recognizing a patient in security footage on Facebook

[zelman]

I think the whole "Illegal things aren't illegal if no one catches them being illegal" argument has been covered sufficiently.

...and it doesn't apply in this instance.

---

Members don't see this ad.

 

[CetiAlphaFive]

I think the argument is, "illegal things aren't illegal if they aren't illegal". How is saying you recognise someone breaching PHI? Do you know what PHI is?

Sent from my SAMSUNG-SM-G920A using SDN mobile

Thank you for opening my eyes to a world of possibilities.

So, to elaborate on the rewording you performed: "Illegal things aren't illegal if they're not illegal because the thing that makes them illegal isn't illegal ifthe person using it illegally asserts they didn't acquire it from the source & the context that would make it illegal, and if you refuse to acknowledge that it's P because you're not on the premises of the place where you acquired it, it's ok?" Did I get that right?

Do I know what PHI is?

I mean... I always thought I knew. What do we really know on this earth anyway? Why are we here? Why is PHI private?

(2) Permitted disclosures: Limited information for identification and location purposes. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that:

(i) The covered entity may disclose only the following information:

(A) Name and address;

Hm... You're really making me think here.
What exactly did they mean by "Name and address"

What is a name? Is a PHI rose a PHI rose by any other name?

Is PHI only PHI if it's PHI within a certain proximity to a given premises or is the P in PHI only P in certain contexts?
Is PHI only PHI if I recognize that I obtained it solely as a covered entity in the pharmacy setting? Is PHI only PHI in my mind?

Are you asking me what PHI is in the Descartes sense?

Far out, man

 

[CetiAlphaFive]

If a tree made out of PHI gets chopped down by a pharmberjack in the forst, but no one sees them do it, does the PHI make a sound?

 

[owlegrad]

Thank you for opening my eyes to a world of possibilities.

So, to elaborate on the rewording you performed: "Illegal things aren't illegal if they're not illegal because the thing that makes them illegal isn't illegal ifthe person using it illegally asserts they didn't acquire it from the source & the context that would make it illegal, and if you refuse to acknowledge that it's P because you're not on the premises of the place where you acquired it, it's ok?" Did I get that right?

Do I know what PHI is?

I mean... I always thought I knew. What do we really know on this earth anyway? Why are we here? Why is PHI private?



Hm... You're really making me think here.
What exactly did they mean by "Name and address"

What is a name? Is a PHI rose a PHI rose by any other name?

Is PHI only PHI if it's PHI within a certain proximity to a given premises or is the P in PHI only P in certain contexts?
Is PHI only PHI if I recognize that I obtained it solely as a covered entity in the pharmacy setting? Is PHI only PHI in my mind?

Are you asking me what PHI is in the Descartes sense?

Far out, man

What you posted literally says that name and address is permitted to be disclosed to law enforcement.

And you still seem to think just saying someone's name constitutes a HIPAA violation. It doesn't. You need two elements for a HIPAA violation. PII and PHI. What PHI is released by giving law enforcement a suspects name?

Sent from my SAMSUNG-SM-G920A using SDN mobile

 

[owlegrad]

Also what is the point of making a thread asking a question and then arguing with the replies? Did you just want to get sanctimonious with us?

Sent from my SAMSUNG-SM-G920A using SDN mobile

 

[CetiAlphaFive]

I made the thread because I thought the replies would be interesting, humorous, and stimulating. So far I've gotten mostly what I wanted out of it.
I didn't expect misinformation and half correct/misleading information to be spread.

If the entire thread would've been .gifs of Rex Kwon Do, I would've been extremely pleased.

I'm addressing the inaccurate statements being made in this thread for the benefit of students who may be reading.

It's very telling that only Lord999 and I have read and posted the applicable law.

What you posted literally says that name and address is permitted to be disclosed to law enforcement.

And you still seem to think just saying someone's name constitutes a HIPAA violation. It doesn't. You need two elements for a HIPAA violation. PII and PHI. What PHI is released by giving law enforcement a suspects name?

Sent from my SAMSUNG-SM-G920A using SDN mobile

No, that's quite literally the opposite of what I posted.
What I posted are the extremely limited and specific instances in which the name and address of a patient may be given to LEOs.
I can see how you'd think that if you only read the except I quoted and not the article or section of the privacy rules.

Where are you getting this from?
PII is never mentioned in HIPAA or the Privacy Rules.
PII is to PHI what GFR is to CrCl.
They're pretty close to the same thing, just used by different people in different guidelines.

Let's say "Will E. Nelson" is a patient at X pharmacy. If I'm a pharmacist at X pharmacy, and I go home and post only
"Will E. Nelson" on all of my social media platforms, nothing will come of it?
It's just a name.

