Apnea Board Forum - CPAP | Sleep Apnea
Dreamstation 2 encryption and HIPAA - Printable Version

+- Apnea Board Forum - CPAP | Sleep Apnea (https://www.apneaboard.com/forums)
+-- Forum: Public Area (https://www.apneaboard.com/forums/Forum-Public-Area)
+--- Forum: Main Apnea Board Forum (https://www.apneaboard.com/forums/Forum-Main-Apnea-Board-Forum)
+--- Thread: Dreamstation 2 encryption and HIPAA (/Thread-Dreamstation-2-encryption-and-HIPAA)

Pages: 1 2

Dreamstation 2 encryption and HIPAA - JayCo - 07-16-2021

Howdy all - 

Doing a bit of thinking today about how we're unable to access our own medical/therapy information from the machines we own, and I believe this might actually be a HIPAA violation.

Per HIPAA, we (as patients) have the rights to view our own tests/therapy information, and Doctors and Pharmacists and medical device manufactures who transmit our information electronically are covered by HIPAA I believe.

Therefore, if we request the information, they are legally bound to provide it, in the format we request (on paper, or electronic).  

Are there any attorney's out there that might be able to weigh in?  

As a test, I've sent an email to Philips Respironics officially requesting my therapy info.  Maybe we can force an 'unencrypted' save mode, or something, to re-enable us to use Oscar?

Thanks!
j

RE: Dreamstation 2 encryption and HIPAA - factor - 07-16-2021

Take it back and tell them you want a real machine.. tell them to give you a Resmed.

RE: Dreamstation 2 encryption and HIPAA - Dog Slobber - 07-16-2021

When making a claim such as this, you really need to cite the paragraph within HIPAA that supports your claim.

RE: Dreamstation 2 encryption and HIPAA - JayCo - 07-16-2021

That's an option for me, but not an option for a lot of people. I'd rather get a way anyone who has the machines can still get at the data. If we can make it painful for them to keep it encrypted from us, then that might work.

RE: Dreamstation 2 encryption and HIPAA - JayCo - 07-16-2021

Can an individual, through the HIPAA right of access, have his or her health care provider or health plan send the individual’s PHI to a third party?

This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.
Yes. If requested by an individual, a covered entity must transmit an individual’s PHI directly to another person or entity designated by the individual. The individual’s request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI. See 45 CFR 164.524©(3)(ii). A covered entity may accept an electronic copy of a signed request (e.g., PDF or scanned image), an electronically executed request (e.g., via a secure web portal) that includes an electronic signature, or a faxed or mailed copy of a signed request.


(URL:  2036-Can an individual, through the HIPAA right of access, have his or her health care provider or health plan send the individual’s PHI to a third party? | HHS.gov )

Are medical device makers covered by HIPAA?

Yes.  Medical Devices and HIPAA Compliance: What to Know | Health IT Answers  

What I'm not sure about is if they are only covered for the 'You must protect the info' or if they are fully covered, meaning since their system stores and displays our data, therefore they must allow us access.
I'm led to think here that if we all kept requesting, then this could be a pretty huge burden on them with a whole bunch of fines possible..

RE: Dreamstation 2 encryption and HIPAA - Dog Slobber - 07-16-2021

Philips is a device manufacturer. HIPAA applies to Covered Entities, which are:


Health Care Providers:
  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies
Health Plans:
  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs
Health Care Clearing Houses

https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html

RE: Dreamstation 2 encryption and HIPAA - factor - 07-16-2021

HIPAA also applies to business associates of HIPAA-covered entities and their subcontractors.

What is a Business Associate?
A business associate can be an individual or company that provides services to a HIPAA-covered entity which requires them to have access to, store, use, or transmit protected health information. The list of business associates is long, and the range of companies included under the definition of business associate is diverse.

Business associates of HIPAA covered entities include third-party administrators, billing companies, transcriptionists, cloud service providers, data storage firms – electronic and physical records, EHR providers, consultants, attorneys, CPA firms, pharmacy benefits managers, claims processors, collections agencies, and medical device manufacturers.

RE: Dreamstation 2 encryption and HIPAA - JayCo - 07-16-2021

The HIPAA covered entity also includes 'clearinghouses, which process information from a non-standard form to a standard form' which I think (again, I'm not an attorney!) could be related to the raw data to what our providers use...

RE: Dreamstation 2 encryption and HIPAA - Dog Slobber - 07-16-2021

(07-16-2021, 03:31 PM)factor Wrote: HIPAA also applies to business associates of HIPAA-covered entities and their subcontractors.

What is a Business Associate?
A business associate can be an individual or company that provides services to a HIPAA-covered entity which requires them to have access to, store, use, or transmit protected health information. The list of business associates is long, and the range of companies included under the definition of business associate is diverse.

Business associates of HIPAA covered entities include third-party administrators, billing companies, transcriptionists, cloud service providers, data storage firms – electronic and physical records, EHR providers, consultants, attorneys, CPA firms, pharmacy benefits managers, claims processors, collections agencies, and medical device manufacturers.

The role of the business associate is to allow covered-entities to provide services. So yes, HIPAA can apply to them but in a much different capacity than how HIPAA is applied to covered-entities. In the context of this topic, to find philips in violation of HIPAA because they are encrypting the data is absurd. 

Access to our PHI, as defined by HIPAA is a function of covered-entities not business associates of covered entities.

RE: Dreamstation 2 encryption and HIPAA - JayCo - 07-16-2021

Thanks Brent - so this still leads me to think we might be on to something.  HIPAA requires them to both protect the data and provide the data when asked to do so.
My goal isn't to try to flag them as non-compliant due to their encryption practice, but perhaps I can flag them on the requirement to provide me or my designate the information in a consumable format.  I, for one, am happy they are encrypting the data, but still want to be able to (and legally should be allowed to) see my own data.

J