[hn_throwaway_99]

Just thought the call out for "Protected Health Information" was weird, and it's wrong. If you're just having small talk with someone on a zoom call and you say "Yeah, that last COVID booster really wiped me out, I was in bed for 2 days", that doesn't mean the call contains "PHI".

First of all, you shared it. The whole reason for protecting PHI in the first place is limiting what others can do with your information, not what you can do with it. And if you share it willingly, and not for medical purposes, it doesn't mean that the person you shared it with suddenly has a higher burden of security/privacy with that info.

Just calling this out because so often see people that fundamentally misunderstand what "PHI" means in a legal sense, and specifically what the HIPAA regulations require.

[kryogen1c]

> And if you share it willingly, and not for medical purposes, it doesn't mean that the person you shared it with suddenly has a higher burden of security/privacy with that info.

Almost but not quite. I came to comment on this bullet point in the article because misunderstanding about PHI is so prevalent its nearly a meme.

PHI doesn't have anything to do with willingness or sharing. PHI is not a meaningful term constructed of its component words - its a specific legal term under hipaa. Any (noncovered entity) company can ask you anything about your health and it doesn't matter - airlines, restaurants, event venues, etc. They're allowed and it doesn't have anything to do with hipaa and they are not collecting/storing PHI.

HIPAA applies specifically to covered entities under its law. Its basically health care providers and health insurance companies. If you aren't one of those covered entities and youre not telling that info to a covered entity, there is no PHI.

If you want to boycot somewhere asking about covid or whatever - get down with your bad self. It just doesn't have anything to do with HIPAA.

[hn_throwaway_99]

Thanks, you're correct. I didn't mean to imply that PHI was defined by willingness to share it, I meant that the whole reason for "protecting" HI in the first place is for giving control over that information to the people it's about.

A specific example: I work on an app that does include HIPAA-regulated PHI, and sometimes I'll demo stuff in production by demoing my own personal account. I usually preface it by saying "This is my account, so it's OK to share" so folks know I haven't just pulled up someone else's data. If I had pulled up someone else's data and shared it without their consent, that would be a HIPAA violation.

[nobody9999]

>HIPAA applies specifically to covered entities under its law. Its basically health care providers and health insurance companies. If you aren't one of those covered entities and youre not telling that info to a covered entity, there is no PHI.

An excellent point. Which is why I don't share my Fitbit data (uninstalled the app after set up, no syncing of data) with Fitbit (now Google) and will (assuming it works as advertised) likely be moving to a MiBand with GadgetBridge[0] in the near future. And thanks to vanous[1] for posting[2] here about it a couple weeks ago.

I have no interest in sharing my health (exercise regimes, sleep cycles, heart rate, etc.) information with folks whose raison d'etre is to snarf up as much data as possible. What's more, since these folks aren't "covered entities" under HIPAA, they aren't required to put in the special safeguards for your health data.

And more's the pity.

[0] https://codeberg.org/Freeyourgadget/Gadgetbridge

[1] https://news.ycombinator.com/user?id=vanous

[2] https://news.ycombinator.com/item?id=32965166

Edit: Fixed typo.

[Spooky23]

I get what you’re saying but that data isn’t meaningfully protected by HIPAA, and is pretty trivially derived based on available data.

Data brokers for pharmacy have your prescription data, your doctor is not protected information and other aspects of your care are available to many entities for purposes like insurance subrogation that also create data products.

HIPAA protects you from gossiping clerks at health facilities and HR. It prevents the use of some bad IT practices, and forces you to sign lots of disclosures. That’s about it.

If you want that type of information to be private, don’t collect it or don’t share it with 3rd parties in an accessible form.

[nobody9999]

>If you want that type of information to be private, don’t collect it or don’t share it with 3rd parties in an accessible form.

Yes. Absolutely.

I thought that was what I said. Perhaps what's in my head didn't make it to the comment?

[asyncscrum]

One on my major takeaways from the calls was how many people were visibly sick yet still working and getting on calls. WFH has really destroyed the concept of stay home and get some rest.

[noirbot]

That said, I've definitely called in to things while sick because I didn't have anything better to do. Watching TV all day wasn't going to make me get healthier faster than watching a business presentation, and as long as my team understood that I was a little out of it, the normalcy of being "at work" helped me not just feel lazy and terrible.

