Facebook ad-tracking possibly violating HIPAA laws
June 16, 2022 7:26 AM

Facebook's ubiquitous Meta Pixel has been shown to collect patients’ sensitive health information—including details about their medical conditions, prescriptions, and doctor’s appointments—and send it to Facebook. Researchers discovered that one third of Newsweek’s top 100 hospitals were sending sensitive data to Facebook, presumably inadvertently. A law professor who studies big data and health care called it "creepy, problematic, and potentially illegal."
posted by CheeseDigestsAll (53 comments total) 28 users marked this as a favorite
 
My surprised face...
posted by Windopaene at 7:31 AM on June 16, 2022 [5 favorites]


I work for a hospital (not one on the list), and HIPAA violations are a nightmare. If one of the hospitals is found to be in violation, then they have to potentially notify everyone affected, the local press, and others.
posted by Spike Glee at 7:57 AM on June 16, 2022 [7 favorites]


One of the perils of being a lawyer (IAAL; IANYL; IANAHealthCareL) on the Internet these days is constantly telling people that the thing they insist is a HIPAA violation (being politely asked to wear a mask) is not, in fact, a HIPAA violation -- nor even a "HIPPA" violation, whatever that is.

It's almost an automatic reaction at this point.

But, um, yeah from TFA this looks like it might actually be a massive HIPAA violation.
posted by The Bellman at 8:04 AM on June 16, 2022 [47 favorites]


Isn't HIPAA kind of a useless law though, in that there are usually no major consequences for breaking it?
posted by medusa at 8:14 AM on June 16, 2022 [1 favorite]


Northwestern Memorial Hospital: “The use of this type of code was vetted and is referenced in NM.org’s Terms and Conditions”

Lol no.

Although that we’ve done fuck all to regulate terms and conditions tomfoolery gives me little hope we’ll actually address data shenanigans.
posted by [insert clever name here] at 8:15 AM on June 16, 2022 [2 favorites]


The Markup also found the Meta Pixel installed inside the password-protected patient portals of seven health systems. On five of those systems’ pages, we documented the pixel sending Facebook data about real patients who volunteered to participate in the Pixel Hunt project, a collaboration between The Markup and Mozilla Rally. The project is a crowd-sourced undertaking in which anyone can install Mozilla’s Rally browser add-on in order to send The Markup data on the Meta Pixel as it appears on sites that they visit. The data sent to hospitals included the names of patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.

Fuuuuuuuucking hell.

I know I know, there are no individual solutions to collective problems, but...at the individual level are there ways to block this?
posted by medusa at 8:18 AM on June 16, 2022 [7 favorites]


Medusa, I dunno what constitutes usually, but a quick google search found this article which includes examples of violations and fines.
posted by [insert clever name here] at 8:21 AM on June 16, 2022 [1 favorite]


If a HIPAA violation impacts more than 500 individuals, they are legally required to notify the media. Oh man, this could be so bad for these hospitals (I say, with no small amount of glee - because there is literally no reason to have a fucking Facebook pixel on your medical shit). I am hopeful that the law comes down on them for this.
posted by quadrilaterals at 8:22 AM on June 16, 2022 [29 favorites]


surely this
posted by Lawn Beaver at 8:22 AM on June 16, 2022 [4 favorites]


Actually, as I have had care at more than one "yes" hospital system, I may file an ombudsman complaint.
posted by quadrilaterals at 8:23 AM on June 16, 2022 [16 favorites]


I dunno, HIPAA seems to be one of those things that sounds bad but is so erratically enforced that it ends up being meaningless -- like, they'll only nail you with it if they wanted to get you for something else but ran into difficulties. I still suspect everyone talks about how terrifying it is solely to make you think they actually give a shit about it, when it's not, and they don't.

Go for a hearing test, and I guarantee within two weeks you'll be swamped by junk mail for hearing aids (because I've seen this exact thing happen to people on multiple occasions).
posted by aramaic at 8:29 AM on June 16, 2022 [11 favorites]


I help manage my department's website for the hospital where I work (not on this "yes" list, thank goodness) and I can understand how this sort of thing might happen - we are encouraged to be on social media for strategic marketing, and then we want to have that activity reflected on our website, and so we (non-technical employees) install some harmless-looking widget to have our social media posts show up on our department homepage.

That doesn't make it OK, of course. It's just so insidious how these things are embedded everywhere.

I still suspect everyone talks about how terrifying it is solely to make you think they actually give a shit about it, when it's not, and they don't.

