"personally identifiable information" isn't well defined.

I want to show that storm trooper my light saber. Oh... and then talk about it with strangers on a forum.

@Duckula22: What that can mean is if you're talking about your irritable bowel syndrome test groups and you reveal information particular to that group and people know what hospital you work at so it's fairly easy to surmise you are talking about a test group of 10. And oh, since you're talking about the test results, anyone who may know the test subject's symptoms or their attendance at the hospital can determine their role in the test group.

Actually, it has to be two patient identifiers for a HIPAA violation to occur, like first name, last name, age, condition, address, birthday, marital status, or numerical identification.
Sometimes, it is a really hard line to walk and many people accused of violations aren't even aware until somebody says something. It isn't blatant like, "I had John Smith, age 42, who lives on Scranton Street come to me with a case of syphilis his wife doesn't know about."
Saying you had a patient named "John" isn't a violation, but saying you had a "John" with syphilis is...

My wife is a Doctor and her hospital recently 'requested' that no one sign up for or use social networking sites for the time being.

While they can't 'force' them not to, they are strong arming them into not using them until they can figure out a way to not get sued if anyone is stupid enough to violate HIPAA rules.

I like to post odd and severely messed up x-rays, that I take at work, on my Facebook. But Im extra careful to make sure not one piece of identifying info shows up in the picture. All that shows is the knee thats shattered to pieces or the pelvis x-ray with the light bulb in the rectum. Nothing else.

It's not the staff in ED triage, medical records, nurses in the psych unit or even the IT staff... nope it's those students just a few semesters away from being a licensed physician that gossip about patients.
Hospitals make employees go through patient confidentiality training and than spend enormous amounts of money to be HIPPA compliant, and it turns out to be the doctors and med students breaking the rules. That's just great.

The title of this Consumerist story is a little dramatic - the article is only about med-students, not doctors. Those kids will get fired very fast once they're resident physicians working in a hospital everyday if they pull this shit.

This is the same problem that seems to be an issue with most people online. Conqeuences are just not something that are considered when communicating on the internet.

Yes, but even a med-student can expose the school to a lawsuit.

@AndroidHumanoid: I always wondered about that. Even if personally identifiable info has been removed, isn't the x-ray still property of the patient?

If not, who "owns" it and who determines how its used outside of treating the patient?

@savdavid: Yes, and that can put a black mark on a student's record for future employment.

@gemetzel: Very true, and very true for many young workers. A lot of them will vent on the net, not realizing that their boss easily has access to what they are writing. Then when confronting them, they act like it's an invasion of their privacy.

Its not just med students. Ive worked with several health agencies and many just dont think about what provacy means. Ive seen doctors discuss patients amongst themselves, but in an area that is not private. Very few will then post online like this kind of stuff but that doesnt stop the "wow..did you see" type chatter that occurs mong staff, a lot of which does violate patient confidentiality.

@mrsultana: i see what you did there... John with syphilis...

I tried to friend my doctor and dentist on facebook just to see what would happen. My dentist accepted it and my doctor sent me a really nice note saying ethically it was just something she didn't feel like she could do but wished she could.

@Duckula22: Actually what constitutes "personally identifiable information" is defined by HIPAA and its accompanying regulations ([www.hhs.gov]):

What Information is Protected

Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."12

"Individually identifiable health information" is information, including demographic data, that relates to:

the individual's past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

I've worked in healthcare IT for a few years now. You would be astonished at how little information can safely be released. I know of at least one instance in which someone lost a job because of a comment left on Myspace (IIRC). It did not mention anyone by name, and was itself innocuous. But it had sufficient details that others who knew the person in question could add it up and learn more than they should have been able to know.

One of my jobs is to ensure that computer systems are used in ways that keep patients' private data, private. We continually examine even small things ... such as repositioning monitors so that people in a waiting area can't see things (yes, a lot of it is uninterpretable to non-medicos or those not versed in the applications we use ... but we operate on the assumption that this is not a hurdle). It's not very heartening to hear there are doctors in the clinical workforce whose attitude toward privacy is as cavalier as this.

It's not just doctors. I read an article not too long ago about an attorney in Illinois who was discussing information about her clients on her blog or Facebook page. She was fired by her firm and disciplined by the state bar.

@dohtem: More importantly would the guy with the light bulb up his bum REALLY come forward and say "Hey! That's MY X-Ray! Take that down!!!

So... Threads like this are bad? [forums.studentdoctor.net]

I see it all the time with nurses I work with. Not just online either.

@henrygates: That's a big reason why I am very careful what I put up online. I realize that what I post can be read by practically anyone.

@PsiCop: Gracias...was just looking for that.

I've always wondered how this stuff works: you're in a doctor's office and they call your first and last name out in the waiting room? HIPAA rules broken? Not broken? It seems to violate confidentiality. Same with the sign in sheet at the nurse's station.

@gemetzel: Part of why my personal blog and my constituent-contact blog are separate, and I'm careful about what I post on both. Neither one is secret from the other, but it's just easier to keep appropriate boundaries if I don't ever mix the two to begin with.

@thesadtomato: There's an exception for this in the rules, name and sign in sheets. But if the nurse came out and asked for John Doe with genital warts, there might be some issues there.

