• Katana314@lemmy.world
    link
    fedilink
    English
    arrow-up
    34
    arrow-down
    2
    ·
    4 months ago

    The moment a lawyer saves their medical records in a way that unintentionally and without their consent uploads them to OneDrive, they have a pretty solid case to charge Microsoft for a HIPAA violation.

    • ShortFuse@lemmy.world
      link
      fedilink
      arrow-up
      18
      ·
      edit-2
      4 months ago

      HIPAA doesn’t even require encryption. It’s considered “addressable”. They just require access be “closed”. You can be HIPAA compliant with just Windows login, event viewer, and notepad.

      (Also HIPAA applies to healthcare providers. Adobe doesn’t need to follow HIPAA data protection, though they probably do because it’s so lax, just because you uploaded a PDF of a medical bill to their cloud.)

      • Katana314@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        ·
        4 months ago

        HIPAA applies to whichever entity consciously chooses to move/store data.

        Generally, after a patient downloads a healthcare-related item, they are that entity - and as the patient, they have full control/decisions about where it goes, so they can’t violate their own HIPAA agreement even if they print it and scatter it to the wind.

        BUT, if your operating system “decides” to upload that document without the user’s involvement, then Microsoft is that entity - and having not received conscious permission from the patient, would be in violation. It’s an entirely different circumstance if the user is always going through clear prompts, but their more recent OneDrive Backup goal has been extremely forceful and easy to accidentally turn on - even to the point of being hard to disable. As you said, encryption has nothing to do with it.

        • ShortFuse@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          4 months ago

          No. Microsoft is not liable, at least when it applies to HIPAA.

          The HIPAA Rules apply to covered entities and business associates.

          Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.

          If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. See definitions of “business associate” and “covered entity” at 45 CFR 160.103.

          https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html

        • lolcatnip@reddthat.com
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 months ago

          LOL. You really think Microsoft doesn’t have an army of lawyers ensuring they comply with laws like HIPAA?

          • Katana314@lemmy.world
            link
            fedilink
            English
            arrow-up
            6
            ·
            4 months ago

            When they’re specifically writing business plans designed for hospitals, sure, they can likely account for it. But not when designing end user services that are laissez-faire about user data privacy - on the random things people put in “My Documents”. As with many organizations, it’s very possible the two parts of the corporation don’t talk to each other.

            • lolcatnip@reddthat.com
              link
              fedilink
              English
              arrow-up
              1
              ·
              4 months ago

              That’s not how it works. Microsoft knows Windows will be used in medical settings. They know “but it’s a product for home users” won’t be an effective defense if they cause a HIPAA violation.

              • Katana314@lemmy.world
                link
                fedilink
                English
                arrow-up
                4
                ·
                4 months ago

                They also should “know” that being forceful about backup prompts, AI features, and major version upgrades will irritate users into switching off their OS, and yet they’re doing it anyway. Logic is not driving their actions; greed for data is.

                • lolcatnip@reddthat.com
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  5
                  ·
                  4 months ago

                  Microsoft makes is money by selling products and services. Your data is not nearly as valuable as you think it is.

      • Katana314@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        4 months ago

        It is feasible to CHOOSE to use OneDrive and take all the proper precautions. We’re talking about home users getting OneDrive data uploaded without their consent through their “push assumed default”, and “giant popup, tiny cancel” setups.

        The article you link only says it’s okay when using a OneDrive business plan together with a signed agreement.

        • biscuitswalrus@aussie.zone
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          4 months ago

          You should be, if you’re in a work computer with privileged documents, controlling it with an appropriate level of care. No matter Linux or Windows. If you’re using home and defaults, you’ve failed no matter what.

          • Katana314@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            1
            ·
            edit-2
            4 months ago

            We’re not talking about work computers. We’re talking about patients - end users who have downloaded documents from their doctor.

            These people should not be blamed for using defaults, or for insecure actions happening from their inaction.

            I said home computers multiple times and you again replied about work environments. You need to start paying attention.

            • biscuitswalrus@aussie.zone
              link
              fedilink
              arrow-up
              2
              ·
              4 months ago

              Ah you’re thinking I’m reading your other comments to other people.

              BTW HIPAA is for providers for their patients information handling. Once it’s in the person’s hands, it’s no longer under HIPPA and it no longer applies. If you decide to put your private medical information on a commercial advertisement board on a highway, and it’s not breaking laws to do with acceptable adcertisement (eg gore or smut) you’ll be able to do that to.

              Basically theres no expectation for a individual person to adhere to HIPPA for their own personal information storage and it doesn’t apply.

              My assumption with your lawyer comment, is this was a insurance or otherwise medical malpractice lawyer who might collect this information for their client cases, since without having client/patient requirements, HIPPA is irrelevant.

            • biscuitswalrus@aussie.zone
              link
              fedilink
              arrow-up
              1
              ·
              4 months ago

              The moment a lawyer saves their medical records in a way that unintentionally and without their consent uploads them to OneDrive, they have a pretty solid case to charge Microsoft for a HIPAA violation

              Are we talking about the same comment?

              • Katana314@lemmy.world
                link
                fedilink
                English
                arrow-up
                2
                ·
                4 months ago

                Lawyers, once they take off the suit and go home to their kids, are end users, not businesses. It would simply be easier for someone to initiate the lawsuit if they have a background in law.