So vending HIV status is a straight up HIPAA violation, I'm fairly sure that's been found to be the case over and over again -- it doesn't matter what your business is, health information is covered by HIPAA.
That's a 250k per violation fine, and leaking status, positive or negative, is a violation. And every person, and every time they pass that information to every "partner", is a distinct violation.
> So vending HIV status is a straight up HIPAA violation
If the vendor is a HIPAA covered entity, which Grindr isn't.
> it doesn't matter what your business is,
Yes, it does.
> health information is covered by HIPAA.
PHI held by HIPAA covered entity or by a business associate on behalf of such an entity, sure. Health information shared by the subject outside of a healthcare context, OTOH...
"The Security Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”) and to their business associates."
"The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically."
in what circumstances has HIPAA been found to apply to businesses other than those?
You aren't bound by HIPAA just because a user hands over health related information. You will, however, fall under it if you are sharing that data with a covered entity.
Grindr isn’t claiming HIPAA compliance, so it doesn’t apply to them. They’re not a healthcare provider (or covered entity), so there’s no requirement for them to obtain HIPAA compliance.
Not in your personal capacity, no. As mentioned in the other comments to this parent, HIPAA only applies to "covered entities" like doctors that take insurance and insurance companies, and their "business associates" that process PHI on their behalf.
That's not even close to the same thing. You're comparing involuntary and unknown sharing of personal data with explicit and self-actioned sharing of that data.
The user volunteers their health information into the public domain when they tell Grindr their HIV status. This is information that is already visible to other users to some degree.
Declaring your HIV status on Grindr is voluntarily and knowingly sharing your own health information into the public domain. It is much closer to tweeting it out than telling a medical professional imo.
Valid point; I hadn't considered it that way. There's still a large difference in audience between the two but ultimately you're surrendering the information to unknown parties.