Hard disagree. I've had co-workers fired for HIPAA violations. (And I went for a hearing test a year ago and received nothing, but also did not discuss it on social media nor do I have a spy device like Alexa in my home.)
posted by joannemerriam at 8:38 AM on June 16, 2022 [16 favorites]


I used to work in a healthcare-adjacent role where we noticed one day that Facebook had flipped something from 'default-off' to 'default-on' and it was capturing much more data than we were allowing it. We moved *fast* on fixing that, for exactly the reasons above.

In hindsight, I'm glad that concern was warranted, though of course not glad that it became a practical concern.
posted by CrystalDave at 8:41 AM on June 16, 2022 [2 favorites]


... at the individual level are there ways to block this?

I don't know about other browsers, but the Facebook Container extension for Firefox highlights the parts of a page or form that contain Facebook tracking content. These are only loaded (I think) if you click on the tiny gate icon next to the area. You get quite used to seeing the tiny gate at the top left of the page (indicating that some embedded content wanted to load Facebook tracking) but it's still jarring to see it in unexpected places. The other day I had to submit a query to a major courier about a missing delivery. The email address field in the form had the gate next to it, indicating that they'd share anything entered there with Facebook.
posted by scruss at 8:47 AM on June 16, 2022 [16 favorites]


There is a very good goddamned reason I use a web browser that has the Facebook Container add-on installed. Not very many people are that careful or aware of the risk of leaking data. Ugh.

Forwarded this article to my colleague, who happens to be the person responsible for reporting HIPAA violations in our program.
posted by caution live frogs at 8:49 AM on June 16, 2022 [2 favorites]


This is a really excellent article - it's extremely clear in explaining what they found, which hospitals were involved, the limits of their research ("Our investigation was limited to just over 100 hospitals; the data sharing likely affects many more patients and institutions than we identified."), and exactly how they went about researching these breaches.

I am very impressed by the care and thought put into writing this article.

I know Facebook tracking is pervasive and evil, but I had no suspicion that they were actually grabbing medical data - and it sounds like the hospitals involved had no idea, either.

I'll be forwarding this to my legislators - federal and state - and asking them for both oversight investigations and legislation with teeth.

Thank you so much for posting this, CheeseDigestsAll! It's really important research, and (appalling and infuriating, but) good to know about.
posted by kristi at 8:50 AM on June 16, 2022 [14 favorites]


Also: I do not have a Facebook account. I have never had a Facebook account. I am very curious what data they may have on me anyway.
posted by kristi at 8:51 AM on June 16, 2022 [6 favorites]


The Markup does sterling work. So does STAT, but The Markup has the in-house tech talent and a commitment to transparency.
posted by zenzenobia at 9:05 AM on June 16, 2022 [3 favorites]


joannemerriam, I'd argue the insidious part isn't how "these things are embedded everywhere," rather that strategic marketing is among the top thousand things a healthcare provider thinks they need to be concerned with in the first place.
posted by 7segment at 9:08 AM on June 16, 2022 [16 favorites]


On a base level, what is the justification for having a Meta Pixel on your hospital booking / chart website? Is Facebook paying these systems?

The possibilities I see for these hospitals (specifically, the tech and legal departments, I think) either:
a) knew that Facebook / Meta was collecting data OR
b) knew / suspected that Facebook / Meta was collecting data, but didn't ask enough questions so they could plausibly deny OR
c) did not know enough to ask the right questions OR
d) were lied to by Facebook / Meta.

All of these are a problem.
posted by quadrilaterals at 9:15 AM on June 16, 2022 [7 favorites]


> Also: I do not have a Facebook account. I have never had a Facebook account. I am very curious what data they may have on me anyway.

As much as they do for everyone else, basically. Every person that Facebook's models can impute the existence of has a "shadow profile" where all this data is attached and used to infer information about people connected to you who are on the site.
posted by madhadron at 9:42 AM on June 16, 2022 [3 favorites]


On a base level, what is the justification for having a Meta Pixel on your hospital booking / chart website? Is Facebook paying these systems?

Not directly. It is likely connected to the hospital buying targeted advertising on Facebook, or receiving "analytics" from Facebook.
posted by humbug at 9:46 AM on June 16, 2022 [2 favorites]


Well, this, like the similar Google Analytics, tends to get sold to developers as performance analysis tools. Here's how your customers are coming to your site, here's how long they're spending on your site, here's what they're searching for. Oh. That's maybe HIPAA adjacent? _oops_.

