Wait—this doesn't make any sense. I'm a physician and have a lot of experience dealing with protected health information. Third parties are required to sign a HIPAA BAA and obligated to uphold privacy/security standards equal to that of your physician and hospital. Can you provide some specific examples of the third parties you're talking about?
MyChart itself is a component of Epic (the EMR) and is absolutely HIPAA compliant. Every healthcare institution I've worked with has taken HIPAA and privacy/security regarding patient data extremely seriously. Non-HIPAA compliant vendors are an immediate non-starter and don't even enter discussions when looking at new products.
I'm a retired software developer that's worked in just about every healthcare-adjacent industry segment you can imagine, with HIPAA compliance being an evergreen issue. I know how this sausage gets made on the back end, and let me tell you, regardless of what impression has been made to you about compliance and safeguards, the reality behind the scenes is always messy. Hundreds of gigs of unanonymized user data lying around on developer machines, getting tossed out accidentally during equipment rollouts, leaky API implementations, half-assed compliance testing, lack of meaningful continuous oversight, vendor services with varying levels of compliance hot-glued together on the back end, outright theft of data; this list is incomplete. I'd recommend a weapons-grade dose of skepticism over any claims of meaningful data privacy, as the last 30 years have consistently and comprehensively shown that anything that gets digitized eventually gets outed if there's a financial motivation to do so.
Yes, I do believe what you're telling me—the state of healthcare tech is definitely leagues behind general consumer tech. However, I do think this is a meaningfully different class of issue when it comes to patients' perceptions and actual harms. Patients are afraid of having their health data used against them. For example, revealing medical conditions to potential employers, revealing health information to friends/family, etc. There's a growing mistrust of healthcare institutions in recent years, and there are unfounded accusations of healthcare institutions selling data for financial gain like social media companies and even the DMV (https://www.caranddriver.com/features/a32035408/dmv-selling-...). This class of nefarious patient data privacy/security negligence effectively doesn't happen. I've treated patients who are illegal US immigrants, I see patients who use and possess illegal drugs while in the hospital, but they're not reported to anyone. They're simply treated and discharged. Unfortunately, a growing number of patients don't believe this is the case, and we see substantial disparities in levels of care provided to these patients who fear healthcare.
I'm not at all dismissing how terrible it is that healthcare tech companies can be lax with patient data. This absolutely needs to be better! But at the same time, this sounds more like incompetence than active malice. Practically speaking, a patient is extremely unlikely to experience actual harm because a developer accidentally took patient data home on a personal laptop. Although, I would love to hear more about what kinds of violations you've seen in your time in health tech? I work with third party vendors from a healthcare institution, and I absolutely want to figure out how to fix this.
With stuff like illegal drugs, so long as records are retained by the hospital, what prevents the feds from coming in later with a warrant to go through them?
HIPAA trumps the warrant. HIPAA is serious when it says patient data can only be shared for treatment, payment, and hospital operations purposes. Law enforcement is not an allowable reason to disclose patient information without their permission.
In the US a mere warrant is not enough to pierce doctor-patient privilege, AFAIK. At least I would hope it would take a subpoena or a court order or something of that ilk.
Now, though, if a third party accidentally leaks your patient info, or lead pipes are involved
I don’t usually comment on these posts, but as a HIPAA compliance practitioner working with covered entities (also business associates) I have to take a contrarian view of HIPAA compliance efforts by providers. HIPAA is mostly a “check the box” type of compliance effort, as opposed to building a “culture of compliance.” Most compliance efforts stop at the technology barrier. For business associates, the compliance dynamic is even worse. While the larger BAs do generally comply, because their focus is generally on the technology, midsized and smaller BAs in most cases know the CE will take at face value that the BA is compliant. But there is a reason about 30% (by number) of all breaches are caused by BAs.
Sure, next time I find one of the forms I'll snag it for you. It was rather eye-catching because it explicitly stated "You're allowing us to share data with third parties and service providers that are not HIPAA compliant." How do I get it to you?
I wasn't claiming that MyChart isn't HIPAA compliant: I was complaining that as part of a MyChart workflow I was presented with a form that wanted me to grant someone the right to send my data to non-compliant organizations, and, as I said above, explicitly stated so.
My email is in my profile page. And if you have truly found that the institution is sharing protected health information (e.g., even just names and date of birth) with third parties who have not signed BAAs, that is a lawsuit worth tens of millions plus government fines of $50,000 per piece of compromised data per patient. I highly suspect that there's some misunderstanding or miscommunication here.
The annual HIPAA training I was subjected to for nearly a decade on the EMR provider side of things never brought up these scenarios, but the Privacy Rule does have carve-outs that allow PHI to be transmitted to entities that would not be considered Business Associates, if the patient consents.