It's easier to make sense of when you remember the original purpose of HIPAA, which was cost control and portability (that's what the 'p' stands for!).
The confidentiality rules in HIPAA are part of (IIRC, I think, etc?) the "Administrative Simplification" section, which was about standardizing electronic health care records and making them available to the government for combating Medicare fraud. The law wasn't a sweeping medical privacy bill; it added privacy rules to mitigate concerns people had about centralizing medical records as part of its major purpose.
Which sucks because there is tremendous value in anonymized collections of health records, yet we can’t use these health records for research at all. I realize it was out of scope for the bill, but damned if it didn’t stymie medical research to a ridiculous degree.
Anonymization is hard. Unless you have very accomplished cryptographers defining and implementing anonymization, I do not trust it. That basically means not trusting anyone but large governments and FAANG companies.
That said I do think agencies like NIST should define anonymization standards.
I worked with de-identification of records - it was not only difficult, but also rewarding. The records were used in research, tied to other biomedical data.
Some of it was simply migration of encounter data +/- a date range, with removal of the obvious stuff, too.
Other was cool like NLP on doc notes to ensure stuff like “pt said the school shooting they got this wound from was..” (think: cohort sizes for major incidents are often small and therefore easy to re-id.)
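As an added illustration of the de-identification steps this commenter describes (not the commenter's own code, and not any real pipeline), here is a small Python example: per-patient date shifting that keeps lengths of stay intact, keyed pseudonyms instead of MRNs, regex scrubbing of the "obvious stuff" in free-text notes, and a small-cohort check of the kind the school-shooting remark is about. The records, the `SECRET` key, the regex list and the `k=2` cohort threshold are all constructed for the example; a real deployment replaces the regexes with a trained clinical NLP de-id model and keeps the key with an honest broker, never with the research copy.

```python
import hashlib
import hmac
import re
from collections import Counter
from datetime import date, timedelta

# Constructed sample encounter records; none of these are real people.
RECORDS = [
    {"mrn": "MRN-1001", "name": "Jane Roe", "zip": "02139", "dob": date(1950, 3, 4),
     "admit": date(2019, 6, 10), "discharge": date(2019, 6, 14), "event": "MVC",
     "note": "Pt Jane Roe, DOB 03/04/1950, phone 617-555-0142, admitted 06/10/2019 after MVC on Rt 2."},
    {"mrn": "MRN-1002", "name": "John Doe", "zip": "02139", "dob": date(1928, 1, 9),
     "admit": date(2019, 6, 11), "discharge": date(2019, 6, 12), "event": "MVC",
     "note": "91yo pt, email john.doe@example.com, seen for chest pain after MVC."},
    {"mrn": "MRN-1003", "name": "Ann Smith", "zip": "10001", "dob": date(1988, 7, 21),
     "admit": date(2020, 2, 1), "discharge": date(2020, 2, 3), "event": "GSW",
     "note": "Pt said the shooting at the 02/01/2020 parade was where the GSW happened. SSN 123-45-6789."},
]

# Placeholder key (assumption): in practice it lives with the honest broker,
# never with the research copy, and is rotated per data release.
SECRET = b"example-release-key-do-not-reuse"


def _prf(secret: bytes, label: str, value: str) -> bytes:
    """Keyed PRF: the same (secret, value) always maps to the same output, and
    the mapping cannot be reversed or recomputed without the secret."""
    return hmac.new(secret, f"{label}:{value}".encode(), hashlib.sha256).digest()


def pseudonym(secret: bytes, mrn: str) -> str:
    """Stable research ID derived from the MRN, so a patient's encounters still link up."""
    return "P" + _prf(secret, "mrn", mrn).hex()[:12]


def date_shift(secret: bytes, mrn: str, max_days: int = 365) -> timedelta:
    """Per-patient shift in [-max_days, +max_days]. Constant within a patient,
    so length of stay and gaps between encounters are preserved."""
    n = int.from_bytes(_prf(secret, "shift", mrn)[:4], "big")
    return timedelta(days=n % (2 * max_days + 1) - max_days)


def _cap_age(m) -> str:
    # Ages over 89 are aggregated into a single 90+ bucket.
    age = int(m.group(1))
    return ("90+" if age > 89 else str(age)) + m.group(2)


# Regex scrubbing for the "obvious stuff". Regexes alone miss a lot; a real
# pipeline layers a trained clinical NLP de-id model on top of this.
SCRUB_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
    (re.compile(r"\b(\d{2,3})(\s*yo\b)"), _cap_age),
]


def scrub_note(note: str, name: str) -> str:
    """Remove the patient's own name (known from the structured record) and
    any direct identifiers the patterns above recognise."""
    out = re.sub(re.escape(name), "[NAME]", note, flags=re.IGNORECASE)
    for pat, repl in SCRUB_PATTERNS:
        out = pat.sub(repl, out)
    return out


def deidentify(records, secret: bytes, k: int = 2):
    """Return de-identified copies: pseudonymous ID, shifted dates, DOB reduced
    to an age (capped at 90+), ZIP truncated to 3 digits, note scrubbed, and
    the event field suppressed for any (event, zip3) cohort smaller than k."""
    out = []
    for r in records:
        delta = date_shift(secret, r["mrn"])
        a, d = r["admit"], r["dob"]
        age = a.year - d.year - ((a.month, a.day) < (d.month, d.day))
        out.append({
            "pid": pseudonym(secret, r["mrn"]),
            "age": "90+" if age > 89 else str(age),
            # Safe Harbor also zeroes zip3 areas with <= 20,000 people; that
            # needs census data and is not checked here.
            "zip3": r["zip"][:3],
            "admit": a + delta,
            "discharge": r["discharge"] + delta,
            "event": r["event"],
            "note": scrub_note(r["note"], r["name"]),
        })
    # A cohort of one (a single gunshot victim from one incident in one area)
    # is trivially re-identifiable from local news, so generalise it away.
    cohorts = Counter((o["event"], o["zip3"]) for o in out)
    for o in out:
        if cohorts[(o["event"], o["zip3"])] < k:
            o["event"] = "SUPPRESSED"
    return out


if __name__ == "__main__":
    for rec in deidentify(RECORDS, SECRET):
        print(rec)
```

The HMAC-based shift is deliberate: a per-patient random offset stored in a lookup table is a re-identification key that then has to be protected, whereas deriving it from a secret means only the secret needs guarding and the same shift is reproduced for every later data pull.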
The P in HIPAA stands for Portability, not Privacy. The primary purpose of HIPAA is not to prevent the sharing of confidential patient data, it is to ENABLE the sharing of confidential patient data with anyone who has the right to see it. The issue is the number of entities who claim that they have right to see the data, and the lack of a mechanism for the individual to prevent their information from being shared.
Should Facebook have a right to access your health data? Your opinion does not matter, they wanted it, and they got it. What about the US Department of Transportation? They maintain the right to access the electronic medical records of any person who falls under their regulation, such as pilots and truck drivers. They have been known to go on fishing expeditions trolling through medical records in search of violations. Search for Operation Safe Pilot. I know several people who have either avoided medical treatment because of this issue, or obtained treatment in a foreign country.
I work in healthcare; these views are my own, and IANAL.
> The P in HIPAA stands for Portability, not Privacy.
… sure, that P stands for that. But one of the key sections is literally called the Privacy Rule: "The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information"
> Should Facebook have a right to access your health data? Your opinion does not matter, they wanted it, and they got it.
No. Wantonly sharing PHI with Facebook would almost certainly be a violation of HIPAA … and literally, it's already happened, this year even[1]: "The office warned that entities covered by HIPAA aren’t allowed to wantonly disclose HIPAA-protected data to vendors or use tracking technology" ("Vendors" here included Facebook and the like.) ¹
Now, HIPAA only applies to covered entities. In the context of the OP however, a hospital is a covered entity. Whether eavesdropping is permissible is a good question.
¹I think regulatory agencies across the board have been giving pittances for fines, and these are no exception. There's a real question as to whether enforcement is actually meaningful, but that's a separate question from whether there is a right.
It's only "key" in the sense that it's the part technologists and people building PHI-encumbered products have to care about. It's not a key section in the bill itself; in fact, I don't even think it's a key part of the section of the bill it's in (which, I think, is about Medicare fraud).
> They have been known to go on fishing expeditions trolling through medical records in search of violations. Search for Operation Safe Pilot. I know several people who have either avoided medical treatment because of this issue, or obtained treatment in a foreign country.
I searched for Operation Safe Pilot, and it looks like they matched up aviation medical clearances with social security disability claims, not with general medical records. If you're claiming for a disability, there's something seriously wrong and you shouldn't be flying, or you're lying about the disability and committing social security fraud. Am I missing anything?
Car dealership customers are always worried about their data. And rightfully so.
The typical car salesman has 15 credit applications in his desk, 5 in his car in some folders he forgot about, 1 in the trash can he accidentally crinkled up instead of putting in the shred box. The manager's office is even worse. The finance guy's office is even worse. The 'business office' is half decent because the GM/owner is up there often.
On a side note, my friend subleased an office from a medical nurse temp agency/employment agency.
When he arrived (I helped him move in), there were thousands of unsecured files with people's socials and all info needed to get a job in file cabinets.
The office had cleaning service every night from a random cleaning company.
Speaking of that, hospitals still use tons of POCSAG (pagers) and splatter medical everything over those. Course it's illegal to listen due to a bullshit 1987 law... but trivial to do so with an RTL-SDR.
One idea my nefarious side had was to get the med records of individuals, look up the house cost at their address, and send scary calls/texts/messages shaking relatives down with scare-calls. (Or, get the info and get in league with overseas scammers who masquerade as the hospital, and take a cut from that. Would be relatively risk-free.)
Obviously I wouldn't do that. But it would be trivial to do.
(Long story short, pager infrastructure needs to be destroyed.)
I've had a career in hospital IT and operations. The challenge is finding a replacement that is as reliable and accessible as a pager. The replacement communications products out there have some nice features (managing on-call scheduling, interfacing with electronic health records, etc), but it only takes a handful of outages to get everyone to switch back to pagers "just in case."
Similarly, it really irks me how little privacy there is at the chemist/pharmacist/drugstore (listing all synonyms for an international audience).
If I have any questions, they're at the counter with 20 other patrons hearing everything about my medication. Then I take my medication to a separate counter for payment, which is staffed, usually, by a teenager working part-time. Great, now they know what medication I'm on.
Imagine if I were picking up medication for a teenage son or daughter, and the teenager at the counter went to school with them?
At my local Walgreens they're pretty strict about this: they make people stand about 10ft back from the window while waiting. I have seen them ask people to move back if they start encroaching.
I was in the hospital for about two weeks at the beginning of 2022. It was awful. The nurse would come in for evening meds and checks around 10-11 PM. When I was lucky enough to have neighbors who weren't trying to die all night it was usually relatively quiet from midnight to 4 AM. Then things would start to pick up. Phlebotomists making rounds to draw blood before 5 AM. Morning meds between 5-6 AM. Nursing shift change at 7 AM. Doctors doing rounds mid morning. Breakfast mixed in there somewhere. Of course I couldn't actually _do_ anything all day except try to read or play around on my phone, so I spent a lot of time dozing.
I wasn't so lucky for the first week of my stay. I was on IV meds that pushed my BP up significantly, to the point where every time the automatic hourly BP reading was taken it would set off alarms. During the day the charge nurse would usually silence the alarm (from the nursing station) immediately but at night they were understaffed (this was during a covid wave) and the nursing station often wasn't manned. So sometimes the alarm would sound for 20+ minutes. Every hour... all night... Eventually I found a sympathetic nurse who actually knew how to adjust the settings on the machine and disabled the alarm entirely.
At least I didn't have to share a room. That would have been misery.
An overnight stay is for observation, not comfort. The hospital wants to gather as many metrics as possible to keep you alive, respond ASAP to issues, and get you dischargeable to free up room for other sick patients, not give you a hotel bed.
Ricky Gervais had a line that stuck with me back on the podcast with Steve Merchant and Karl Pilkington - `How do people sleep in hospital? They'll wake you up to give a sleeping pill`
Likewise, hospitals serve food portioned nutritionally for a healthy adult when people who are sick or healing from injury may very well need more calories and protein to fuel their bodies' healing.
The last time I was in the hospital (2022) the portions weren't terrible, the main problem was that the food was so damned bland. The first few days it doesn't seem like it's that bad, but by the time you've been eating it a week you just lose your appetite because the food is so unappealing. Not to mention that if you have a test or procedure at the wrong time and miss placing your order (IIRC they stopped taking orders at like 4 PM) you're going to get whatever the cafeteria feels like sending you and it will have been sitting at the nurses station for hours. Yummy.
The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 CFR 164.502(a)(1)(iii). An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule.
My understanding is that FERPA is similar to HIPAA, except for college scores and enrollment information instead of medical records.
But there’s a rule in FERPA where you explicitly can’t leave a stack of exams and let students pick them, because it exposes students to others’ scores. Another rule is that you can’t associate a student's exam with their student ID even if it’s a sequence of numbers, because the id is public information, but you wouldn’t expect someone to remember someone else’s id.
(I specifically remember some professors not following the exam rule, probably because they didn’t know or perhaps it didn’t exist yet. I don’t know if anything happened to them but I suspect if anything, they were simply asked to not do that in the future.)
> because the id is public information, but you wouldn’t expect someone to remember someone else’s id.
In my college people definitely remembered other people's IDs, since all you needed to badge into any door they had access to was to write their ID and a 00+(number of replacement badges) to the data track on a swipe card. This gave access to even dorms. This even worked for faculty or Deans who had full access to all academic and athletic facilities.
Clearly nobody would ever know anybody else's public ID, because that would take just going into a study session and looking at the sign in sheet of hundreds of them sitting in the back of the classroom. Or looking at the log of swipes of an event that a dean attended.
I recently learnt on HN that some countries don't publish grades to ALL students at once and still can't think why. It's such an amazing gift to be able to see how much everyone got and the academic competition in its most pure form, while removing some awkwardness of getting results of your work (good or bad) early in your life.
People are too focused on hiding results because someone might feel bad.
While things like FERPA broadly protect most student information in the US, it doesn't exist so that people don't feel bad about their test scores. It limits schools and their staff to using student data for legitimate academic purposes and prohibits other uses that could be bad. That data goes beyond just test scores and could be things related to the student's health, social life, behavior, etc. This kind of data doesn't need to be shared with anyone that doesn't need to know it.
> you explicitly can’t leave a stack of exams and let students pick them, because it exposes students to others’ scores. Another rule is that you can’t associate a students exam with their student ID
As a comparison, at my Uni in the 1970s individual grades were posted along with corresponding social security numbers.
You don't get a blank check, but there are plenty of studies doing exactly this.
[1]: https://www.politico.com/news/2023/04/17/health-industry-dat...
It should be messages like "Code red to room xyz with patientID #####"
That would remove anything really actionable.
Whereas I was seeing over FLEX: full name, address, room#, child abuser status, why they're there, medicines. It was fucking stupid, like fuck no.
She didn't sleep a wink. With all the beeping and alarms and periodic checks and procedures. Mostly involving her roommate.
The next morning she was mentally and physically wrecked. The first thing she told the nurse was, "I want to go home so I can get some sleep."
The nurse laughs and replies, "I hear that all the time. Nobody ever sleeps here".
Now that's messed up. Sleep is the great healer. No sleep is the great destroyer. Is this intentional or institutional insanity or what?
I mean why don't they just put strychnine in the water supply while they're at it?
I don't have a medical degree or anything but that's crazy.
(Also, the nurse said nobody sleeps here. Not just the people under observation.)
But you don’t get the grades of individuals.