I mean, it seems obvious on the face of it and anyone who has taken the annual HIPAA training should have been raising red flags, but there can be a disconnect between the developers and the actual business entity that's responsible.
posted by Kyol at 9:47 AM on June 16, 2022 [4 favorites]


Whew - just tested the hospital where I've had a crapton of routine tests recently and the hospital that did my knee surgery; one never had the tracker, and the other isn't even on the list (and is linked to the other one).

The hospital where I went to the ER in 1996 for emergency surgery doesn't exist any more, so that takes care of everything.
posted by EmpressCallipygos at 9:51 AM on June 16, 2022


It might also be as simple as the hospital marketing team hiring a company to design the website and deliver analytics on it and then the template being adopted for internal sites without anyone realizing that there are tracking points in place. Or someone wanting to run a facebook campaign to sign up for a health screening via facebook and putting the meta pixel in place thinking it was just letting them track the clicks and results.
posted by interogative mood at 9:55 AM on June 16, 2022 [3 favorites]


nor do I have a spy device like Alexa in my home.

Not that it’s that reassuring, but Amazon/Google’s stance on those is basically “oh don’t worry about us mining your audio for data! We have plenty enough to spy on you without that”, in this case I believe them.
posted by Jon Mitchell at 9:57 AM on June 16, 2022 [10 favorites]


Modern web is absurd. Here's our vaguely-secure web site with your personal information on it that works terribly, and also there's third-party tracking code on it that connects to one of the biggest privacy-ignoring data brokers in the world. There are probably more people on that Meta Pixel development team than there are running the entire hospital web site.

You probably don't want to know what happens on the backend, if they're running a modern system. It's just third party code all the way down.
posted by meowzilla at 10:00 AM on June 16, 2022 [4 favorites]


ARGGGGGG

(The Markup is great! I throw them $3 a month, and this reminds me that it is money well-spent.)
posted by rrrrrrrrrt at 10:15 AM on June 16, 2022 [1 favorite]


> Also: I do not have a Facebook account. I have never had a Facebook account. I am very curious what data they may have on me anyway.

As much as they do for everyone else, basically. Every person that Facebook's models can impute the existence of has a "shadow profile" where all this data is attached and used to infer information about people connected to you who are on the site.


Yeah, I've been grumbling and warning people about this for over a decade now, going back to when it was still The Facebook and only accepting *.edu email users and campuses.

In specific I've been really vocal about how this isn't just annoying but a very serious privacy issue and a direct threat to democracy and well, here we are. *waves at raging dumpster fire in the background*

This is why I've been begging people to delete Facebook, block it in every way they can and more, and it's not because of some weird elitist or hipster thing. Yeah, cool, it's the easiest way to stay in touch with friends and family, or you need it for work, etc, but we're collectively tossing privacy and democracy in the dumpster and dragging anyone and everyone else along who doesn't even use FB for that convenience.

It really started for me when Facebook was importing contact lists from sources like gmail accounts and phone contact lists and basically any similar contact list set they could get their hands on. I was on an art and music sort of email list that sometimes got political and I was getting invitations to FB from people I didn't actually know and definitely did not want to be associated with via shadow accounts or inference by absence or any of that bullshit.

It was alarming and frequent enough that I reached out to the EFF and ACLU to see if there was any case or course of action underway or if there was anything going on in that space and the response from them was basically "LOL good luck!" but it's been over ten years since I did that.

For a number of years I was poking the Facebook beehive with a pointy stick and demanding that they delete any data they had for me or my email address, release any data they've collected on me or even outright ban or block my email address or addresses from their servers.

At some point they just straight up blocked and blacklisted me to the point that I can no longer even use their public facing forms to remove accounts associated with my addresses or submit complaints. Depending on what form or support contact I use now it just errors out and/or says the email address is blocked.

I'm honestly surprised if not outright shocked there haven't been multiple mass or class action lawsuits by this point, but Facebook is apparently doing a really good job of keeping government lobbies really well greased.


Please delete your Facebook. Use the browser container/blocker tools. Block all known Facebook servers in a HOSTS file. I've been beating this drum for years now - Facebook is seriously bad news and is an existential threat to privacy and democracy.
posted by loquacious at 10:15 AM on June 16, 2022 [21 favorites]


So, a hospital that is part of the larger healthcare system I frequent is on the list. Thing is, the organization acts as a huge monolith, with no real functional separation between its various facilities, including hospitals, clinics, and health centers scattered all over central Indiana. I'm willing to bet if that one hospital is on the list, then the entire healthcare system is affected.

