The PII of the nurses being accidentally shared by a staffing agency isn't a HIPAA violation. Yes, the nurses are providers, but their relationship with the Uber for nurses service isn't a medical provider relationship. It's definitely a legal and ethical failing, but I don't think it's a HIPAA one.
This is what I took away from the reading. It's basically a shift/employee management platform. The only reason we're even discussing HIPAA is because it's health care industry adjacent.
If you replaced nurses with gig workers and Uber for nurses with something like WeWork, this would just be like every other leak we talk about on HN.
>I also saw what appeared to be medical documents uploaded to the app. These files were potentially uploaded as proof for why individual nurses missed shifts or took sick leave. These medical documents included medical reports containing information of diagnosis, prescriptions, or treatments that could potentially fall under the ambit of HIPAA regulations.
The title is exaggerating what the article says, and the article is making a big stretch about this being possibly HIPAA covered. I stand corrected: this has nothing to do with HIPAA.
What was leaked was nurses' doctors' notes submitted justifying calling out of work. Still a serious leak, but nowhere near what is being suggested.
HIPAA avoidance is much narrower than that. Entities which perform administrative or managerial duties on behalf of a mandated organization that have to transmit PII to provide that service are also covered, even if the entity itself isn't a provider.
If 'Uber for nurses' is acting on behalf of nurses, it probably doesn't apply? If it's acting on behalf of the hospitals (who are indisputably covered entities), then the situation is much less clear.
I encountered a similar situation with my startup many years ago and decided "better safe than sorry" after consulting the lawyer.
I used to work in the field. HIPAA protects patient data, not provider data. If my understanding is correct that only nurse PII was leaked, this has nothing to do with HIPAA.
In general, I've found that people tend to think HIPAA applies much, much more than it actually does. Like people thinking if you're in a meeting at work with clients and say "Sorry, Bob couldn't be here today, he's got the flu" that that's a HIPAA violation. No, it's not.
This is just an employee data leak, just like a bajillion other employee data leaks. The fact that the employees happen to be nurses still doesn't mean it has anything to do with HIPAA.
ESHYFT isn't a covered entity, so HIPAA doesn't apply to them. Even if they have health data of their employees in their system, they're still not a covered entity.
Really, "Uber for Nurses" is a title to drum up interest. "Large Staffing Service" would be factually accurate.