Anonymous wrote:Demographic information without any accompanying health information is not protected under HIPAA. Whether she violated her employment or non-compete contract is another question that no one here can answer without a copy of that contract. But I’m guessing since she’s married to Eric Holder, she knows exactly what she can do under the terms of her contract.

https://www.hipaajournal.com/is-it-a-hipaa-violation-to-email-patient-names/

Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule.

*******

Patients names and other PHI should only be sent to individuals authorized to receive that information, so care must be taken to ensure the email is addressed correctly. Sending an email containing PHI to an incorrect recipient would be an unauthorized disclosure and a violation of HIPAA.

https://www.hipaajournal.com/considered-phi-hipaa/

Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual HIPAA identifiers. Demographic information is also considered PHI under HIPAA Rules, as are many common identifiers such as patient names, Social Security numbers, Driver’s license numbers, insurance details, and birth dates, that when they are linked with health information become HIPAA identifiers.
The 18 HIPAA identifiers that make health information PHI are:
Names
Dates, except year
Telephone numbers
Geographic data
FAX numbers
Social Security numbers
Email addresses
Medical record numbers
Account numbers
Health plan beneficiary numbers
Certificate/license numbers
Vehicle identifiers and serial numbers including license plates
Web URLs
Device identifiers and serial numbers
Internet protocol addresses
Full face photos and comparable images
Biometric identifiers (i.e. retinal scan, fingerprints)
Any unique identifying number or code
One or more of these HIPAA identifiers turns health information into PHI, and PHI HIPAA Privacy Rule restrictions will then apply which limit uses and disclosures of the information. HIPAA covered entities and their business associates will also need to ensure appropriate technical, physical, and administrative safeguards are implemented to ensure the confidentiality, integrity, and availability of PHI as stipulated in the HIPAA Security Rule.

Anonymous wrote:

Anonymous wrote:I never went to her but I know lots of people who did and they loved her. I think we should give her the benefit of the doubt. Maybe she thought it was just her patient list? Also, she’s old. Tech is probably not her thing.

I’m not too worried about it.

I should have added, I’m a foxhall patient and got the letter

I feel this way too. Also a Foxhall patient why got the letter. The list did not contain private health info, only names and insurance company list.

Anonymous wrote:This is inexcusable. Based on her husband’s profession, you would think she would have known better, which makes it seem like she did this knowing it was wrong, like a better to ask forgiveness than permission situation. She and Alloy need to be held legally and financially accountable. The practice also should be held accountable by HIPAA as they did not have the proper protocols in place to prevent her from downloading this information. This breach has violated my trust in a practice that provides very personal healthcare for women and that should provide an atmosphere where patients feel safe.

Agree ignorance is no excuse & the practice should have better safeguards. I work at a law firm that has other lawyers that handle medical records as part of their practice, and *I* had to have HIPAA training and learn about the computer & information safeguards that are necessary to avoid unauthorized access to information. For that matter, the forms they have patients sign explains the law.

I am a current Foxhall patient but have not revived “The Letter”. While annoying, why is this a big deal? I receive 628383 marketing emails everyday from organizations to which I did not provide by contact information. Companies sell that information all of the time. What am I missing here?

I'm really surprised given her education and experience which I would assume would mean she has some good critical thinking skills, and who her DH is, that she would do this. That said, I never received a letter from Foxhall so no idea what it says. I did however get a random email from her about now being with Alloy.

She took each person’s name email and health insurance provider. The letter referenced HPPA in the opening paragraph.

Demographic information without any accompanying health information is not protected under HIPAA. Whether she violated her employment or non-compete contract is another question that no one here can answer without a copy of that contract. But I’m guessing since she’s married to Eric Holder, she knows exactly what she can do under the terms of her contract.

There's zero chance this was an oversight. Anyone practicing medicine knows you can never do what she did.
Her patients will have to decide if they're cool with her toting their personal info around with her home computer.

I wish there was a way to forward this entire thread to the Twitter account @BadLegalTakes.

Anonymous wrote:

Anonymous wrote:

Anonymous wrote:This seems like a pretty clear theft of trade secrets. (Customer lists are trade secrets.) will be interesting to see what Foxhall does.

There is no way for a private person to sue for a HIPAA violation.

While not a suit, there is a complaint procedure:
Filing a Complaint
If you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR). OCR can investigate complaints against covered entities (health plans, health care clearinghouses, or health care providers that conduct certain transactions electronically) and their business associates.

https://www.hhs.gov/hipaa/filing-a-complaint/index.html

THIS. HIPAA has no choice but to investigate.

HIPAA is not an entity, and therefore cannot investigate anything. But I appreciate that you spelled it correctly.

Anonymous wrote:

Anonymous wrote:Dr. Malone was in the practice when my oldest was born, 28 years ago. I left Foxhall long ago, so didn't get the email, but I can understand why patients who received it would feel uncomfortable. FWIW, my husband, who retired as a BigLaw partner recently, sent out an an email announcement to clients, but that was in cooperation with his partners and recommending that clients continue to work with another partner in the firm. Based on what I'm hearing now, the situation with Dr. Malone is quite different. I do have a lot of respect for Eric Holder, though, and would be interested in hearing their side of the story.

Sure, but legal client records aren't protected by HIPAA.

That's correct, but a question here -- among many questions -- is whether emails and insurance constitute client "records" under HIPAA.

I've been a patient of Foxhall for 14 years and haven't received any letters or emails. I only saw this doctor once when pregnant, and once during rounds when I was recovering in the hospital, which was about ten years ago. I am just hitting menopause so I would think I'd be within her target audience...but no letter for me.

Anonymous wrote:Just looked at her Twitter.

There is nothing whatsoever “bizarre” about her tweets.

This is a calculated attack.

I received the letter as a current patient of Foxhall and a former of patient of hers. What do you mean by “calculated attack”?
The letter was pretty straightforward, didn’t overstate or understate the situation. I have mixed feelings about it (like incredulous how the entire practice and individual doctors found themselves in this position right now!) but I’m not sure what you’re talking about with “calculated attack”?

Just looked at her Twitter.

There is nothing whatsoever “bizarre” about her tweets.

This is a calculated attack.

Anonymous wrote:

Anonymous wrote:

Anonymous wrote:

Anonymous wrote:Yesterday she tweeted: “haters gonna hate.” Classy.

Doesn't sound like the remarks of a highly educated person.

Sounds like remarks of someone disrespectful of her former patients and HIPAA laws

I was a patient of hers and continue to be a patient at Foxhall, now with Dr. Pardo.
Dr. Malone is a highly educated person- there’s no questioning that. Her tweets are ridiculous. I couldn’t have imagined her being so unprofessional- yet, here we are. She seems like she’s in a bad head space right now. It doesn’t excuse what she did with our information but may explain these bizarre tweets.

I hate Twitter, but I did just go there to read her tweets. What is happening with her?