Covered California is a health insurance marketplace. It is not an insurance carrier or an insurance clearinghouse. Perhaps they're guilty of something else?
HIPAA is designed to protect the privacy of providers, clinics, hospitals, and insurance carriers. HIPAA is designed to make it maximally difficult to move PHI from one provider to the next. HIPAA is designed to make it maximally difficult for plaintiff attorneys to discover incriminating malpractice evidence when suing those providers. HIPAA is a stepping-stone to single-payer insurance.
HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care. No entity under HIPAA can legally divulge the slightest tidbit to your brother, your parents, or anyone who contacts them, unless an ROI is on file. Those ROIs are a thing you have to go pursue on your own -- they are never offered or suggested by the provider -- and those ROIs will expire at the drop of a hat -- and you never know if an ROI is valid until it is tested at the point of that entity requesting information.
> HIPAA is designed to protect the privacy of providers, clinics, hospitals, and insurance carriers.
No? I can practically quote the law directly here, though it is a bit dense:
> A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
I.e., the privacy of your, the patient's PHI is protected.
That's a privacy regulation, and it is talking about and protecting the privacy of patient data, not provider's, etc.
> HIPAA is designed to make it maximally difficult to move PHI from one provider to the next.
It does no such thing. But [1].
> HIPAA is designed to make it maximally difficult for plaintiff attorneys to discover incriminating malpractice evidence when suing those providers.
Plaintiffs can divulge their own PHI directly to lawyers. Otherwise, no, lawyers don't get to access random people's PHI … but that's directly because the privacy of that PHI is protected. Further, one of the exceptions to HIPAA's protections is judicial order … so if plaintiffs can get a judge to agree, they can get a limited window into people's PHI. But … no, they don't just get to see?
> HIPAA is a stepping-stone to single-payer insurance.
… clearly not, or where is it?
> HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care.
People: you're always permitted to divulge whatever you want, to whomever you want, about your own PHI. But no, a doctor cannot divulge PHI to, e.g., an adult's parents without authorization. Again, this is to protect the patient's privacy: for example, so that a woman can keep something medically private from her husband if she chooses, or an (adult) patient can not have nosy parents learning things that are not their business, etc.
(Parents/guardians of non-adult children are treated differently, of course. There are other exceptions, and exceptions to the exceptions, but generally, they follow pretty common sense lines.)
Providers, entities: again, HIPAA only prevents this without your consent, and that's basically what privacy is.
And … you know this:
> unless an ROI is on file.
(An ROI is a "release of information", for others.) Yes, if you consent, then your PHI can be divulged. This is like the very definition of patient privacy.
> Those ROIs are a thing you have to go pursue on your own -- they are never offered or suggested by the provider -- and those ROIs will expire at the drop of a hat -- and you never know if an ROI is valid until it is tested at the point of that entity requesting information.
This isn't true, either; I've had providers ask for ROIs, and nothing prevents a provider from taking initiative. (Perhaps you need a better provider.) Yes, to a large extent, you must own your own outcome in American healthcare, but I think this is more a function of other failings in HC than HIPAA.
Also, … yes, ROIs are scoped: they're only good for a specific instance of releasing information, i.e., they're not carte blanche to the provider to release your information to the world. Again, that's a privacy protection.
In the specific case covered by TFA, upstream is right: it is unfortunate that marketplaces might not be covered entities, and probably should be. This would be a common sense update to the law, so call your congressperson. Were they, HIPAA would prohibit what occurred here, and other covered entities have been fined for exactly this type of error/behavior. I.e., HIPAA has prior examples of preventing exactly the badness here!
[1] I empathize that moving data between providers is not easy, but this is hardly due to HIPAA, which permits such, assuming patient consent. I'd say this is more a function of providers not adhering to standards like they ought to; I've seen precious little use of FHIR (for others: standardized format for HC data) in my time in the industry, and the state of tech for inter-provider transfers is such that most providers probably do find it easier to just recollect the data they need. Heck, even within a provider, I've witnessed struggles to transfer data.
Not even: it specifically allows providers who are actively caring for you to share, even without your consent. Straight from the horse's mouth:
"Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization? Answer: Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization."
Source: https://www.hhs.gov/hipaa/for-professionals/faq/481/does-hip...
> I empathize that moving data between providers is not easy, but this is hardly due to HIPAA, which permits such, assuming patient consent.
It doesn't even really always require consent, but a provider relationship. Consent can grease the wheels though.
It's like you said, very little use of FHIR or still so so much HL7. And anyone who has dealt with those standards knows that just because EHR vendor A says they support them, and EHR vendor B does, doesn't mean data sharing will be smooth.
And yeah, lots of HL7v2. (for readers: HL7v2 is a protocol for medical data sharing. Predates FHIR, and is muuuuch uglier. FHIR is JSON/HTTP, albeit complicated, because medical. HL7v2 is custom binary (or I think there's an XML variant that I pray I never run into?). Not to be confused with the organization HL7.
HL7v2 is also the reason for a lot of having to deal with IPSec tunnels, something else I could stand to never see again.)
> And anyone who has dealt with those standards knows that just because EHR vendor A says they support them, and EHR vendor B does, doesn't mean data sharing will be smooth.
Yep. Some unintentional (the standard is complex, people make mistakes), some intentional (the standard permits extension, and obviously custom extensions might not port).
And that's like every other standard an eng on HN is going to interact with, really.
> HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care.
If I am a provider (and I am, or have been) of yours, I can get information from other providers on the care they've provided you. In fact, as appropriate, I can get it without your permission or consent (particularly useful in situations of pill-seeking, or mental health, but other situations too, that I encountered as a paramedic).
While many providers will get you to sign paperwork consenting to this, it is mostly CYA.
https://calmatters.org/health/2025/05/covered-california-lin...
However, California has its own more general privacy law about using medical information for marketing purposes.
If you filled out the same form just to keep in your desk drawer for your family’s reference, it would not be. Also, if you ask for a copy of your record, as soon as you take personal possession of it, HIPAA no longer cares about it, because you aren’t a covered entity.
(Source: I founded a startup that spent a lot of money on attorneys to confirm this.)
It’s a pattern we’ve seen across government and private sectors: infrastructure designed for care is being exploited for behavioral targeting through advertising motions. The public doesn’t expect their health decisions to be fed into social ad networks, but the platforms already assume ownership of that data trail.
And of course, it’s all connected. The same companies monetizing behavioral profiling at scale are now running the most powerful generative AI systems. Microsoft, which owns LinkedIn, is also the key infrastructure partner of OpenAI. Meta's ad tools were present on these health sites too. Google’s trackers are everywhere else.
When you strip away the techno-mystique, what’s driving the AI and data arms race isn’t wisdom. It’s ego, power consolidation, and a pathological fear of being second.
And Sam Altman? He’s not stupid. But brilliance without wisdom is just charisma in a predator suit. Why do you think all these services tie directly into AI?
They use your information for political warfare.
Of course, new techniques are invented all the time, so that may not cover everything.
Federated Learning of Cohorts (FLoC) proved that cookies aren't actually necessary to track you with 98%+ precision, which, given how the internet works, is just 2 clicks.
The only way to stay anonymous is to stay on the radar. Sandbox your browser, have multiple physical-on-the-filesystem profiles and never mix business with pleasure or banking with youtube.
If you use Linux, create a Windows 11 VM to browse anonymously, because Linux already makes you stick out like a sore thumb due to its TCP fingerprint.
If you do that, at least change GPU name to NVIDIA or something.
Your information then can be freely shared with others but is not given to you, nor are you given any way to correct the false information in your record.
For what it's worth, in the United States at least, you have several permanent records that follow you everywhere you go. Your medical records work in a similar way to your former employers. In fact, employer confidentiality to other employers allows them to say almost anything about you and neither has to share it with you and you have no chance to have any kind of fair process to correct it.
Now add all the data brokers and the other bribery kind of situations and the whole system is basically broken and corrupt.
https://www.hhs.gov/hipaa/for-individuals/guidance-materials...
https://www.hhs.gov/hipaa/for-professionals/compliance-enfor...
Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient's medical record. See 45 CFR 164.524(a)(1)(i) and 164.501.
Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 CFR 164.524(a)(1)(ii).
"The devil is in the details."
It is not misinformation. Thank you.
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance...
Several others listed here: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-...
Covered California's privacy policy explicitly says they follow HIPAA and that "Covered California will only share your personal information with government agencies, qualified health plans or contractors which help to fulfill a required Exchange function" and "your personal information is only used by or disclosed to those authorized to receive or view it" and "We will not knowingly disclose your personal information to a third party, except as provided in this Privacy Policy".
Those privacy policy assertions have been in place since at least October 2020, per the Internet Archive wayback machine record. [2]
[1] https://www.coveredca.com/pdfs/privacy/CC_Privacy_Policy.pdf
[2] https://web.archive.org/web/20201024150356/https://www.cover...
Being really clear, I despise this whole situation. But there's a lot of contortion to get to a government healthcare marketplace being considered a healthcare provider, which has a definition in the law.
> The Markup found that Covered California had more than 60 trackers on its site. Out of more than 200 of the government sites, the average number of trackers on the sites was three. Covered California had dozens more than any other website we examined.
Why is Covered California such an outlier? Why do they need 60 trackers? It's an independent agency that only deals in health insurance, so they obviously (and horribly) thought it was a good idea to send data about residents' health insurance to a third party.
It's an optional follow-on procedure for the dental surgery procedure I had scheduled for this week.
I'm much more careful than most people about keeping Web search and browsing history private. But there's a chance that last week I browsed some question about the scheduled procedure, from my less-private Web browser, rather than from the Tor Browser that I usually use for anything sensitive that doesn't require identifying myself.
If I didn't make a Web OPSEC oops, it looks like maybe someone effectively gave private medical information to LinkedIn, of all places (an employment-matchmaking service, where employers are supposed to be conscientious of EEOC and similar concerns).
Thankfully, the law is not based on such thresholds.
Get your act together and either resign or stop handling public data let alone the sensitive stuff. I'm serious, draft that letter now.
"Leak" is not the right term. By default a "website" is a 404. Throw some HTML on there and users can see something. Adding LinkedIn tracking is a deliberate choice. Calling the data "leaked" is like saying a raft sprung a "leak" when the person in the raft punctured it 60 times (number of trackers). The data was shared and pushed to LI, on purpose. They (Covered CA) installed LinkedIn's code on their site. The code did exactly what it was intended to do, send data to LinkedIn.
A leak is accidental, this was a choice by Covered CA.
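The point above, that tracker code on a site is something the site owner installed, also means it is something the site owner can audit before deploying. The following is an added example (not code from the thread, from Covered California, or from The Markup): a small static audit that parses an HTML page, collects every script, image, iframe and stylesheet URL, and reports which resources go to third-party hosts and which of those match an illustrative list of well-known advertising/analytics hosts. The first-party domain `marketplace.example`, the sample HTML and the `TRACKER_HOSTS` list are constructed for this example and are not the page's data. A static scan is only a lower bound: tag managers load further trackers at runtime, so a real audit also needs the network log from a browser session.

```python
"""Static audit of third-party resource loads in an HTML page (added example)."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative list of well-known ad/analytics endpoints; extend for your own audit.
# (Assumption: these are the hosts the LinkedIn Insight Tag, Meta Pixel and
# Google Tag Manager load from. Not taken from the page.)
TRACKER_HOSTS = {
    "snap.licdn.com",
    "px.ads.linkedin.com",
    "connect.facebook.net",
    "www.googletagmanager.com",
    "www.google-analytics.com",
}


class ResourceCollector(HTMLParser):
    """Collects the URL attribute of every tag that triggers a network fetch."""

    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.URL_ATTRS.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if value:
            self.urls.append(value.strip())


def is_first_party(host, first_party):
    """A host is first-party if it equals the site domain or is a subdomain of it."""
    return host == first_party or host.endswith("." + first_party)


def audit_html(html, first_party):
    """Return resource count, per-host third-party counts and matched tracker hosts."""
    collector = ResourceCollector()
    collector.feed(html)
    third_party = Counter()
    for url in collector.urls:
        # urlparse handles absolute ("https://h/p") and protocol-relative ("//h/p")
        # URLs; relative paths ("/static/app.js") have no hostname and are first-party.
        host = urlparse(url).hostname
        if host is None or is_first_party(host, first_party):
            continue
        third_party[host] += 1
    trackers = sorted(h for h in third_party if h in TRACKER_HOSTS)
    return {
        "resources": len(collector.urls),
        "third_party": dict(third_party),
        "trackers": trackers,
    }


# Constructed sample page: one first-party script, two first-party images,
# one CDN stylesheet and three ad/analytics loads.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<img height="1" width="1" src="https://px.ads.linkedin.com/collect/?pid=EXAMPLE&fmt=gif" />
<link rel="stylesheet" href="https://cdn.example-cdn.net/site.css">
</head><body>
<img src="//www.marketplace.example/logo.png">
<img src="/img/banner.png">
</body></html>
"""

if __name__ == "__main__":
    report = audit_html(SAMPLE_HTML, "marketplace.example")
    print(f"resources: {report['resources']}")
    for host, n in sorted(report["third_party"].items()):
        flag = "TRACKER" if host in TRACKER_HOSTS else "third-party"
        print(f"  {flag:11s} {host} ({n})")
    print("tracker hosts:", ", ".join(report["trackers"]) or "none")
```

Running the audit on the sample page reports seven resources, four third-party hosts, and three of them on the tracker list; a CDN host shows up as third-party without being flagged, which is the distinction a reviewer wants to see before signing off on a deployment.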
kva-gad-fly•8mo ago
Does this also mean that those pious popups about "Do not sell my information" are essentially vacuous?