
How?



By typing it into their search form and sending it to their server, and especially on "social networks" by the further (non-)interaction with the person?


HIPAA rules specifically permit incidental disclosures that accompany a permitted purpose such as relating to safety, patient communication, or health treatment, including payment.

If your doctor has a reasonable reason to Google a patient beyond mere curiosity, HIPAA would allow the search to take place because the revelation of a name is considered a 'minor' disclosure, and was incidental and as minimal as possible.

If HIPAA didn't have such exclusions, merely calling a patient by name in a crowded waiting room would be a violation.


> HIPAA rules specifically permit incidental disclosures that accompany a permitted purpose such as relating to safety, patient communication, or health treatment, including payment.

I think those really are very different cases. For example, telecommunication is protected by other laws. So, yes, a doctor may call you and even speak into their telephone about your medical information, thus effectively transmitting that information to their telco, but then, telecommunication providers are not allowed to listen to calls or use the contents for marketing purposes, or whatever.

> If your doctor has a reasonable reason to Google a patient beyond mere curiosity, HIPAA would allow the search to take place because the revelation of a name is considered a 'minor' disclosure, and was incidental and as minimal as possible.

First of all, it's not just the name being disclosed, it's the link to the doctor that's being disclosed. And the question is: Well, was it minimal? How do you determine that? And was it incidental? What are the criteria?

Imagine a doctor called everyone in their city, asking them if they knew anything about their patient. Not out of curiosity, but because they are trying to get a better understanding of the medical situation of their patient. They are only disclosing the name, so it's a minor disclosure, right? And also, it was just incidental, right? They didn't call to tell everyone who their patient is, they called in order to collect information they thought could help them!

Now, how exactly is that actually different from asking Google? The number of humans involved? What if you hired a detective to collect information on your patient? At least, you then could put confidentiality clauses into the contract, instead of giving the information to a company where your use of the service implies accepting some TOS that allow that company to essentially use the information to make money in any way they like!

> If HIPAA didn't have such exclusions, merely calling a patient by name in a crowded waiting room would be a violation.

Well, that doesn't seem like a particularly convincing argument to me. They are physically present and essentially identifiable to the other people in the room anyway, and essentially due to their own decision to go there. So, yeah, there probably is a need for exclusions that allow this, but that example doesn't really help with figuring out where the limits are or should be.


I would say it's a gray area.

HIPAA exceptions in recent years have focused on both identifying information and medical condition together.

For example, the NCIS exception allowing mental health staff to disclose to NCIS if an individual should not be permitted to own a firearm due to their mental state. That's a revelation of both the name and their medical information.

Or the finance exception, that allows payment processors to know the names of patients without requiring them to have a business agreement with the medical agency and subject themselves to HIPAA rules. They have no access to medical records and aren't sufficiently entangled with the medical practices so it's been ruled that they are exempt.

Or the media exception, in which you can disclose that a patient is in 'stable' or otherwise condition in the ER if a member of the media calls for them by name. In this case, the media already knew the name, and the disclosure is deemed for the public good.

Now.... sharing a name with Google to receive completely public information about a patient? That's not something that's specifically prohibited or denied. It could be argued that Google had a 'need to know' just to deliver the search result, and as others have argued, Google cannot connect an arbitrary name search to a patient's medical history.

If it were to come up, the deciding factor would be was the search for the patient's benefit? Name disclosures have historically been deemed to be minimal if there's no other information attached, and HIPAA provides wide latitude to doctors to use a patient's name in the ordinary course of business or to further treatment goals by contacting people or organizations not directly related to the patient.

> Well, that doesn't seem like a particularly convincing argument to me.

Keep in mind all of my examples are simply that... examples. They're not arguments into themselves.


When a person searches for another person's name, I don't think there's any way for Google to know what the connection is between those people.


Imagine you were a sort of "librarian of world-wide knowledge" that people would call to ask all kinds of questions they had. Imagine there were this one person who asked you a lot of questions about all kinds of mental health problems, and then also quite a lot of names of people, in particular during working hours. Are you telling me you wouldn't possibly get the idea from that that a significant proportion of those people would be their patients?

Or are you saying that as long as there is no absolute certainty, sharing of medical info is perfectly fine? So, there shouldn't really be a problem with a doctor publishing the medical file of a patient in the local newspaper ... after all, how should the reader be certain that it's not just a fake of someone the doctor doesn't even know?


I suppose they mean through search history and the fact that Google and other search engines would have access to that.


The question of "history" really is secondary here. What's forbidden is not that people you tell information about your patients write it down, what is forbidden is telling them in the first place.



