[spitfire]

IP address, telephone number, city and other identifying information is ALL considered PII.

I work with (adjacent industry) HIPAA protected data, which is considered PII by virtue of knowing Bob Smith is in the system. If they're under a BAA and sending that information to Facebook they're in violation.

If one of my sub-processors did this my lawyer would be livid. But hey, it's Silicon Valley, don't harsh their buzz man.

[sizzle]

How do you even report something this technical to non technical folks who oversee HIPAA? Would you have to do a case study style write up?

[type0]

As if it's binary definition - technical and non technical, unless they're amish I don't see why it can't be reported in plain terms

[dmooney1]

There are plenty of technical people overseeing HIPAA.