Also, by "websites" are they referring to the actual hospital website (i.e. hospital.com)? Or are they also referring to whatever third-party patient portal the system uses?
posted by Thorzdad at 10:46 AM on June 16, 2022


I don't know about other browsers

My quick search indicates that there is SessionBox for Chrome, which I just downloaded. I've been trying to use private browsing for various things, but this looks like it will be much more convenient.


I'd argue the insidious part isn't how "these things are embedded everywhere," rather that strategic marketing is among the top thousand things a healthcare provider thinks they need to be concerned with in the first place

WhyNotBoth.gif
posted by eviemath at 10:47 AM on June 16, 2022 [2 favorites]


joannemerriam, I'd argue the insidious part isn't how "these things are embedded everywhere," rather that strategic marketing is among the top thousand things a healthcare provider thinks they need to be concerned with in the first place.
posted by 7segment at 11:08 AM on June 16


I thought about saying something about that aspect of things too but was a bit concerned I'd create a derail about M4A.
posted by joannemerriam at 11:21 AM on June 16, 2022


quadrilaterals: "The possibilities I see for these hospitals (specifically, the tech and legal departments, I think) either:
a) knew that Facebook / Meta was collecting data OR
b) knew / suspected that Facebook / Meta was collecting data, but didn't ask enough questions so they could plausibly deny OR
c) did not know enough to ask the right questions OR
d) were lied to by Facebook / Meta.
"

The possibilities for these hospitals are that healthcare in the U.S. is a for-profit business. Period. Universal healthcare doesn't need to partner with a data-harvesting company.
posted by caution live frogs at 11:31 AM on June 16, 2022


tends to get sold to developers as performance analysis tools

it's cool we live in a society where hospitals have KPIs on how many patients they bring in, what kind of services they provide, and the revenue generated from all the above

definitely a cool normal society where pervasive tracking and marketing of everything you do in a single day is legally permissible, including how to "convert" your sickness into a "lead generation" opportunity for $
posted by paimapi at 11:54 AM on June 16, 2022 [4 favorites]


The singularity will be monetized
posted by interogative mood at 12:13 PM on June 16, 2022 [3 favorites]


As far as I know, EFF's Privacy Badger should block tracking pixels.
posted by Too-Ticky at 1:40 PM on June 16, 2022 [4 favorites]


I was assigned to look into Facebook ads for a health research study. Once I came across the "meta pixel" feature, I knew right away: nope, we can't do that. That would violate our privacy rules.
posted by jb at 1:42 PM on June 16, 2022 [2 favorites]


It is likely connected to the hospital buying targeted advertising on Facebook, or receiving "analytics" from Facebook.

They probably do receive analytics from FB, but -- and I should really spend the 10 minutes checking, but I don't have time right now -- but my assumption is that this is as simple as an AddThis widget or something putting the little line of "Contact Us" social media icons in the footer of every page.

Talking further out of my ass, ISTR FB having rules that if you're going to use their F logo you have to use their embed code, which of course would include the pixel. There was a click-to-reveal extension a while back that blocked loading of the actual code until you clicked on the logo, but I haven't seen it in awhile.
posted by rhizome at 1:51 PM on June 16, 2022


I've known about trackers on sites like this for years because I leave the UBlock Origin button visible and like looking at the results on sites where I don't think ads or tracking should be permissible.

I’ve been concerned about seeing these trackers on sensitive sites like healthcare and realize that I internalized it as relatively benign site analytics as there’s no way they could be stupid enough to allow Google or FB to actually track users in those scenarios. Can’t believe how naive even someone as cynical as me can be.
posted by Ickster at 2:01 PM on June 16, 2022 [6 favorites]


I know someone who works in one of these hospitals. I haven't talked to them about this specific issue yet, but I remember a few months ago them telling me about how they're starting to learn about PHI and HIPAA. It wasn't considered relevant to their job before (administrative/IT), but this specific project required some complicated stuff re: release of information on substance use between different parts of the hospital, so now they're learning about it sort of tangentially through meetings and such.

This indicates to me that people who don't work directly with clients aren't trained in HIPAA regulations as a matter of course. The assumption being that admin/IT/etc. will never be handling PHI, so they have no need to be aware of it. No one thought to consider they're designing systems that do interact with PHI.
posted by brook horse at 3:16 PM on June 16, 2022 [3 favorites]


All these Hippo violations are probably why they kill so many people.
posted by srboisvert at 3:45 PM on June 16, 2022 [10 favorites]


As far as I know, EFF's Privacy Badger should block tracking pixels.

