
Doesn't telling us the patient's name violate HIPAA in itself?



Good question. I recall having done a Google search and noting that there were not an insignificant number of people with the last name Null in the US, so I wasn't too concerned about posting this. Probably a HIPAA violation, but not a major one.


Methinks the "Bobby" part is fictional. Probably a reference to Bobby Tables.


I wasn't that clever.


You lose plausible deniability by admitting that.


Clearly the patient was an xkcd fan :-)


In this case, probably yes. Might want to remove the post, it's a fairly major violation.

Often, names alone wouldn't necessarily constitute a violation as names are generally not sufficient to count as personally identifiable information... but a name like 'Bobby Null' is, I think, quite unique.

When I was being trained on HIPAA compliance I was told that sole first names are generally perfectly fine, and sole last names can often be fine but should be avoided for very common names. But I should also say that I am not an expert on HIPAA compliance.


I don't know the ins and outs of HIPAA, largely because I don't have to deal with them at all, but I don't see how this should be a violation. That's not to say that it's not, but rather that it seems like an odd rule.

All the post tells us is that a person named "Bobby Null" exists and has medical records, as do most people. It doesn't say anything about this person's medical issues/history at all.

I could learn more about someone by sitting a touch too close to the reception area at a doctor's office.


Also not an expert, but I agree. The violation is only if there is PHI - personal health information released. Stating that John Doe was present at X Clinic is a problem; stating that he exists is not.


Having a record implies that you were present at X Clinic. If it's a specialist clinic, then confirming the existence of a patient record could allow someone to infer the condition or a range of conditions. Most clinics won't confirm or deny that a patient is there (or has records) without a release. In this case, though, we don't know where the record was stored.


Good point. My training said no full names, but that was because we were directly associated with a specific product/analysis, so any full names would associate the patient with a particular health... thing.

A name by itself, you are quite right, is not PHI. Thanks for the reminder!


For very _common_ or very _uncommon_?


According to howmanyofme.com there are 9 Bobby Nulls in the U.S.



