led to think here that if we all kept requesting, then this could be a pretty huge burden on them with a whole bunch of fines possible..
#6
RE: Dreamstation 2 encryption and HIPAA
Philips is a device manufacturer. HIPAA applies to Covered Entities, which are:


Health Care Providers:
  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies
Health Plans:
  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs
Health Care Clearing Houses

https://www.hhs.gov/hipaa/for-profession...index.html
#7
RE: Dreamstation 2 encryption and HIPAA
HIPAA also applies to business associates of HIPAA-covered entities and their subcontractors.

What is a Business Associate?
A business associate can be an individual or company that provides services to a HIPAA-covered entity which requires them to have access to, store, use, or transmit protected health information. The list of business associates is long, and the range of companies included under the definition of business associate is diverse.

Business associates of HIPAA covered entities include third-party administrators, billing companies, transcriptionists, cloud service providers, data storage firms – electronic and physical records, EHR providers, consultants, attorneys, CPA firms, pharmacy benefits managers, claims processors, collections agencies, and medical device manufacturers.
Thank you,
Brent aka Factor

#8
RE: Dreamstation 2 encryption and HIPAA
The HIPAA covered entity also includes 'clearinghouses, which process information from a non-standard form to a standard form' which I think (again, I'm not an attorney!) could be related to the raw data to what our providers use...
#9
RE: Dreamstation 2 encryption and HIPAA
(07-16-2021, 03:31 PM)factor Wrote: HIPAA also applies to business associates of HIPAA-covered entities and their subcontractors.

What is a Business Associate?
A business associate can be an individual or company that provides services to a HIPAA-covered entity which requires them to have access to, store, use, or transmit protected health information. The list of business associates is long, and the range of companies included under the definition of business associate is diverse.

Business associates of HIPAA covered entities include third-party administrators, billing companies, transcriptionists, cloud service providers, data storage firms – electronic and physical records, EHR providers, consultants, attorneys, CPA firms, pharmacy benefits managers, claims processors, collections agencies, and medical device manufacturers.

The role of the business associate is to allow covered entities to provide services. So yes, HIPAA can apply to them but in a much different capacity than how HIPAA is applied to covered entities. In the context of this topic, to find Philips in violation of HIPAA because they are encrypting the data is absurd.

Access to our PHI, as defined by HIPAA, is a function of covered entities, not business associates of covered entities.
#10
RE: Dreamstation 2 encryption and HIPAA
Thanks Brent - so this still leads me to think we might be on to something.  HIPAA requires them to both protect the data and provide the data when asked to do so.

My goal isn't to try to flag them as non-compliant due to their encryption practice, but perhaps I can flag them on the requirement to provide me or my designate the information in a consumable format.  I, for one, am happy they are encrypting the data, but still want to be able to (and legally should be allowed to) see my own data.

J