Sure, that's an extreme example, but it's meant to test the boundaries of "a name alone isn't PHI"

I think the link that Lord999 posted in the thread earlier specifically and completely addresses your point: 505-When does the Privacy Rule allow covered entities to disclose information to law enforcement

(2) Permitted disclosures: Limited information for identification and location purposes. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that:
(i) The covered entity may disclose only the following information:
(A) Name and address;

Now, let's summarize what IS accurate:

You're absolutely right.
A name is not PHI if it exists in a vacuum.

However, this thread isn't discussing a simple name. The very fact that there's a specific section of law that outlines how and when to disclose to LEOs should be a clue that it's not as simple as you're making it out to be.

If a random, anonymous ghost blows a note into a window with the name of a criminal on it, it is not PHI.

A name does become PHI if it is associated with a covered entity or institution/clinic/pharmacy in a document.

If a name is given by an anonymous tipster, that name is not PHI.
That name exists in a HIPAA vacuum, where no covered entities or settings are associated with it.

What if later it somehow comes to light that a covered entity gave the name, and their initials are all over the name's healthcare records.
Does it then become PHI?

What about when the patient/criminal finds out that the covered entity gave their name, and they take the stance that the only interactions the two individuals have ever had were in a healthcare setting.

Given this scenario which conclusion can be made:
A.) The covered entity is psychic
B.) The covered entity is a 00 agent performing surveillance for the local police
C.) The covered entity shared information that they learned solely in the execution of their duties as a healthcare provider.

EDIT:

I just realized, 165.514 also specifies that names, even names in vacuums, must be removed in order to meet the deidentification standard.

 

[owlegrad]

Where are you getting this from?
PII is never mentioned in HIPAA or the Privacy Rules.
PII is to PHI what GFR is to CrCl.
They're pretty close to the same thing, just used by different people in different guidelines.

This is a fair question and I feel I should answer it. I am getting this from the countless HIPAA modules I have had to do over the years. Perhaps I should link to something rather than just go on memory. That is fair. So here is a link:

What is personally identifiable information (PII)? | Privacy | Office of HIPAA Privacy & Security at Miller School of Medicine

I realize the University of Miami is not nearly as good as finding the actual phrase "PII" in the HIPAA legislature, but it would seem I am not the only person who thinks that PII is relevant to HIPAA.

 

[Slippers]

check your privilege

 

[BidingMyTime]

How can anyone ever recognize anyone from grainy video footage anyway. I don't see how possibly knowing a name that matches a face and giving it to police is a PHI violation. The police aren't going to ask you how you know it's that person. Maybe you saw that person on Facebook, maybe they came into your pharmacy and wrote a check for the box of OTC condoms they bought, maybe you heard a friend of a friend talking about this....seriously, either do your citizen's duty and call and report, or do a Sparda and don't, but don't pretend that you are prevented to because of Hipaa, because merely identifying someone in no way says that you ever provided healthcare for them.

 

[CetiAlphaFive]

How to read only the OP and then hit Quick Reply
-Biding M. Time, et al. SDN. 2017.

How can anyone ever recognize anyone from grainy video footage anyway. I don't see how possibly knowing a name that matches a face and giving it to police is a PHI violation. The police aren't going to ask you how you know it's that person. Maybe you saw that person on Facebook, maybe they came into your pharmacy and wrote a check for the box of OTC condoms they bought, maybe you heard a friend of a friend talking about this....seriously, either do your citizen's duty and call and report, or do a Sparda and don't, but don't pretend that you are prevented to because of Hipaa, because merely identifying someone in no way says that you ever provided healthcare for them.

 

[PharmDBro2017]

edit: in on roll bread

 

[BidingMyTime]

How to read only the OP and then hit Quick Reply
-Biding M. Time, et al. SDN. 2017.

I did read the entire thread, and I get that you were trolling (or at least think you are CYAing by pretending that you were trolling.) That is besides the point, it's still a worthy thread for discussion and for future reference. Quite likely someone will zombie this thread 10 years from now, and the more sensible replies they can read in the thread, the better.

 

[CetiAlphaFive]

I did read the entire thread, and I get that you were trolling (or at least think you are CYAing by pretending that you were trolling.) That is besides the point, it's still a worthy thread for discussion and for future reference. Quite likely someone will zombie this thread 10 years from now, and the more sensible replies they can read in the thread, the better.

Hahaha, it's great that you think the profession of pharmacy will still be around in 10 years.

I'll pop back into this thread in 10yrs to promote my food truck.