68 Matching Annotations
  1. Mar 2024
  2. Oct 2023
    1. Protected health information means individually identifiable health information: (1) Except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.

      The definition of PHI, without regulatory exclusions. The exclusions are listed in the following section.

    2. Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual

      This is the definition of "Individually Identifiable Health Information". It is not clear from this section if this is equivalent to the "PII" concept. But it does indicate that it includes at least a subset of information that also counts as "PHI".

    3. ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity

      A PHR is a covered entity if it offers its PHR "On Behalf Of" a covered entity.

  3. Sep 2023
    1. February 25 telebriefing
    2. On February 9, 2020, using publicly available data, a senior health official from the U.S. Department of Veterans Affairs warned key senior officials that COVID-19 was more transmissible and deadlier than H1N1 and the U.S. was only a “couple of weeks” behind the spread in China

      A search fails to reveal these communications.

    3. In its February 24, 2020 supplemental funding request, the Office of Management and Budget wrote, “[t]o this point, no agency has been inhibited in response efforts due to resources or authorities.

      Here is some reporting on this supplemental funding request. But I am unable to find the funding request itself.

      https://www.politico.com/news/2020/02/24/trump-coronavirus-budget-request-117275

    4. The Strategic National Stockpile distributed the last of its PPE held for states on April 19, 2020—the same day it made the decision to begin allocating PPE based on need, not population.

      I cannot find this information in other places easily.

    5. in May 2020 when the federal government decided to extend a one-year federal PPE contract to that same PPE manufacturer, the company declined the contract offer

      Have not been able to find record of this decline.

    6. When one domestic PPE manufacturer sent multiple warnings and requests to ramp up U.S. production throughout the months of January, February, and March 2020, the federal government declined to engage

      Have not been able to find this. Which PPE manufacturer? Are these warnings published?

    7. conflicting internal accounts of not only what went wrong, but also the reasons for those failures

      This begs the question: why did the CDC's efforts fail initially?

    8. Ultimately, the Trump Administration waited until March 16, 2020—fifty-five days from the date of the first confirmed case—to implement its first widescale attempt at nationwide mitigation of viral spread.
    9. Alex Azar declared a public health emergency
    10. as early as mid-December 2019

      The apparent source of this information is a study done by the CDC in Nov 2019.

    11. initiating export bans on personal protective equipment (PPE

      Here is one such article on the EU banning the export of PPE.

    12. identified rapid construction of a new 1,000 bed hospital in Wuhan,

      Here is one such report from NPR.

      China Builds A Medical Center From Scratch In Under 2 Weeks

      This article was published Feb 2 2020.

    13. U.S. Department of Health and Human Services’ (HHS) Centers for Disease Control and Prevention (CDC) learned of an emerging novel pathogen, now known as SARS-CoV-2

      First learned of the virus.

    1. Over the last 10 years, we’ve lost 360,000.  These are people that have died from the flu — from what we call the flu.  “Hey, did you get your flu shot?”  And that’s something.

      President Trump admitting that he was not aware that influenza was a public health problem.

    2. The Johns Hopkins, I guess — is a highly respected, great place — they did a study, comprehensive: “The Countries Best and Worst Prepared for an Epidemic.”  And the United States is now — we’re rated number one.  We’re rated number one for being prepared

      This study appears to be the Global Health Security Index 2019 report, which is hosted by Johns Hopkins School of Public Health along with the Nuclear Threat Initiative (NTI), with help from the Economist.

      This is the annotation of the United States' favorable score.

    1. 1 United States

      Presumably, this is the score for Global Health Security Index, in which the United States scores as first, mere months before the COVID-19 pandemic began.

      This score was referenced by Trump in a White House press briefing on Feb 26, 2020.

  4. Apr 2023
    1. proprietary information of such manufacturer (as determined by the Secretary)

      It is the secretary that determines what information is proprietary.

    1. A list of data the agency intends to collect, use, or acquire to facilitate the use of evidence in policymaking.

      It is not clear whether this is all of the data the agency collects, or just the data that impacts policymaking, or just the data that "is intended" to have such a purpose.

  5. Feb 2023
    1. Concurring Statement of Commissioner Christine S. Wilson

      This document is the discussion of one FTC commissioner on the GoodRX FTC complaint and proposed order.

    1. we admit no wrongdoing

      Which means that as far as patient privacy is concerned, GoodRX has no integrity and its reputation is deservedly destroyed.

      This is a "lawyer" response.

      It will not keep GoodRX from being sued. It will not reduce the liability. But saying this is an absolute indication that this is a classic non-apology and failure to take responsibility.

      Recall, specifically, that a Facebook user discovered that their medication information was in Facebook because GoodRX had put it there.

      To classify this as no-wrongdoing is intellectually dishonest. Especially when GoodRX itself previously categorized this mistake as "not living up to our own standards". Note that this link is to a blog post that GoodRX has since taken down. Not a good look to declare now that you did nothing wrong, when you previously admitted that you had done something wrong, and then you took down that blog post. The url for that blog post now forwards to GoodRX privacy policies (i.e. the privacy policies that they failed to honor, which is what got them in hot water with the FTC)

      Again, quoting from that now-deleted blog post: "For this we are truly sorry, and we will do better. "

      So this letter on the privacy problems is a redaction of the previous position which was "Yeah we were sharing data with Facebook.. we should not have been.. we will stop doing that, and we are sorry".

      GoodRX could have chosen to notify all of its users of this problem at that time, but chose not to do so, putting it in violation of the FTC breach notification rule.

      So no matter how you cut it, this is an example of wrong-doing, GoodRX did mess up, and they have never taken full responsibility for their mistakes. Indeed what little responsibility they have taken, this article largely unwinds.

      GoodRX does a valuable and critical service for patients. I will continue to recommend it to patients. But I will state, clearly, that GoodRX will sell patient data in unethical ways, and that this is the decision that patients need to make as they decide whether to have discounted medications or privacy.

      GoodRX current position is that patients must choose one or the other. Privacy or affordable medication. Not both.

      -ft

    2. protecting our users’ privacy is one of our most important priorities

      If this were true, this article would not be necessary.

      I think it's fair to say that privacy is a "priority" for GoodRX. But not "one of our most important".

      The fact that this non-apology letter exists indicates that your legal liability concerns and investor relations issues are far more important than patient privacy.

      If patient privacy were "one of our most important" priorities at GoodRX then this document would be a readout of a post-mortem on the mistakes made and the steps taken to address those mistakes.

      The FTC complaint specifically states:

      GoodRx also did not have any employee, manager, executive, or team formally dedicated to the management or oversight of GoodRx’s company-wide privacy and data sharing practices

      GoodRX now has full-time privacy executives. But at the time, patient privacy was not so important that they could have someone attached to it. Not sure what "top priority" means, but this does not sound like it.

    3. confidentiality provisions in place

      This is not true.

      They shared data with Facebook and Facebook's "confidentiality provisions" say "This is ours now and we will make this public". And they did in fact share the information. Which is how the watchdog found out about it.

      Specifically, the FTC stated in its complaint:

      ...GoodRx has taken no action to limit how Advertising Platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio, could use the personal health information it shared with them. Rather, GoodRx agreed to each of these third parties’ standard terms of service, or entered into agreements that permitted each Advertising Platform to use GoodRx users’ personal health information expansively, including for other advertising or for their own internal business purposes

    4. primarily IP addresses and web page URL information related to looking at content

      The FTC complaint contradicts this, saying:

      This included the name of the medication for which users accessed a GoodRx Coupon (“Drug Name,” such as “Lipitor”); the website URL, which in many cases included a medication name; the health condition related to the medication (“Drug Category,” such as “high cholesterol”); the medication quantity (“Drug Quantity,” such as “30-day supply”); the pharmacy name (“PharmName”); and the user’s city, state and zip code. The pixel also collected website microdata with additional information about the prescription medication and health condition(s) for which users accessed GoodRx Coupons. Finally, the pixel collected users’ IP addresses. In May 2019, GoodRx configured the pixel to automatically share with Facebook additional personal information, including user first and last name; email address; phone number; city, state, and zip code; and gender

    5. We are thoughtful and disciplined about what information we gather and how and why we use it.

      Just to be clear.

      GoodRx took information from its customers. Promised that it would not share information with third parties, and then shared it with Facebook anyway.

      The FTC complaint summarizes the matter like this:

      GoodRx’s privacy policy representations described above were false and deceptive. In fact, since 2017, GoodRx has shared its users’ personal and health information with Advertising Platforms and other third parties in violation of its promises, including for targeted advertising, without providing notice or obtaining affirmative express consent

      Everything you read after this should be with this in mind.

    6. You can view the full terms of the settlement

      It is interesting that GoodRX chose not to link to the original complaint, which includes the details that contradict the statements made on this page.

      Here is the link to the GoodRX FTC complaint.

    7. These statements are neither promises nor guarantees

      It is very hard to believe in commitments made in documents when the document itself sends a notice to regulators that these are "not promises".

    8. While we may elect to update such forward-looking statements at some point in the future, we disclaim any obligation to do so, even if subsequent events cause our views to change.

      While I understand that this is boilerplate language for a public company, it reduces trust to say "If we change our mind and our policies, we reserve the right to keep this page up as it is".

      This is a strong indication that this document exists as a message to investors and regulators primarily and not as a letter to the patient community that makes up GoodRX's customers.

    9. We’ve worked hard to earn that trust.

      It is more reasonable to say:

      "We have worked hard to monetize this trust, without totally panicking our customers" which is a more accurate statement.

    10. GoodRx is a leader on data privacy.

      Citation Needed.

      The evidence against this.. is that this web page was ever necessary.

    11. No medical records were shared.

      As noted before this is false.

    12. No medical records were shared.

      This is disingenuous and demonstrably false.

      First, using the pixel was just one of the problems that the FTC covers. GoodRX injected specific medication data labels into the Facebook Graph, which means that portions of medical records were injected into Facebook by GoodRX.

      This sentence might say "We did not explicitly share medical records with Facebook using the pixel". And be true.

      Because even the fact "John Smith uses GoodRX to purchase medication" meets the criteria for Personal Health Information under US law. This kind of information would count as Social Determinants of Health data, which is now commonly part of Electronic Health Records.

      This means that Facebook could have inferred portions of a medical record using the pixel on the GoodRx website.

    13. The Facebook pixel continues to be used by many websites on the Internet, including U.S. Government websites, insurance companies, hospitals and others.

      This is actually a good point.

      In fact, I would suggest that GoodRX point out that only within the last month or two did the Health and Human Services (HHS) Office for Civil Rights (OCR) clearly release guidance that the Facebook pixel was not HIPAA compliant.

    14. At that time, we also added a number of new, industry-leading ways for consumers to protect their privacy, including an option to request the deletion of personal data.

      This feature is required for GDPR compliance. GDPR does in fact cover US companies when they grow so large that they have EU citizens as customers.

      GDPR came into effect in 2018, but it was complete in 2016.

      This means that the single example from GoodRX of a "new industry leading way of protecting privacy" is in fact mere compliance with industry regulation and best practice.

      This is another example of GoodRX holding themselves out to be leaders, when in fact they are clearly playing a game of catch-up regarding their privacy practices.

    15. took action to be an industry leader on privacy practices

      This is a very generous way to refer to action that can only be classified as "we stopped screwing up" or "we were no longer abusing the privacy of our customers".

      This is like saying "Last year we could not field an NBA team, and this year we can! Which is essentially the same as winning an NBA championship". Merely being in the NBA != being a championship team.

    16. to advertise in a way that we believe was compliant

      There are only two possibilities:

      A. GoodRX understood exactly how the "Facebook data vacuum cleaner" worked, and decided: 'other people are doing this too.. so it is OK for us to do it'

      or

      B. GoodRX (like the rest of the world) did not really understand how Facebook operated until a watchdog told them that they were publishing medication data by advertising in the way they were.

      If GoodRX understood what it was doing with Facebook (A) then it would have known that what it was doing was clearly a violation of their own privacy policies and therefore an FTC breach notification.

      If GoodRX did not understand what it was doing with Facebook, then referring to this as "believing to be compliant" is disingenuous. "Believing that you are compliant" presumes that you have a reasonable understanding of what you are doing.

    17. proactively made updates

      If the CEO of GoodRX had discovered that they were putting patient data into Facebook for the world to see, and then decided "hey we should not be doing this" and then instituted a change to stop that from happening. That would be "proactive".

      But as the FTC complaint clearly documents, the actions that they took three years ago were in reaction to a privacy watchdog (and possibly more than one) discovering that they were sharing data when they should not.

      It is not reasonable to use the phrase "proactively" when the correct word by all accounts is "reactively". This is an inappropriate spin on their previous failure, and factually inaccurate

    1. GoodRx is not a HIPAA-covered entity

      This is confusing, since apparently a subsidiary of GoodRX is providing prescriptions through its service (making it certainly HIPAA covered) and then data from that entity was shared to Facebook by GoodRx...

    2. GoodRx issued a public response

      Here is that public response, which has now been taken down by GoodRX, so it is only available on the Wayback Machine

    3. GoodRx also did not have any employee, manager, executive, or team formally dedicated to the management or oversight of GoodRx’s company-wide privacy and data sharing practices

      GoodRx refers to privacy as a "top priority".. but had no employees who were full-time assigned to working on it?

    4. Rather, GoodRx agreed to each of these third parties’ standard terms of service, or entered into agreements that permitted each Advertising Platform to use GoodRx users’ personal health information expansively, including for other advertising or for their own internal business purposes

      This contradicts what GoodRX has said in its statements.

    5. In August 2019, HeyDoctor began prompting users to view a GoodRx Coupon for medications prescribed during their telehealth consultation. When a user did so, GoodRx configured the pixel to share information about the prescribed medication with Facebook, through a Custom Event called “drug.” It shared the medication name (such as “nitrofurantoin”); dosage (such as “100 mg”); form (such as “capsule”); whether the user was interested in viewing the GoodRx Coupon (such as “interested: Yes”); and the name and location of the users’ pharmacy (such as “Pharmacy: Capsule Pharmacy, New York, NY”). The pixel also shared users’ IP address, and website microdata with additional information about the prescription medication and health condition(s) for which users accessed GoodRx Coupons.

      Uhmm, isn't this a HIPAA violation?

    6. This included the name of the medication for which users accessed a GoodRx Coupon (“Drug Name,” such as “Lipitor”); the website URL, which in many cases included a medication name; the health condition related to the medication (“Drug Category,” such as “high cholesterol”); the medication quantity (“Drug Quantity,” such as “30-day supply”); the pharmacy name (“PharmName”); and the user’s city, state and zip code. The pixel also collected website microdata with additional information about the prescription medication and health condition(s) for which users accessed GoodRx Coupons. Finally, the pixel collected users’ IP addresses.

      These are the details of what was collected by the pixel integration, according to the FTC.

    7. For example, GoodRx created Custom Events with names like “Drug Name” and “Drug Category” that tracked and shared the prescription medication name and health condition(s) associated with each unique GoodRx Coupon that users accessed

      This specifically contradicts GoodRX assertion that "medical records were never shared".

    8. GoodRx displayed a seal at the bottom of the HeyDoctor homepage
    9. GoodRx’s privacy policy representations described above were false and deceptive. In fact, since 2017, GoodRx has shared its users’ personal and health information with Advertising Platforms and other third parties in violation of its promises, including for targeted advertising, without providing notice or obtaining affirmative express consent.

      This is the center of the FTC complaint against GoodRX.

    10. [a]ny information we do receive is stored under the same guidelines as any health entity.
    11. Sensitive Data Principle

      Here is the link to the DAA Sensitive Data Principle

    12. Digital Advertising Alliance principles
    13. Digital Advertising Alliance(“DAA”)

      Which can be found here

    14. However, we never provide advertisers or any other third parties any information that reveals a personal health condition or personal health information.1

      This is the smoking gun. GoodRX made specific privacy commitments and then failed to live up to them.

    15. GoodRx receives a portion of a fee that pharmacies pay to PBMs when users purchase medications using GoodRx Coupons

      This is important because it means that GoodRX does not need to try and make money selling patient data. It has a business model, and violated patient privacy in search of another business model.

    16. labeled them by the medication they had purchased

      This contradicts GoodRX statements that "no medical records were shared"

    17. Case No. 23-cv-460
    18. Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020,
    1. GoodRx adheres to Digital Advertising Alliance principles.

      This is one of the places on GoodRX website where GoodRX mentions that they adhere to Digital Advertising Alliance principles.

      This is mentioned in the FTC complaint about their privacy breaches.

    1. The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx

      This is the basic enforcement. I do not believe this went to court. And this is the first time this has ever been enforced.

  6. Oct 2016
    1. Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.34

      HIPAA pretty much rolls over for law enforcement. Hard to imagine a circumstance where the law would protect a healthcare provider who refused to cooperate with a warrant or other request that they felt was an unreasonable invasion of their patients' privacy, or the doctor-patient relationship.

  7. Jun 2016
    1. The previous methodology assigns beneficiaries in two steps based on the plurality of primary care services furnished 1) by primary care physicians, and 2) by specialist physicians, nurse practitioners, physician assistants, and clinical nurse specialists.     In the final rule, we are revising the assignment methodology to remove certain specialty types whose services are not likely to be indicative of primary care services from Step 2, which places greater emphasis on primary care physicians.  Additionally, we will include primary care services furnished by nurse practitioners, physician assistants, and clinical nurse specialists in Step 1 to recognize the primary care delivered by these professionals. Finally, through rulemaking in the 2017 Physician Fee Schedule, we expect to propose that beneficiaries may attest that their main doctor is participating in a performance-based risk track ACO and be assigned to that ACO.

      This is as good a summary of the assignment changes as I have seen anywhere

    1. A) Yes. If charitable organizations participate in the Shared Savings Program through an ACO along with private parties, the charitable organization must be sure that it continues to meet the requirements for tax exemption to avoid adverse tax consequences. For example, its participation must: not result in its net earnings inuring to the benefit of private shareholders or individuals, and not result in its being operated for the benefit of private parties participating in the ACO. The IRS determines whether prohibited inurement or impermissible private benefit has occurred based on all the facts and circumstances.

      It says "yes" but many have argued that these two constraints essentially mean "no"

    1. Requirements.—An ACO shall meet the following requirements:

      These also seem to be the "purpose" of the ACO...

  8. Mar 2016
    1. In 2000, Seisint Inc. (now LexisNexis Group) developed a C++-based distributed file-sharing framework for data storage and query. The system stores and distributes structured, semi-structured, and unstructured data across multiple servers.

      Not sure if this counts as a predecessor to Big data...
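The FTC complaint excerpts quoted in the Feb 2023 annotations above describe a concrete mechanism: a tracking pixel on the page fired Custom Events (one literally named "drug") whose parameters carried "Drug Name", "Drug Category", "Drug Quantity", the pharmacy name, and later the user's name, email, phone and location, with the page URL often carrying the medication name too. The following is an added example, not code from the page, from GoodRx or from the FTC, showing the kind of guard a security engineer would put between a site and a third-party pixel: it classifies every parameter (and the event name and page URL) before the call, strips health and identity fields, and drops the event entirely when nothing safe can be sent. The key patterns, the short drug-term list, the sample calls and the recording pixel stub are all assumptions constructed for the demo; the two-letter identifier names (em, fn, ln, ph, ct, st, zp, ge) are the common short forms advertising pixels accept for "advanced matching".

```javascript
// Added example; not code from the page, from GoodRx, or from the FTC complaint.
// It models the pixel Custom Events quoted in the Feb 2023 annotations (event
// "drug"; fields "Drug Name", "Drug Category", "Drug Quantity", "PharmName";
// name, email, phone, city/state/zip) and shows a guard that audits what a page
// hands to a third-party tracking pixel before the call is made. The key
// patterns, the drug-term list, the sample calls and the pixel stub are all
// assumptions constructed for this demo.

// Parameter names that must never reach an advertising platform. Keys are
// normalised (lower-case, spaces/underscores/dashes stripped) before matching,
// so "Drug Name", "drug_name" and "DrugName" are all caught. The bare "form"
// pattern is deliberately broad: dosage form leaks the prescription.
const HEALTH_KEY_PATTERNS = [
  /^drug/, /^medication/, /^pharm/, /^dosage$/, /^form$/, /^condition/, /^diagnos/, /^rx/,
];
// Direct identifiers, including the two-letter short names advertising pixels
// commonly accept for "advanced matching" (em, fn, ln, ph, ct, st, zp, ge).
const PII_KEY_PATTERNS = [
  /^(em|email)$/, /^(fn|firstname)$/, /^(ln|lastname)$/, /^(ph|phone)$/,
  /^(ct|city)$/, /^(st|state)$/, /^(zp|zip|zipcode|postalcode)$/, /^(ge|gender)$/,
  /^ip(address)?$/,
];
// Constructed drug terms for the demo; a real deployment would load a formulary.
const CONSTRUCTED_DRUG_TERMS = ['lipitor', 'atorvastatin', 'nitrofurantoin'];

function normalizeKey(key) {
  return String(key).toLowerCase().replace(/[\s_-]/g, '');
}

// Returns 'health', 'pii' or 'ok' for a parameter name or an event name.
function classifyKey(key) {
  const k = normalizeKey(key);
  if (HEALTH_KEY_PATTERNS.some((re) => re.test(k))) return 'health';
  if (PII_KEY_PATTERNS.some((re) => re.test(k))) return 'pii';
  return 'ok';
}

// The complaint notes the page URL itself often carried a medication name, and a
// pixel reports the page URL with every event, so a leaky URL taints the call.
function urlLeaksHealthTerm(pageUrl, terms) {
  const u = new URL(pageUrl);
  const haystack = (u.pathname + u.search).toLowerCase();
  return terms.some((t) => haystack.includes(t));
}

// Audit one pixel call. Sensitive keys are moved to `blocked`; a sensitive event
// name or a leaky page URL marks the whole event for dropping.
function auditPixelCall(eventName, params, pageUrl) {
  const blocked = [];
  const allowed = {};
  let dropEvent = false;
  const nameClass = classifyKey(eventName);
  if (nameClass !== 'ok') {
    blocked.push({ key: `event:${eventName}`, reason: nameClass });
    dropEvent = true;
  }
  for (const [key, value] of Object.entries(params || {})) {
    const reason = classifyKey(key);
    if (reason === 'ok') allowed[key] = value;
    else blocked.push({ key, reason });
  }
  if (pageUrl && urlLeaksHealthTerm(pageUrl, CONSTRUCTED_DRUG_TERMS)) {
    blocked.push({ key: 'page_url', reason: 'health' });
    dropEvent = true;
  }
  return { eventName, allowed, blocked, dropEvent };
}

// Wrapper to put in front of the real pixel function (e.g. window.fbq).
// `pixel` is whatever callable the site uses; only scrubbed params reach it.
function safeTrack(pixel, eventName, params, pageUrl) {
  const audit = auditPixelCall(eventName, params, pageUrl);
  if (!audit.dropEvent) pixel('trackCustom', eventName, audit.allowed);
  return audit;
}

// Constructed sample calls modelled on the fields quoted in the complaint.
const SAMPLE_CALLS = [
  { event: 'drug',
    params: { 'Drug Name': 'nitrofurantoin', dosage: '100 mg', form: 'capsule',
              interested: 'Yes', Pharmacy: 'Capsule Pharmacy, New York, NY' },
    url: 'https://telehealth.example/visit/complete' },
  { event: 'ViewContent',
    params: { 'Drug Name': 'Lipitor', 'Drug Category': 'high cholesterol',
              'Drug Quantity': '30-day supply', PharmName: 'Example Pharmacy',
              city: 'Santa Monica', state: 'CA', zip: '90401',
              em: 'jane@example.test', fn: 'Jane', ln: 'Doe', ph: '3105550100',
              page_type: 'coupon' },
    url: 'https://coupons.example/lipitor-atorvastatin' },
  { event: 'PageView', params: { page_type: 'coupon_search' },
    url: 'https://coupons.example/search' },
];

// Runs the samples through the guard with a recording stub instead of fbq and
// returns what would actually have been sent, plus each audit record.
function runDemo() {
  const sent = [];
  const pixelStub = (...args) => sent.push(args);
  const audits = SAMPLE_CALLS.map((c) => safeTrack(pixelStub, c.event, c.params, c.url));
  return { sent, audits };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

Run with `node` to see the audit: of the three constructed calls only the plain PageView is forwarded; the "drug" event is dropped because its name alone discloses a prescription, and the coupon ViewContent is dropped because the page URL carries the drug name even after its eleven health and identity fields are stripped. The `blocked` list is what you would ship to a log or a CI check so that a new field added by a marketing team shows up before it reaches the platform.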