Which not only doesn't actually fix the problem, but shifts the locus of responsibility inappropriately from the companies to end users.

Why can't the EFF go to the mattresses over corporate data collection like they do for government data collection? Because at this point, the former is becoming the bigger problem.
posted by NoxAeternum at 4:01 PM on June 16, 2022 [3 favorites]


A decade ago, Facebook would use geographical proximity to suggest new friend connections. The idea was that, if you frequently go to the same place as someone else, perhaps you know them and should connect with them online. But a side effect was that Facebook would occasionally reveal to you the first and last names of familiar-looking strangers from your therapist’s waiting room. My extremely vague recollection is that this turned into a private-health-information issue and that particular feature disappeared.

The issue reported here, where search terms about medical problems become associated with an individual’s advertising profile, is so much worse.
posted by fantabulous timewaster at 4:34 PM on June 16, 2022 [4 favorites]


As someone who works in IT at a hospital that is not on this list, we are required by legal to take learning courses on HIPAA and it's a big fucking deal if in the process we encounter someone storing patient information in OneDrive instead of on a local server we have set up for that specific.

The people saying HIPAA doesn't have teeth have clearly not been at an institution that has had HIPAA violations. My hospital (Banner) was forced into a consent decree because of a fraud investigation several years ago and according to my coworkers that's when Legal took risk mitigation from potential HIPAA violations because they made the consent decree look like a walk in the park.
posted by thebotanyofsouls at 6:49 PM on June 16, 2022 [7 favorites]


I've been beating this drum for years now - Facebook is seriously bad news and is an existential threat to privacy and democracy.

Jumping in here to offer you absolute and unconditional agreement on this point before the customary flood of whining about how There Is No Alternative sets in.

I had a viscerally negative reaction to Facebook from the very first time I was ever made aware of it, which happened when I got an invitation to join it that was clearly corporate spamspeak but purported to have come from somebody in my own address book. I was shocked and offended to find that people I knew were uploading their address books, a resource that anybody with any grasp of netiquette had always treated as essentially private, to an organization that their very introduction to was a textbook example of privacy betrayal.

And from that initially unacceptably unethical base they've got monotonically worse year on year. I loathe and despise plenty of people but don't actively hate very many; Zuck, though, is absolutely on the shortlist.

I don't believe Facebook is explicitly tracking my personal activity because I always only ever browse with uBlock Origin and NoScript active, and I recommend the same policy to all.

My other recommendation to everybody who is at all influential within their social circle and has a Facebook account that they could even begin to conceive of getting along without is to delete it immediately and switch to an end-to-end encrypted, non-algorithmically-curated group chat service whose reason for existence is not implementing universal surveillance for commercial gain. Make it clear to those who seek to keep up to date with your doings that they will need to install e.g. Keybase to do that from now on.

Because as things stand right now, it simply doesn't matter what our elected representatives attempt to do to rein Facebook in; it will keep on getting away with doing exactly as it pleases for as long as people keep feeling the need to be on it because it's where everybody else already is. If you can abandon Facebook, I consider it your moral duty to do so.
posted by flabdablet at 6:54 PM on June 16, 2022 [9 favorites]


Well, this, like the similar Google Analytics, tends to get sold to developers as performance analysis tools. Here's how your customers are coming to your site, here's how long they're spending on your site, here's what they're searching for. Oh. That's maybe HIPAA adjacent? _oops_.

The metapixel is supposed to measure effectiveness of advertising spend for people that buy advertising on facebook. You see an ad on facebook, facebook remembers it sent it to you. You later go to a website you saw advertised on facebook, that also has the pixel installed. PING - the pixel phones home to facebook and you're Tracked and the website owner sees that their ad dollars are doing something and the 90% of their users are also fans of the Heinz Baked Beanz or whatever.

I mean, I'm sure it sends a metric buttload of other info, but that's its official raison d'etre.

I've had to install it a couple of times, but we insist they do a privacy impact assessment beforehand as well as update their privacy policy to accommodate the change, which often scares them off.
posted by Sparx at 8:11 PM on June 16, 2022 [1 favorite]


I've had co-workers fired for HIPAA violations.

This is excellent news, and I am most pleased to hear of it.

...now, was their boss fired (or, in a perfect world, their boss's boss)?

Because if not this was all meaningless. Nail the worker, save the boss who demanded the activity in the first place. Again.

