Why do shared hospital rooms not violate HIPAA? (law.stackexchange.com)
163 points by oatmeal1 on Aug 30, 2023 | 134 comments



It's easier to make sense of when you remember the original purpose of HIPAA, which was cost control and portability (that's what the 'p' stands for!).

The confidentiality rules in HIPAA are part of (IIRC, I think, etc?) the "Administrative Simplification" section, which was about standardizing electronic health care records and making them available to the government for combating Medicare fraud. The law wasn't a sweeping medical privacy bill; it added privacy rules to mitigate concerns people had about centralizing medical records as part of its major purpose.


Which sucks because there is tremendous value in anonymized collections of health records, yet we can’t use these health records for research at all. I realize it was out of scope for the bill, but damned if it didn’t stymie medical research to a ridiculous degree.


Anonymization is hard. Unless you have very accomplished cryptographers defining and implementing anonymization, I do not trust it. That basically means not trusting anyone but large governments and FAANG companies.

That said I do think agencies like NIST should define anonymization standards.


> Anonymization is hard. Unless you have very accomplished cryptographers defining and implementing anonymization, I do not trust it. That basically means not trusting anyone but large governments and FAANG companies.

Huh, that is a pretty solid point, so anonymization is useless to those who are the most interested in privacy?


no, it's useless to people with several distinct data points

turns out that in this regard, everyone is special


And medical issues are such that even fully anonymous you can probably identify who is whom.


Latanya Sweeney demonstrated how hard it is to anonymize health data back in the late 1990s as part of her dissertation work:

https://arstechnica.com/tech-policy/2009/09/your-secrets-liv...

"At the time GIC released the data, William Weld, then Governor of Massachusetts, assured the public that GIC had protected patient privacy by deleting identifiers. In response, then-graduate student Sweeney started hunting for the Governor’s hospital records in the GIC data. She knew that Governor Weld resided in Cambridge, Massachusetts, a city of 54,000 residents and seven ZIP codes. For twenty dollars, she purchased the complete voter rolls from the city of Cambridge, a database containing, among other things, the name, address, ZIP code, birth date, and sex of every voter. By combining this data with the GIC records, Sweeney found Governor Weld with ease. Only six people in Cambridge shared his birth date, only three of them men, and of them, only he lived in his ZIP code. In a theatrical flourish, Dr. Sweeney sent the Governor’s health records (which included diagnoses and prescriptions) to his office."

This same article also mentions one of her more famous findings too: "in 2000, she showed that 87 percent of all Americans could be uniquely identified using only three bits of information: ZIP code, birthdate, and sex."


Yep. I've used that example in presentations. If you really want to de-anonymize a medical record, it's pretty easy to do so on the basis of other data which is arguably public for good reasons (and/or as a matter of law).


Even if you remove all location and date information from a medical record, you can likely work out quite a bit of information (certain procedures occur at certain times, etc).

And at that point you’re starting to destroy the value of the data.


I’m sorry but I don’t buy that. From a practical standpoint, what am I going to do if you hand me a sex, birthdate and zip code and tell me to find who owns them? I would have to talk to every person in that zip code who matched the sex (have to account for the possibility two people have the same birthday). At that point, I’m getting better records pounding the streets than I am from some database.


Knowing gender cuts down your sample space by half.

Assuming you are looking at someone between the ages of 1-80, knowing birthdate further filters in just 1÷(80 * 365) of the sample space.

Since there are 42000 ZIP codes in the US, knowing the ZIP code lets you filter in just 1÷42000 of the sample space. Together, 1÷2 x 1÷(80*365) x 1÷42000 = 0.00000041%

With these three datapoints, you can identify roughly 1.3 US persons (assuming a US population of 330M). Not too bad, imho.


Only if age, birthdate, and zip codes are uniformly distributed among the population.

Which they aren’t. At all.


Here's what I found for birthdates - https://www.panix.com/~murphy/bday.html. The variation between dates doesn't seem all that bad. So, for all practical purposes, we can assume that births across dates are uniform.

Given this, the only real issue is ZIP codes. If we assume that we know nothing about how populations are distributed across ZIP codes, given just the gender and date of birth, we can narrow down the cohort to just 5650 US persons (330M x 1/2 x 1/(80x365)).

According to this link - https://www.johndcook.com/blog/2019/08/21/zip-code-populatio... - 80% of the US population lives in 27% of her ZIP codes.

Assuming your target individual is in the 80%, given the gender, birthdate, and ZIP code, you can narrow down to the following - 0.8x330M x 1/2 x 1/(80x365) x 1/(0.27x42000) = 0.4 US persons per ZIP code.

Basically, these three data points can almost certainly uniquely identify specific individuals - the only remaining thing is to connect a name/phone number to each individual.


Obviously the data is not really anonymized.

I'm just nitpicking the weirdly precise results of your Fermi math. It would be easier to grab this from the census data, right? 40 year old males with a given birthdate, no zip code, narrows to ~7,154.


A key insight from anonymization is that you need to consider how easy it is to join that dataset together with some other freely available or cheaply available datasets. GP said the person spent $20 buying voter information. A moderate to big company will even prevent employees from joining data sets from different departments of the company, as a matter of policy.
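The cohort-size arithmetic a few comments up and the voter-roll join in the Sweeney quote both reduce to one thing a data custodian can measure before releasing a dataset: how many records share each combination of quasi-identifiers. The Python below is an added example, not code from the thread or from any project it mentions. It audits a constructed ten-record release for k-anonymity under the raw (ZIP, birthdate, sex) triple and under a generalized view (3-digit ZIP, birth decade, sex), and carries the thread's uniform and dense-ZIP Fermi estimates as one parameterized function so the two assumptions can be compared. Every record, and all function names, are constructed for this example.

```python
"""
k-anonymity audit for a de-identified health release (added example).
Every record below is constructed for illustration; nothing is real data.
"""
from collections import Counter
from typing import Sequence, Tuple

Record = Tuple[str, str, str, str]  # (zip_code, date_of_birth, sex, diagnosis)

# Constructed sample release: direct identifiers removed, quasi-identifiers kept.
RELEASE: Sequence[Record] = [
    ("02138", "1945-07-31", "F", "hypertension"),
    ("02138", "1945-07-31", "F", "asthma"),
    ("02138", "1980-02-14", "F", "migraine"),
    ("02138", "1980-02-14", "F", "fracture"),
    ("02139", "1980-02-14", "F", "diabetes"),
    ("02139", "1962-11-05", "M", "asthma"),
    ("02140", "1962-11-05", "M", "hypertension"),
    ("02140", "1990-09-09", "F", "anxiety"),
    ("02139", "1995-03-03", "F", "asthma"),
    ("02141", "1948-01-20", "F", "fracture"),
]

# Quasi-identifier views: each maps a record to the value a joiner could match on.
RAW_QI = (
    lambda r: r[0],             # full 5-digit ZIP
    lambda r: r[1],             # full date of birth
    lambda r: r[2],             # sex
)
GENERALIZED_QI = (
    lambda r: r[0][:3],         # 3-digit ZIP prefix
    lambda r: r[1][:3] + "0s",  # decade of birth, e.g. "1980s"
    lambda r: r[2],             # sex
)


def equivalence_classes(rows, quasi_ids) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(f(r) for f in quasi_ids) for r in rows)


def k_anonymity(rows, quasi_ids) -> int:
    """Smallest class size k; k == 1 means at least one record is unique on the QIs."""
    return min(equivalence_classes(rows, quasi_ids).values())


def unique_fraction(rows, quasi_ids) -> float:
    """Share of records alone in their class, i.e. linkable by an exact join on the QIs."""
    classes = equivalence_classes(rows, quasi_ids)
    singletons = sum(size for size in classes.values() if size == 1)
    return singletons / len(rows)


def expected_cohort_size(population, age_span_years=80, zip_codes=42000,
                         population_share=1.0, zip_share=1.0) -> float:
    """Fermi estimate of how many people share one (sex, birthdate, ZIP) triple.

    Assumes two sexes, birthdates uniform over age_span_years, and that
    population_share of the population lives in zip_share of the ZIP codes
    (1.0 / 1.0 reproduces the uniform-ZIP assumption).
    """
    people = population * population_share
    cells = 2 * age_span_years * 365 * zip_codes * zip_share
    return people / cells


if __name__ == "__main__":
    for name, qi in (("raw", RAW_QI), ("generalized", GENERALIZED_QI)):
        print(f"{name:12s} k={k_anonymity(RELEASE, qi)} "
              f"unique={unique_fraction(RELEASE, qi):.0%}")
    print(f"uniform ZIPs:   {expected_cohort_size(330_000_000):.3f} people per triple")
    print(f"dense ZIPs:     {expected_cohort_size(330_000_000, population_share=0.8, zip_share=0.27):.3f} people per triple")
```

On the constructed release the raw triple gives k = 1 with 60% of records unique, while generalizing to ZIP prefix and birth decade gives k = 2 with no singletons; the same audit run on a real release tells you, before anyone else has to, which records a join against a public roll could pin down.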


> That basically means not trusting anyone but large governments and FAANG companies.

that basically means not trusting… anyone?


I worked with de-identification of records - it was not only difficult, but also rewarding. The records were used in research, tied to other biomedical data.

Some of it was simply migration of encounter data +/- a date range, with removal of the obvious stuff, too.

Others were cool, like NLP on doc notes to ensure stuff like “pt said the school shooting they got this wound from was..” (think: cohort sizes for major incidents are often small and therefore easy to re-id.)


This is just incorrect. I've collaborated in studies using anonymized MRI scans and health data.

You don't get a blank check, but there are plenty of studies doing exactly this.


Anonymised collections of health records are available to bona fide researchers.


The point is that "anonymized" data is frequently relatively straightforward to de-anonymize, at least on a statistical basis.


That doesn’t make what I said any less true. Anonymised datasets have been available to researchers for decades.


Retracted


The P in HIPAA stands for Portability, not Privacy. The primary purpose of HIPAA is not to prevent the sharing of confidential patient data, it is to ENABLE the sharing of confidential patient data with anyone who has the right to see it. The issue is the number of entities who claim that they have right to see the data, and the lack of a mechanism for the individual to prevent their information from being shared.

Should Facebook have a right to access your health data? Your opinion does not matter, they wanted it, and they got it. What about the US Department of Transportation? They maintain the right to access the electronic medical records of any person who falls under their regulation, such as pilots and truck drivers. They have been known to go on fishing expeditions trolling through medical records in search of violations. Search for Operation Safe Pilot. I know several people who have either avoided medical treatment because of this issue, or obtained treatment in a foreign country.


I work in healthcare; these views are my own, and IANAL.

> The P in HIPAA stands for Portability, not Privacy.

… sure, that P stands for that. But one of the key sections is literally called the Privacy Rule: "The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information"

> Should Facebook have a right to access your health data? Your opinion does not matter, they wanted it, and they got it.

No. Wantonly sharing PHI with Facebook would almost certainly be a violation of HIPAA … and literally, it's already happened, this year even[1]: "The office warned that entities covered by HIPAA aren’t allowed to wantonly disclose HIPAA-protected data to vendors or use tracking technology" ("Vendors" here included Facebook and the like.) ¹

Now, HIPAA only applies to covered entities. In the context of the OP however, a hospital is a covered entity. Whether eavesdropping is permissible is a good question.

[1]: https://www.politico.com/news/2023/04/17/health-industry-dat...

¹I think regulatory agencies across the board have been giving pittances for fines, and these are no exception. There's a real question as to whether enforcement is actually meaningful, but that's a separate question from whether there is a right.


It's only "key" in the sense that it's the part technologists and people building PHI-encumbered products have to care about. It's not a key section in the bill itself; in fact, I don't even think it's a key part of the section of the bill it's in (which, I think, is about Medicare fraud).


Okay … sure. "Key" if you're like me, and working in healthtech, I suppose, as it's one of the sections they repeatedly try to cram into your head in the mandatory training sessions. (…and for good reason.) In the intersection of Facebook and PHI.


Let's put it this way: something being a key part of a particular solution implementation, does not necessarily imply that it was a key part of the solution's design; nor that it was a key part of the problem domain.

Compare/contrast: there's one ability a Pokemon can have, that just by existing, means that the games' battle-system logic has to be re-entrant, because the ability evaluates a hypothetical battle "within" the current battle in order to determine what it does. Insofar as you're being asked to code the Pokemon battle system, the existence of that ability is very important to you; but it's nevertheless not a key aspect of the game's design — the game would be the same game without it. :)


Y'all are nitpicking a single word in my comment whose removal doesn't affect the comment in any way. Key to the point, key in this circumstance, etc.


I understand what you mean. And for technologists, it's more than "key", it's like, the only thing in HIPAA. My point is just, however important that section is to us, it's not remotely the point of HIPAA itself; it's not even really the point of the confidentiality rulemaking.


> They have been known to go on fishing expeditions trolling through medical records in search of violations. Search for Operation Safe Pilot. I know several people who have either avoided medical treatment because of this issue, or obtained treatment in a foreign country.

I searched for Operation Safe Pilot, and it looks like they matched up aviation medical clearances with social security disability claims, not with general medical records. If you're claiming for a disability, there's something seriously wrong and you shouldn't be flying, or you're lying about the disability and committing social security fraud. Am I missing anything?


Car dealership customers are always worried about their data. And rightfully so.

The typical car salesman has 15 credit applications in his desk, 5 in his car in some folders he forgot about, 1 in the trash can he accidentally crinkled up instead of putting in the shred box. The manager's office is even worse. The finance guy's office is even worse. The 'business office' is half decent because the GM/owner is up there often.

On a side note, my friend subleased an office from a medical nurse temp agency/employment agency.

When he arrived (I helped him move in), there were thousands of unsecured files with people's socials and all info needed to get a job in file cabinets.

The office had cleaning service every night from a random cleaning company.


Speaking of that, hospitals still use tons of POCSAG (pagers) and splatter medical everything over those. 'Course it's illegal to listen due to a bullshit 1987 law... but trivial to do so with an RTL-SDR.

One idea my nefarious side had was to get the med records of individuals and get the address's house cost, and send scary calls/texts/messages shaking relatives down with scare-calls. (Or, get the info and get in league with overseas scammers who masquerade as the hospital, and take a cut from that. Would be relatively risk free.)

Obviously I wouldn't do that. But it would be trivial to do.

(Long story short, pager infrastructure needs to be destroyed.)


I've had a career in hospital IT and operations. The challenge is finding a replacement that is as reliable and accessible as a pager. The replacement communications products out there have some nice features (managing on-call scheduling, interfacing with electronic health records, etc), but it only takes a handful of outages to get everyone to switch back to pagers "just in case."


Well, I was being rather absolutist when I said to destroy pager infra.

It should be messages like "Code red to room xyz with patientID #####"

That would remove anything really actionable.

Whereas I was seeing over FLEX: full name, address, room#, child abuser status, why they're there, medicines. It was fucking stupid, like fuck no.


I'm sure Oracle née Cerner would develop Pager Millennium if you asked nicely enough.


Similarly, it really irks me how little privacy there is at the chemist/pharmacist/drugstore (listing all synonyms for an international audience).

If I have any questions, they're at the counter with 20 other patrons hearing everything about my medication. Then I take my medication to a separate counter for payment, which is staffed, usually, by a teenager working part-time. Great, now they know what medication I'm on.

Imagine if I were picking up medication for a teenage son or daughter, and the teenager at the counter went to school with them?


At my local Walgreens they're pretty strict about this - they make people stand about 10ft back from the window while waiting. I have seen them ask people to move back if they start encroaching.


My friend spent the night in the hospital recently, for observation.

She didn't sleep a wink. With all the beeping and alarms and periodic checks and procedures. Mostly involving her roommate.

The next morning she was mentally and physically wrecked. The first thing she told the nurse was, "I want to go home so I can get some sleep."

The nurse laughs and replies, "I hear that all the time. Nobody ever sleeps here".

Now that's messed up. Sleep is the great healer. No sleep is the great destroyer. Is this intentional or institutional insanity or what?

I mean why don't they just put strychnine in the water supply while they're at it?


I was in the hospital for about two weeks at the beginning of 2022. It was awful. The nurse would come in for evening meds and checks around 10-11 PM. When I was lucky enough to have neighbors who weren't trying to die all night it was usually relatively quiet from midnight to 4 AM. Then things would start to pick up. Phlebotomists making rounds to draw blood before 5 AM. Morning meds between 5-6 AM. Nursing shift change at 7 AM. Doctors doing rounds mid morning. Breakfast mixed in there somewhere. Of course I couldn't actually _do_ anything all day except try to read or play around on my phone, so I spent a lot of time dozing.

I wasn't so lucky for the first week of my stay. I was on IV meds that pushed my BP up significantly, to the point where every time the automatic hourly BP reading was taken it would set off alarms. During the day the charge nurse would usually silence the alarm (from the nursing station) immediately but at night they were understaffed (this was during a covid wave) and the nursing station often wasn't manned. So sometimes the alarm would sound for 20+ minutes. Every hour... all night... Eventually I found a sympathetic nurse who actually knew how to adjust the settings on the machine and disabled the alarm entirely.

At least I didn't have to share a room. That would have been misery.


An overnight stay is for observation, not comfort. The hospital wants to gather as many metrics as possible to keep you alive, respond ASAP to issues and be able to discharge you to free up room for other sick patients, not give you a hotel bed.


Go to the hospital healthy, come out sick.

I don't have a medical degree or anything but that's crazy.

(Also, the nurse said nobody sleeps here. Not just the people under observation.)


> Go to the hospital healthy, come out sick.

This isn't what's happening. Being sleep deprived for a day is annoying, but hardly a health issue. I bet most people would rather have doctors respond to your blood O2 levels suddenly dropping to under 90% than not.

> (Also, the nurse said nobody sleeps here. Not just the people under observation.)

Yes, nobody sleeps because nurses and doctors are all working >14 hour shifts with on-call rotations trying to keep people ALIVE. I have many medical professionals in my family, all of them are rest deprived, trying to keep track of the myriad of patients all demanding personal constant attention.


> I have many medical professionals in my family, all of them are rest deprived, trying to keep track of the myriad of patients all demanding personal constant attention.

That is not exactly a defense of the medical system. If it keeps workers sleep deprived they will make mistakes. This just means the system itself sux.


Actually, sleep deprivation, even for one night, is definitely a health issue. And the only reason it's accepted is because it's so common. It's the modern equivalent of drinking out of lead cups.

(And of course a sleep-deprived medical professional is a health hazard to everybody involved. Only a fool thinks otherwise.)


Sleep deprivation is not as dangerous as dying from an acute condition. If you're in the hospital for one night, you're being treated by doctors who want to make sure you're not going to die for the night. If you get admitted for a longer period, it's a different environment altogether. At least this has been my experience.

You get used to the beeping after one night anyway. If not, you can ask the nurse for earplugs or even sleeping pills (although sleeping pills are harder to get).


Then leave. They're not forcing you to stay. Generally no one puts you on observation unless you need it, and by "need it", it means "needs to be disturbed to take tests"

If you think sleep is a higher health factor than the reasons that the hospital want to put you under observation, then just refuse treatment.

If you don't want to be disturbed by patients in the same room, you can pay for that.


Why are you staying overnight in a hospital if you're healthy? The few times I've stayed overnight in a hospital, it was for surgical recovery and I definitely slept. I was on so many painkillers, I barely remember the experience. My wife did a four-day stint in the ICU when her liver failed years back, and from what I remember, she was barely conscious the first few days. I don't know if I'd call either of those experiences comfortable, but she's alive and I now have a working spine, and neither of those would have been true otherwise. So thanks hospitals.


Ricky Gervais had a line that stuck with me back on the podcast with Steve Merchant and Karl Pilkington - "How do people sleep in hospital? They'll wake you up to give a sleeping pill"


The beeping and alarms and periodic checks and procedures are there to prevent worse things than a night's worth of lost sleep.


Yeah I get the obvious theory. But it's like putting a tourniquet around your neck to stop a nosebleed.


No, it's not. One bad night of sleep won't kill you. You are more than welcome to reject an overnight stay.


Likewise, hospitals serve food portioned nutritionally for a healthy adult when people who are sick or healing from injury may very well need more calories and protein to fuel their bodies' healing.


The last time I was in the hospital (2022) the portions weren't terrible, the main problem was that the food was so damned bland. The first few days it doesn't seem like it's that bad, but by the time you've been eating it a week you just lose your appetite because the food is so unappealing. Not to mention that if you have a test or procedure at the wrong time and miss placing your order (IIRC they stopped taking orders at like 4 PM) you're going to get whatever the cafeteria feels like sending you and it will have been sitting at the nurses station for hours. Yummy.


From the HHS.gov website:

The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 CFR 164.502(a)(1)(iii). An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule.



I mean, they usually have a little curtain - I suppose that counts as reasonable.


How does HIPAA compare to FERPA?

My understanding is that FERPA is similar to HIPAA, except for college scores and enrollment information instead of medical records.

But there’s a rule in FERPA where you explicitly can’t leave a stack of exams and let students pick them, because it exposes students to others’ scores. Another rule is that you can’t associate a student's exam with their student ID even if it’s a sequence of numbers, because the id is public information, but you wouldn’t expect someone to remember someone else’s id.

(I specifically remember some professors not following the exam rule, probably because they didn’t know or perhaps it didn’t exist yet. I don’t know if anything happened to them but I suspect if anything, they were simply asked to not do that in the future.)


> because the id is public information, but you wouldn’t expect someone to remember someone else’s id.

In my college people definitely remembered other people's IDs, since all you needed to badge into any door they had access to was to write their ID and a 00+(number of replacement badges) to the data track on a swipe card. This gave access to even dorms. This even worked for faculty or Deans who had full access to all academic and athletic facilities.

Clearly nobody would ever know anybody else's public ID, because that would take just going into a study session and looking at the sign in sheet of hundreds of them sitting in the back of the classroom. Or looking at the log of swipes of an event that a dean attended.


I recently learnt on HN that some countries don't publish grades to ALL students at once and still can't think why. It's such an amazing gift to be able to see how much everyone got and the academic competition in its most pure form, while removing some awkwardness of getting results of your work (good or bad) early in your life.

People are too focused on hiding results because someone might feel bad.


While things like FERPA broadly protect most student information in the US, it doesn't exist so that people don't feel bad about their test scores. It limits schools and their staff to using student data for legitimate academic purposes and prohibits other uses that could be bad. That data goes beyond just test scores and could be things related to the student's health, social life, behavior, etc. This kind of data doesn't need to be shared with anyone that doesn't need to know it.


Most classes publish grade distributions, so you know if you were in the top or bottom 10%. Or at least the mean, median, highest, and lowest.

But you don’t get the grades of individuals.


> you explicitly can’t leave a stack of exams and let students pick them, because it exposes students to others’ scores. Another rule is that you can’t associate a students exam with their student ID

As a comparison, at my Uni in the 1970s individual grades were posted along with corresponding social security numbers.


Why do the paper thin walls between exam rooms at my doctor's office that allow me to hear entire conversations while I am waiting (and waiting) not violate HIPAA?


Reasonable precautions. I've been top IT management in healthcare for 8 years, I'm very well versed with this concept. HIPAA isn't "PHI is Eyes Only Secret!" it's "you have to take reasonable precautions to safeguard data from bad actors." I have a wall between the rooms, each room has doors, and when the doc is talking with you, you can't hear a lot from the next room over. We don't have to make walls soundproof and doors sealing airlocks.


Clinics that deal with the most sensitive medical needs tend to be more careful. HIV testing, reproductive health, psychiatry, hospice.


You missed one of the biggest, one so important it has its own, separate, overriding privacy law: Substance use disorders. (Though perhaps you can argue it’s in psychiatry!)

Addiction treatment falls under 42 CFR II, colloquially known as “part 2”[0]

Part 2 data is significantly more encumbered than other medical data. If I want to get it I need to be explicitly allowed as a named entity by the patient to receive it. If the data is shared with me under a “general designation”, whoever gave it to me has to record that and tell the patient on request. And I have no TPO carve outs, I have to get explicit consent to pass it along.

It is, often times, treated as radioactive data - my company deals in medical data but explicitly says in our contracts that we refuse any receipt of it.

0: https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A...


[flagged]


Posting like this will get you banned again. No more of it please, regardless of how right you are or feel you are.

https://news.ycombinator.com/newsguidelines.html


This was not a productive, nor necessary comment. Please retract it and take it elsewhere. It has no place on HN.


[flagged]


I did use it.

From the HN Guidelines:

“Please don't use Hacker News for political or ideological battle. That tramples curiosity.”

You indeed have the right to your opinions. That does not mean that HN must accept and provide a venue for them.

Good luck to you.


Once, and never again, I declared my desire to a front-desk nurse that I wished to record my session in an Urgent Care facility.

She said no, that is prohibited, because it is a HIPAA violation. She was clearly smoking crack.

Now I simply record surreptitiously.


A healthcare facility knowingly permitting recording on-premises may indeed be a HIPAA violation.


78% false. Please do not discourage patients from exercising our rights and accessing our own PHI, like this crack-smoking nurse did to me.

https://www.aetnainternational.com/en/about-us/explore/healt...

https://www.alight.com/blog/can-patients-record-doctors-offi...

https://www.verywellhealth.com/secretly-recording-your-docto...

You've got to understand: clinic visits are very stressful, time-limited, and high-pressure. Doctors don't write anything down, but it's crucial that the patient remembered everything that was said, with high accuracy and confidence. Audio recording is our best tool to these ends.

I'm glad I don't live in California!


The problem isn't your PHI, nor is it a legal problem for you. The problem is them knowingly permitting you to record in a situation where you may capture someone else's PHI. (As in the "shared hospital rooms" example we're in a discussion thread of.)

You've also mixed up what's legal for you to do (record, in a single-party state) and what's legal for them to permit by policy (knowingly agreeing to recording). You won't get arrested in a single-party state for recording; it can still violate the clinic's policy, and they can make the decision not to continue doing business with you after.

No one's going to stop you from writing down a note, though. Thinking "doctors don't write anything down" is universal may indicate you need a better one; mine definitely does, and I get sent the summary shortly after my visits.


What is the moral difference between me hearing someone's PHI, and writing it down in a note, and my phone hearing it? Let's stipulate that all smartphones are always and everywhere listening to everything, and sending it to someone; it may as well be me.


> What is the moral difference between me hearing someone's PHI, and my phone hearing it?

In a court, hearsay is inadmissible; a recording (critically different than mere hearing) is far more likely to be admissible. That's for a good reason. (HIPAA compliance is also not a strictly moral question, but a legal one.)

> Let's stipulate that all smartphones are always and everywhere listening to everything, and sending it to someone...

Even if you're using something like "hey Siri" or "OK Google", that's not how they work.


Your argument is also misleading.

HIPAA is a baseline rule set. Providers are free to set more restrictive rules than what HIPAA defines. They often do so they have buffer room between their rules and HIPAA violations.

Further, HIPAA is not the only rule governing your and your provider's interactions. A private institution is free to set its own rules (within its legal obligations) and can have you leave if you don’t follow them.


my favourite part of the "reasonable precautions" explanation is the possibility that if you are a known PHI leaker, the hospital might have to segregate you - (or even be able to refuse treatment)

weird


One of the interesting rules of HIPAA is that if it starts analog, it doesn't have to conform to encryption technologies, i.e. phone calls and fax machines don't require the complexities that a digital system, like an electronic medical record, requires.

When HIPAA was created, a large impetus was getting large health systems onto electronic records. Portability and accountability reigned high. And there's a lot of information and misinformation about this.

Attorney general letters help clarify a lot of it.

But sharing a hospital room doesn't violate anything related to HIPAA because that isn't what the law protects.


The second comment feels closer to the mark. While post-hoc justifications could be made as to why a rule at least in spirit seemingly about patient privacy ignores an obvious and glaring privacy flaw, if the parties involved could be so honest, the real-world answer why it’s allowed would probably be

> “It would be extraordinarily inconvenient and expensive for it to work otherwise.”

Sprinkle on a little bureaucrat-ese and post-hoc justification and you get the “clarified guidance” the primary comment calls out.


It's about the confidentiality of electronic medical records, not about patient privacy.


If we’re discussing

> What is the motivation behind keeping medical records confidential, why do we actually care?

A respect for the patient’s privacy is likely going to be one of the driving reasons, if not the primary reason itself.


No, that's not the actual reason! The reason the rule exists is because, when HIPAA was passed, electronic patient health records were a new thing, and they were desired both for cost savings (electronic records as a way to drive administration costs down were a huge thing in the 1990s) and so the USG could combat Medicare fraud. The confidentiality rule was designed to ease the acceptance of electronic records; that's all. That's why the rule refers to e-PHI.


You’re correct regarding historical procedure, but with regards to the privacy rule, which was added shortly after its creation and at least online is much of why the act is known and discussed today, the rule exists to, quoting the government’s description,

> The Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization.

We allow a major hole here in that protected health information by willfully careful readings of “appropriate safeguards” and “limits and conditions”, essentially because doing otherwise would be a nightmarish expense and pain.


HHS was authorized by statute to make a specific set of rules to address a specific issue. When we refer to "The Rule", we're referring to HHS's rulemaking process, which is governed by the statute, which spells out what the rule is about.


The house (insurance companies) always wins


Because by walking into the hospital, you already gave away the info to any bystander. And all variations thereof.


If you're coming in for a disembowelment, sure, but even then you're only really revealing the condition; your name, history, insurance details etc. are still private information. (The hospital would also still be forbidden from, say, publishing "amelius came in today with a minor disembowelment" without your permission, no matter how public it was in the waiting room.)


In the waiting room they usually don't shout out "Geoff, who's here for the cock wart, the doctor will see you now"... they just say "Geoff, the doctor will see you now."

Btw, my name's not Geoff.

(Just to be a bit more plain.)


The top comment here is very reasonable, but I still think the application of HIPAA has been a giant mess, reflecting a disdain toward patients similar to everything else in the US healthcare system.

I've ranted on here plenty about how often I've dealt with incorrect bills, and HIPAA plays into that as well. My private information can be shared to "traveling doctors", it can be shared with woefully incompetent contractors who handle billing (or, pretend to), and I received a notice last year that my information had been involved in a data breach and I'm not expecting any compensation. When I had to get a very private and sensitive part of my body imaged, they'll gladly announce to the waiting room my name and what procedure I'm there for, even though it's a rather private and sensitive part of my body - very similar to the shared room concern. I don't care that the people in that room aren't likely to misuse my healthcare information, I don't want them knowing where I found a lump anyway.

And yet HIPAA is often cited to me over the phone as the reason why we can't seem to get incorrect bills figured out for my dependents. It doesn't seem to me that HIPAA actually does much to protect my privacy, but it sure gets used to obfuscate things when there's a problem.


I once went to the dermatologist, the doctor left the room briefly and had the computer screen open with everyone’s full name and reason for the visit that day…could see who was there for genital warts, Botox, etc. I don’t think anyone should expect that their health info remains private at any point


What your doctor did is actually a HIPAA violation. He's a covered entity and securing computer screens is a standard precaution for such.

In reality, a lot of doctor's offices are not well versed in HIPAA because many are de facto small businesses. Large hospitals and insurance companies generally have better knowledge of HIPAA and HIPAA compliance.


I just wish we would all stop pretending that everyone's medical info is protected when it clearly isn't...so now we have the worst of both worlds. All the red tape of HIPAA compliance with no actual privacy anyway. And it's plenty of red tape. I have to now find a FAX machine to send test results to a doctor, because according to him that's the only HIPAA compliant method that he accepts, but the sending doctor doesn't have a fax machine.


When I was in my teens, I chose to go on birth control pills when I became sexually active. Years later, I learned that the pharmacist was a friend of my mother's and told my mother I was on the pill.

Fortunately, my mother bit her tongue and said nothing to me until years later and just was glad I was not being stupid and would not end up pregnant out of wedlock. It could have gone really bad places for me if my mother were inclined to be abusive about it.

These days, a pharmacist is more likely to think twice before sharing that kind of info because it's illegal to do so and it could come back to bite them big time.

HIPAA also helps protect people from discrimination who have medical issues like STDs -- which aren't always sexually transmitted or may be transmitted because someone was assaulted, but some people will just be judgy and not give you the benefit of the doubt and it's a nightmare to have to defend your virtue and tell random strangers "I'm not a whore. I don't sleep around casually. I was raped at gun point." or some such.

Sorry it's such a pain in the ass for you. It's something that helps prevent casually ruinous oversharing for some people.


two seconds to clear the screen. a few dollars for a privacy shield.

your doctor was more than a little careless and, knowingly or not, relied on you to not cross any lines.

if that’s not concerning to you, fantastic… but for some reason you didn’t name the doctor, perhaps because you know others disagree. nor did you name the patients.

huh.

guess your doctor made a safe assumption about you. who else saw the warts list that day?


Had an emergency room visit for a somewhat bloody mishap with my son (he's ok.) The resident texted the on call surgeon pictures of the problem from his personal phone to determine if the surgeon should come in for a surgery. The pictures I saw on his phone of other patients as he set up the text were a hellscape of blood and gore!


Agreed, the individual records are not specifically secret. The regulations are to prevent unauthorized disclosure and misuse.

Unfortunately that leaves a lot of leeway. The major EMR vendors are all aggregating patient data in cloud services and taking it across borders to where there is no transparency for what is being done with it. The regulations were written with a 90's understanding of technology.

A more appropriate regulation today would be to create a category of legally privileged PHI that is strictly inadmissable in legal proceedings and with heavy fines for unauthorized use and disclosure. However, I don't see privacy legislation getting any better as the people inside govt and academia absolutely hate privacy as a concept because they are the specific targets of limiting their discretion about whose data they can snoop. We're in an era of institutional capture by people without ideals or principles, and it's probably unwise to expect altruistic public interest policy like 90's-style privacy legislation from any of them anytime soon.


In the medical field, the academics who "snoop" your data are doing so to conduct analyses and build models to improve your care.


Ask them how they feel about having their names and the names of the people they hire attached to queries of PHI in aggregated health information repositories, and whether those people have had the level of background checks that public service staff who typically do this have had. Then ask them whether they will bear any accountability for losing the data they are entrusted with, have their REB decisions subject to freedom of information, or be subject to consent directives by patients, and why they engage big-N consulting firms to misrepresent system design on their behalf. Then ask them whether the research is restricted to clinical and biological research, or if their "research" includes providing data to people in the social sciences.

Technically, they are building models to publish or perish, establish data fiefs in their institutions for attracting grant money, and to support policy objectives for the revolving door between gov and academia and some troubling third party NGOs, with "care" being a distant abstraction.

The academics I encountered doing privacy work for PHI data sets seemed to be interested in everything except responsibility and stewardship. My care indeed.


> And yet HIPAA is often cited to me over the phone as the reason why we can't seem to get incorrect bills figured out for my dependents.

That's actually a great reason to refrain from discussing someone else's medical data with you. That it is inconvenient for you is certainly bad, but that is a non sequitur.

> It doesn't seem to me that HIPAA actually does much to protect my privacy, but it sure gets used to obfuscate things when there's a problem.

If we allowed Bill Handler, Inc. try their hand at securely implementing "for the purposes of this call, pretend I'm someone else," you're going to have TWO_PROBLEMS * NO_OF_DEPENDENTS


HIPAA is sort of a joke to me. My perspective being that of a patient. Any doctor's office just blindly asks you sign a HIPAA authorization release form. Most patients don't realize that you have a choice to "opt out" and not sign it. But even then it doesn't matter because under HIPAA the provider may still choose to share your personal information for their own reasons.

Sure, I am doing a lot of "hand waving"- I'm not an expert on the law. I'm merely sharing my perspective on this. Would love to understand more about this specific authorization...


> Any doctor's office just blindly asks you sign a HIPAA authorization release form.

I've never been asked to waive my rights. I have been asked to sign that I received their notice of privacy practices. (Almost always having not been actually given any to read, which is fairly infuriating.)

> But even then it doesn't matter because under HIPAA the provider may still choose to share your personal information for their own reasons.

Only in certain specific situations.


> Any doctor's office just blindly asks you sign a HIPAA authorization release form.

You are incorrect. You are being asked to acknowledge that you received a copy of their privacy policies. You can decline and it doesn't change very much (if anything), because they will still document that they informed you of them... which they did.

It's understandable that people don't read what they're signing; I often don't have time, either. But you are posting about that form having not paid much attention to it, which is less common, in my experience.


Any HIPAA authorization form I have signed has had me spell out who is allowed to have access to my records, like my wife or another Doctor’s office. Did you read what you signed?


HIPAA was never meant to prevent direct communication between clinicians regarding a shared patient's healthcare needs and issues in order to provide the best and safest care possible.


I have a domain name that's similar to a medical facility. Sensitive medical data gets emailed to the wrong recipient all the time and it's usually operator error.


I used to work for a company which made EHR systems, and there was one product which distributed client software updates via email. As in, they would attach an *.msi file and send it.

It was a weird conversation, where we both ended up looking at each other like the other one was a total moron.


My name and domain is similar to a huge transportation company so I frequently get quotes for big jobs, plus times and dates for large truck shipments.


This might be advantageous if you are also receiving inventory for these shipments if you're the type to make that information available to interested parties


Ditto, only my domain is unfortunately similar to a major (non-US) airline.

The tarmac reports can be oddly entertaining sometimes. I still wonder how an alcohol bottle became embedded in a runway a few years back.


This is why "code is law" as a crypto meme was a little silly. Law is often intentionally flexible!


I think you can drop the "often". Law must almost by definition be flexible because there are so many things in life that aren't as simple as 'yes' or 'no'.


I'd actually come to the opposite conclusion here. Unless you think this violation of privacy is OK?


I think this violation of privacy strikes the correct balance. Hospitals (especially ERs) are already quite full on a regular basis; making every room private would do substantial physical harm to many patients who'd wait much longer for treatment or have to forgo it entirely.

(Perfect privacy would also require soundproofed rooms for phone calls, mantrap doors for patient rooms so you can't get an inadvertent peek while walking by, and probably dozens of other expensively impractical mitigations.)

HIPAA requires "reasonable safeguards" to permit this sort of balance to be struck.


Just make all rooms private and build more rooms or hospitals. It's not rocket science.

Relative to the already absurdly high health care costs, the construction costs should be pretty small.


> build more rooms or hospitals. It's not rocket science

The hospitals near me have been expanding as fast as they can. Absolutely constant large-scale construction. It's not rocket science, but it's not a Thanos finger snap either.


Meh, just one more if() needs to be added :)


Because that would be unreasonable and impractical.

Next question please.


Because that would be expensive.


It is legal because you are agreeing to it. Otherwise get up and leave.


You can't agree to OSHA violations, or to a sub-minimum wage. A hospital conditioning treatment on a HIPAA waiver having been signed will quickly find itself the subject of regulatory scrutiny.

I went to war with a doctors' office that claimed their non-compete clause meant I couldn't transfer my medical records to a doctor who'd left the practice I wanted to follow.


A paper that says "I agree to a sub minimum wage" is illegal.

One that says "I agree to share my medical info with XYZ" is not. Every hospital already makes you sign this when you are admitted, otherwise they wouldn't be able to function.


Such a voluntary waiver is legal, yes.

Refusing to treat you if you want to keep your rights, less so.

The thing they have you sign is an agreement that you received a notice of their privacy practices (laying out your HIPAA rights). It isn’t a waiver.

Hospitals don’t need a waiver to operate. HIPAA already permits them to share internally, with billers, etc.


In the context of hospitals waivers are not that voluntary, at least in the US and Canada, since doctors and nurses can't be forced to treat people if they really don't want to.

And there is a decent chance in many hospitals that they will at least drag their feet, since they would be exposed to much greater liability.

I know this situation specifically is not quite a waiver, but it will likely have some effect on hospital staff's attitudes.


Hospitals are under zero potential HIPAA liability for sharing information internally for the purposes of providing care. It's expressly permitted by the law, without any authorization required.

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg...

> Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.

The thing you sign all the time is acknowledging receipt of the provider's privacy practices. It's an entirely different thing; it is by no means a waiver of any rights. https://www.hhs.gov/hipaa/for-professionals/faq/notice-of-pr...

> Yes. The HIPAA Privacy Rule requires that a covered health care provider with a direct treatment relationship with individuals make a good faith effort to obtain written acknowledgments from those individuals that they have received the provider’s notice, regardless of whether the provider also chooses to obtain the individuals’ consent.

You can refuse to sign that. They'll document the refusal, which changes nothing. It's like your Miranda rights when you get arrested; they tried to inform you of your rights under HIPAA. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance...


I meant it in a more prosaic sense, for example the receptionist could put those who refuse in the bucket of 'potentially troublesome patients'. And receptionists talk a lot with other staff.

Or various other scenarios.


That a doctors office can have a non-compete boggles the mind


I assume the non-compete agreement was between the doctor and the practice, which seems somewhat reasonable.


Yes. They took the position that their non-compete (and our general "we agree to clinic practices") with their doc took precedence over our HIPAA rights, which NY... disabused them of.


Because health privacy is not ALWAYS HIPAA. In fact, it's almost never HIPAA... except for the fact that some Karen's learned the term HIPAA and now they think it's always HIPAA [1].

Unless it's digital health record-related, then it's probably HIPAA.

If you're really curious, you can read HIPAA [2] and HITECH [3]. Combined, they are about 600 pages of dense dense legalese.

[1] https://www.hipaajournal.com/is-it-a-hipaa-violation-to-ask-... [2] https://www.govinfo.gov/content/pkg/PLAW-104publ191/pdf/PLAW... [3] https://www.govinfo.gov/content/pkg/PLAW-111publ5/pdf/PLAW-1...


> some Karen's

As an aside: I wish this meme would die.

> For the same reason, the Karen meme divides white women themselves. On one side are those who register its sexist uses, who feel the familiar tang of misogyny. Women are too loud, too demanding, too entitled. Others push aside those echoes, reasoning that if Black women want a word to describe their experience of racism, they should be allowed to have it. Hanging over white women’s decision on which way to jump is a classic finger trap, familiar to anyone who has confronted a sexist joke, only to be told that they don’t have a sense of humor. What is more Karen than complaining about being called “Karen”? There is a strong incentive to be cool about other women being Karened, lest you be Karened yourself.

https://www.theatlantic.com/international/archive/2020/08/ka...


From https://www.hipaajournal.com/what-does-hipaa-cover/

> The HIPAA Privacy Rule applies to all forms of health information, including paper records, films, and electronic health information – even spoken information.

HIPAA is not as limited as you state.


but it only applies to covered entities and business associates.


True. That covers the hospital rooms in this article. It doesn’t mean that your barber can’t ask to see your vaccination card.


One of the easiest questions to ask of someone who shouts “HIPPO violation!” is “covered entity or business associate?”

“Yes, Dunkin Donuts can give you a free donut if you show your Covid vaccination card. No, the donut shop is not a covered entity or a business associate, so they aren’t bound by HARPO.”

