Wednesday, January 31, 2024

2024 Watch Out For Partners!

Lawyers define a partnership as a business enterprise entered into for profit which is owned by more than one person {for legal purposes, corporations are considered to be 'persons'}, each of whom is a "partner." So what happens when you do business with a corporation and you find out later that it has a partner and then you learn that the partner has mishandled personal information you shared with the corporation?

This happened to me this month. I discovered that my health care system, SSM Health, had shared my personal and health information with a company called Navvis. A hacker had gotten into Navvis' system and gained access to my information. 

I received a “Notice of Security Incident” dated 29 December 2023 from Navvis {They are located at 555 Maryville University Dr. Suite 240; St. Louis, MO 63141} <https://www.navvishealthcare.com/>. The Navvis website says "At Navvis, we work with partners across the health ecosystem to do something radically, unapologetically different. We are reimagining new models of care. Helping providers and payers move collaboratively toward value-based arrangements, and delivering the expertise and technology to power change and ensure alignment. It’s a change agenda where everyone wins." I think it's great when everyone wins, except of course if the winnings are shared with a hacker. And I worry about that "unapologetically" bit. Who wants a partner that doesn't apologize?

The letter refers to a “recent incident” detected by Navvis on July 25, 2023 in which “certain files and information…may have been accessed, or acquired, by an unauthorized actor.” The letter included information about how anyone affected by this “incident” could get one year of free identity protection from a company called IDX ("America's leading provider of breach response services" according to <https://www.idx.us/>).

I contacted Navvis directly by phone and I was told that SSM gave my personal and medical information to Navvis without my knowledge or consent. It was OK, I was told, because Navvis was a “partner” of SSM and that my information was used to improve operations with “a comprehensive value-based care solution,” a term with which I am not familiar. The man I spoke to tried to explain a) why it took 5 months to figure out that they had been hacked and b) what exactly Navvis was doing with my personal information.

From the Navvis website, it appears that Navvis is, in fact, a consulting firm that will help clients “Reach the highest level of performance in risk-based models with a solution that brings together deep knowledge of care delivery, analytics, payment models, culture change, and enabling technologies.” Aren't they wonderful? I wonder what that means in English.

I then called SSM Health Privacy/HIPAA Contact and spoke to a woman there. She also told me that SSM and Navvis were in a partnership. She maintained that SSM had the right to share my personal information with Navvis and SSM had done nothing wrong.

I went to the SSM website and read the SSM Patient Rights and Responsibilities. It says: “You are a key member of your Health Care Team and you have the right to: Privacy and confidentiality regarding your treatment, care and medical record.” Good to know that I am a team player!

Now, before each appointment I have with an SSM healthcare provider, I am asked to sign a “HIPAA Notice of Privacy Practices SSM Health” {Effective Date: July 1, 2015}. I re-read this document and nowhere does it mention Navvis or any other “partnerships” or consultants.

I dug deeper and, after reading about the “Health Insurance Portability and Accountability Act of 1996 (HIPAA)”, I found that I may let providers or health insurance companies know if there is information I do not want to share. I can ask that my health information not be shared with certain people, groups, or companies. <https://www.hhs.gov/hipaa/for-individuals/index.html>.

So I sent SSM a letter, describing what had happened with Navvis and I concluded by asserting my HIPAA rights: 

As a “key member” of my “Health Care Team” and in accordance with my rights under HIPAA, I hereby request that none of my personal, medical, or insurance information be shared with Navvis or any other SSM partners or consultants.

We shall see what comes of this. 

In the meantime, beware of your team's partners! 