The rot goes to the top, why must the punishments be reserved for the lower ranks?
posted by aramaic at 9:12 PM on June 16, 2022


The title is a little bit misleading here: Facebook isn't violating HIPAA; Facebook isn't a "Covered Entity" under HIPAA (well, they might be with regard to their employees' health insurance data and in some other edge cases, but by and large they are not) so it doesn't come into play on their end. It is the hospitals who are Covered Entities and therefore are the ones at risk.

Everything that Facebook is doing is, broadly speaking, totally legal. Tracking every single thing people do? Building massive dossiers on every man, woman, and child on the planet? Selling that data on to the highest bidder? All pretty much legal, at least at the moment. I'm of the opinion that should change, but it's going to be heavy sledding. They have a lot of money, and one thing that I've learned in the past few years is that it takes remarkably little money to buy yourself a Representative or even a Senator. (The ROI on political contributions is absurdly high, at least in some key industries.)

Anyway, what I find interesting here is that it shows a different avenue of attack on Facebook. If you can't go after them, go after the businesses who are their actual customers. If having Facebook anything on your website can be made into a liability rather than an asset, that could really cause them some pain.

It may be difficult to get privacy-protection and anti-tracking laws at the Federal level, but it might be easier to get regulations, professional standards, and industry regulations changed to make using or feeding data into Facebook's (or Google's, or Amazon's) adtech empire unacceptable. It's sort of a long-game strategy, but seems worthwhile to try and pursue.

Kudos to The Markup for doing all the legwork on the issue.
posted by Kadin2048 at 9:26 PM on June 16, 2022 [5 favorites]


The singularity will be monetized

/cut to a boardroom, near future, the board is disheveled around the edges: wrinkled shirts, unshaven, lacking sleep. The boardroom itself is devoid of any electronics. The CEO is pacing, manic, exhorting the exhausted board. The CEO speaks:

“We just need to pivot to working with the grey goo, folks. Realign our marketing with the goo in mind. Find out what it wants, and provide it. It’s a whole massive market, totally untapped and growing exponentially! This is a huge opportunity for amazing profits!”
posted by Ghidorah at 10:41 PM on June 16, 2022 [3 favorites]


NoxAeternum:
> As far as I know, EFF's Privacy Badger should block tracking pixels.
Which not only doesn't actually fix the problem, but shifts the locus of responsibility inappropriately from the companies to end users.


You're not wrong, but on a personal level that is not a reason not to use it.

flabdablet: I always only ever browse with uBlock Origin and NoScript active, and I recommend the same policy to all.

I used to like NoScript, but I can't deal with the new version at all; I've replaced it by uMatrix, from the same maker as uBlock Origin, and it seems very good to me.
posted by Too-Ticky at 11:56 PM on June 16, 2022 [5 favorites]


In related news, also from The Markup:

Facebook is collecting ultrasensitive personal data about abortion seekers and enabling anti-abortion organizations to use that data as a tool to target and influence people online, in violation of its own policies and promises. ... A joint investigation by Reveal from The Center for Investigative Reporting and The Markup found that the world’s largest social media platform is already collecting data about people who visit the websites of hundreds of crisis pregnancy centers, which are quasi-health clinics, mostly run by religiously aligned organizations whose mission is to persuade people to choose an option other than abortion.

Using Blacklight, a Markup tool that detects cookies, keyloggers, and other types of user-tracking technology on websites, Reveal analyzed the sites of nearly 2,500 crisis pregnancy centers—with data provided by the University of Georgia—and found that at least 294 shared visitor information with Facebook. In many cases, the information was extremely sensitive—for example, whether a person was considering abortion or looking to get a pregnancy test or emergency contraceptives.


So that's a real thing, too.
posted by Bella Donna at 5:19 AM on June 17, 2022 [13 favorites]


I remember a few months ago them telling me about how they're starting to learn about PHI and HIPAA. It wasn't considered relevant to their job before (administrative/IT)

WTH?

*EVERYONE* at our hospital goes through mandatory PHI/HIPAA. We go through it in orientation. We know about it before we even have our employee badge! Then, it's part of our annual training. New hires must complete all annual training within the first month of hire, so they get a double dose right off the bat.

There is something very, very wrong that that hospital does not make everyone receive such training.
posted by a non mouse, a cow herd at 2:48 PM on June 17, 2022 [5 favorites]


It might have something to do with them being in a contractor position. As we all know that makes all the normal rules of employment go out the window. ¯\_(ツ)_/¯
posted by brook horse at 9:38 AM on June 18, 2022 [3 favorites]




This thread has been archived and is closed to new comments