I made the thread because I thought the replies would be interesting, humorous, and stimulating. So far I've gotten mostly what I wanted out of it.
I didn't expect misinformation and half-correct/misleading information to be spread.
If the entire thread would've been .gifs of Rex Kwon Do, I would've been extremely pleased.
I'm addressing the inaccurate statements being made in this thread for the benefit of students who may be reading.
It's very telling that only Lord999 and I have read and posted the applicable law.
What you posted literally says that name and address is permitted to be disclosed to law enforcement.
And you still seem to think just saying someone's name constitutes a HIPAA violation. It doesn't. You need two elements for a HIPAA violation. PII and PHI. What PHI is released by giving law enforcement a suspect's name?
No, that's quite literally the opposite of what I posted.
What I posted are the extremely limited and specific instances in which the name and address of a patient may be given to LEOs.
I can see how you'd think that if you only read the excerpt I quoted and not the article or section of the privacy rules.
Where are you getting this from?
PII is never mentioned in HIPAA or the Privacy Rules.
PII is to PHI what GFR is to CrCl.
They're pretty close to the same thing, just used by different people in different guidelines.
Let's say "Will E. Nelson" is a patient at X pharmacy. If I'm a pharmacist at X pharmacy, and I go home and post only "Will E. Nelson" on all of my social media platforms, nothing will come of it?
It's just a name.
Sure, that's an extreme example, but it's meant to test the boundaries of "a name alone isn't PHI."
I think the link that Lord999 posted in the thread earlier specifically and completely addresses your point:
505-When does the Privacy Rule allow covered entities to disclose information to law enforcement
(2) Permitted disclosures: Limited information for identification and location purposes. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that:
(i) The covered entity may disclose only the following information:
(A) Name and address;
Now, let's summarize what IS accurate:
You're absolutely right.
A name is not PHI if it exists in a vacuum.
However, this thread isn't discussing a simple name. The very fact that there's a specific section of law that outlines how and when to disclose to LEOs should be a clue that it's not as simple as you're making it out to be.
If a random, anonymous ghost blows a note into a window with the name of a criminal on it, it is not PHI.
A name does become PHI if it is associated with a covered entity or institution/clinic/pharmacy in a document.
If a name is given by an anonymous tipster, that name is not PHI.
That name exists in a HIPAA vacuum, where no covered entities or settings are associated with it.
What if later it somehow comes to light that a covered entity gave the name, and their initials are all over the name's healthcare records?
Does it then become PHI?
What about when the patient/criminal finds out that the covered entity gave their name, and they take the stance that the only interactions the two individuals have ever had were in a healthcare setting?
Given this scenario, which conclusion can be made:
A.) The covered entity is psychic
B.) The covered entity is a 00 agent performing surveillance for the local police
C.) The covered entity shared information that they learned solely in the execution of their duties as a healthcare provider.
EDIT:
I just realized, 165.514 also specifies that names, even names in vacuums, must be removed in order to meet the deidentification standard.