Ask HN: How bad is this survey's security?
I am a participant in a longitudinal study.
Periodically I am asked to answer questions in an online survey that:
- verifies my info (address, phone, email)
- verifies my contacts (name, address, phone, email)
- asks about recent doctor visits, prescriptions, hospitalizations, etc.
The login credentials are:
- login=email
- password=date of birth
But it gets worse: you can log in to a partially completed survey and information previously entered has been saved.
I know this is terrible from a vanilla compsec standpoint, but isn't this information covered by HIPAA? What can I tell this organization to get them to understand the severity of this?