By Kashmir Hill
Originally posted October 21, 2014
Here is an excerpt:
Much like a Facebook policy change, it seems that doctors and patients wound up having data exposed or used in a way they didn’t expect. But this is a much more serious case in that it involves sensitive health conditions. Medical privacy laws spell out explicitly what health providers and their “business associates,” a.k.a. vendors, are allowed to do with patient information. While Practice Fusion says contacting patients for reviews is a service done on behalf of doctors — as is required by HIPAA — the cynical take is that they used their access to patient records for business purposes — to build a review site to compete with ZocDoc and Yelp.
Deven McGraw, a medical privacy law expert at the Center for Democracy and Technology, was also troubled by the messaging. “Anything they want to do with patient data, they’re supposed to do on behalf of the doctor. It’s not a license or invitation to take the data you get and use it for your own business purposes,” she says.
The entire story is here.