@PsiCop: i work for a pharma company and we aren't bound by HIPAA but as a company we make it a point to bind ourselves to it anyway.
which really pisses off the sales guys. because if i need to contact them to mention to a doctor that there's a certain patient's paperwork we are waiting for, we can't say the patient's name to them in case they say it out loud in the doctor's office in a non private area accidentally.
so i can say "i haven't been able to reach doctor smith about the paperwork we sent him for patient with the initials C.H., can you ask the doctor to look into that?"
and they email me back and say "who?" and i get to say "initials is all you get. if the doctor has questions his staff can call us. thanks"

@Quatre707: Docs and med students have to go through HIPPA training as well, and HIPPA "violations" are going to be more common among hospital staff that get second opinions from others regarding patient treatments. In other words, the hospital janitor may talk about the guy with the lightbulb inserted somewhere, but the med student may ask his/her attending or peers for their opinions about the 39 year old male with a penchant of consciously misplacing things in his rectum. Which description is more detailed?

That's not to say that docs or med students aren't going to break HIPPA in stupid ways as well. Just that perceived violations are going to happen more frequently with those who actually have to work with the information that is supposed to be protected, even if it's not intentional.

@Lel: oh, I love that thread. It kept my spirits up while I was applying to schools. I think not putting locations up would be a saver there, but violations might be able to be pieced together if someone were determined enough to look through a user's post history.

A friend of mine, lets say her name is Betsy SmithJones lives at 12345 Special-Name St. She went to her DR. Had some blood drawn for some routine tests.

DR. office called her and gave her the results for a biospy for a potentially cancerous growth that had been removed.

Normal screwup?

Oh this one is good.

Betsy SmithJones used to live at 123456 Special-Name St. She moved. Sold the house. The buyer of the house lived in the house for only a short period of time and then sold the house.

The new owner? Betsy SmithJones.

Different person. Same damn name. Even the middle initial, maiden name and year of birth were the same.

Farking unbelievable.

Make matters worse, they both go to the same Dr.

The DR office then named them Betsy1 and Betsy2 to keep this from happening again.

@mrsultana: Ouch, no wonder people are violating HIPAA, all they have to do is fill out a survey regarding number and age of patients with influenza per year.

@StanTheManDean: I've seen that happen. I nursed in a small town, and two women had the same names. One was a drug seeker, the other an upstanding citizen. The drug seeker had used the upstanding gals credit line to do nefarious things, and knew how to manipulate the system to get more drugs by saying she was the upstanding one.

Total disaster. We had to append upstanding gals social security number to her chart, per her request, to make sure it was her, and were under no circumstances to take any med requests via phone also per her request.

I joked with upstanding gal it would be easier to change her name, than disentangle things, and she said she was thinking about it seriously.

Want to feel like a genius and read firsthand where our culture is heading? Read www.lamebook.com

My friend suggested it to be and at times it has similar personal stuff to what this post mentions. Felt as good a time as any to suggest it. I like the Consumerist, I like that site. You might too.

@AndroidHumanoid: Sorry if this a bit crass, but you're an asshole. I would be furious and take legal action if ever someone ever did this to me. Even if there was no way I could be identified.

@mmejanvier: If there's no way you could be identified, how would you know it was you?

@hillsrovey: I've seen Med students for check ups at my doctor's office which was at a teaching hospital. They're still seeing real patients.

@hillsrovey:

You think residents can get fired? How cute.

@Charlotte Rae's Web: My wife's provincial ethics board (psychology) has made it very clear that belonging to Facebook is an ethics violation in part for this very reason.

@subsider34: Number pts and their age is non-identifying information.

The two patient identifier bit is actually JCAHO guidelines for patient safety. Before you do any procedure you should be checking two identifiers such as the patient's name and MR number.

A HIPAA violation is releasing any information that could result in the identification of a patient.

Even something as "innocuous" as discussing the prognosis of "the guy in 405" where non-staff could hear it can be considered a violation.

@Duckula22: Yes, definitely, absolutely.

@AndroidHumanoid: Is your employer okay with you doing this or have you not bothered to get permission from them?

I can pretty much guarantee you that you'd be out the door if we found you doing that where I work.

@H3ion: How about if one just yells out "Genital warts, you're up!"

"younger people were more likely to think that sharing their personal opinions and thoughts was ok, "regardless of their potentially damaging or discriminatory impact on others."

And that is (part of ) what's wrong with my generation.

@AndroidHumanoid: I'm an x-ray tech. I want to friend you on facebook! We show each other images all of the time--no body cares about the patients name, we just want to see the image!

@mmejanvier: Maybe don't shove light bulbs up your bum, then, or at least don't go to the ER to have them removed?

@hillsrovey: There are plenty of doctor bloggers, such as:

[drgrumpyinthehouse.blogspot.com]
[erstories.net]
[medgoddess.blogspot.com]

Etc etc. Not only do I think these blogs are amazing, I think they are GOOD. Most of the stories on the blog are, I assume, composites anyway.

@catastrophegirl: I absolutely agree that the tactics needed to work with HIPAA are a bit awkward. But overall, it works anyway. In your case, initials should be enough for the doctor's office to know who's being discussed.

BTW I like that your company is following HIPAA guidelines even though it's not a covered entity.

careful she's got the funk.