[TecoAndJix]

I preach ”don’t be a martyr” to anyone and everyone that listens, especially when I’m on a call and they mention they are not feeling well. Sure - there are meetings and engagements you really don’t want to miss (stuff like the boss’s boss will be on the call) but as long as you are not calling in sick all the time, no one cares! They usually say “oh shit I hope they feel better” and stop thinking about you.

[wlonkly]

I think that's always been the case, unfortunately. Quotas don't have sick days.

[plorkyeran]

Stay home and get some rest was destroyed long ago. They used to just show up to the office visibly sick.

[psteitz]

I think you're kind of missing the point. The author was just pointing out that lots of personal health-related info was being recorded in the calls. When you know a call is being recorded it is kind to steer the conversation away from content that the person you are talking to may not want broadly shared. Prospects may be told that the calls are being recorded but they may not realize the implications of that.

[hn_throwaway_99]

Note the author updated his post in response to my comment. It originally said "protected health information", which is what I was reacting to. PHI is a very specific thing in US law, and increased legal exposure when handling PHI only applies to very specific entities.

The reason I commented is because there is a ton of misunderstanding in the real world that confuses "Joe isn't on the call today because he's got COVID" with the legal responsibilities that, say, your doctor has when sending you your COVID results.

To be honest, I think there is a lot of unnecessary concern over health information due to this misunderstanding. Obviously there is a ton of information that people prefer to keep private, but in those cases, they keep it private, or would at least tell you not to tell anyone. Due to the misunderstanding about PHI, I think people mistakenly confuse any banal health information as inherently requiring a higher level of protection/discretion, and this isn't really true. Frankly, there is a ton of other info that people probably want to keep more private than whether or not they had COVID (these days, who hasn't?) or whether someone is pregnant (usually makes itself self-evident in any case).

[hnbad]

HIPAA aside, this is PII under the GDPR and fits the definition of "health information" which (like political affiliations, religion, etc) is given special protections under the GDPR. Typical social media profiles are actually a minefield.

Then again, a ton of practices described in the article are probably blatant violations of the GDPR like scraping LinkedIn to track the titles and job changes of champions. I guess a PII request under the GDPR would include data stored in Salesforce, which would make the result fairly awkward depending on what information sales people decide to keep in there.

Given that I've seen companies having to explain to sales people that they can't just repurpose dodgy e-mail lists for direct sales outreach without having any records suggesting the victi-... err... "prospects" consented to that use, I wouldn't be surprised if most sales teams are violating the GDPR left and right on a daily basis.

[bagels]

Is anyone who is not a health care provider even bound by any PHI rules?

[colechristensen]

When information comes out of a relationship with a healthcare provider, it's PHI.

That information is tainted with the restrictions and keeps them regardless of where it goes. If it gets disclosed outside of that it becomes a violation.

So nobody working for a hospital you get care for can disclose things. Nobody the hospital hires to provide services or handle your data, etc.

You can sign away those rights or give your own information away.

If the data doesn't come up through a relationship with a healthcare provider, it's not PHI.

[hn_throwaway_99]

Yes, lots of data storage companies are - that's why these companies sign BAAs (Google HIPAA BAA for info).

There are some carve outs. For example, financial services companies don't have any additional privacy requirements if you buy a prescription with your Visa instead of cereal. That carve out was specifically added to the HIPAA legislation.

[manv1]

Yes.

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg...

Note that this is a high-level summary.

[bagels]

The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form... covered entities...

I think this just means health care industry and those who build systems for health care information?

Going to keep researching, but I don't think that it applies to literally every workplace.

[rish1_2]

Any working professional that is handles PHI is bound by it and not just health care professionals. This could also be managers in a hospital. An individual is not.

[manv1]

The HIPAA privacy doesn't apply to employers, unless that employer is self-insured. There are a bunch of rules around that.

But PHI as a concept doesn't need HIPAA. In fact, it's probably good practice to isolate PHI, even if you don't need to be HIPAA-compliant. The PHI is only one join away anyway.

[asyncscrum]

True, will update the article. I still found it somewhat surprising.

[jedberg]

I think it was more along the lines of "Jenny isn't on the call today because she's out with COVID, which is extra bad because she's pregnant".

It's not HIPAA protected because that person isn't Jenny's doctor, but it's still PHI.

[hn_throwaway_99]

No, it's not. That information may be "HI", but it's not "PHI", that is the "protected" part has a specific legal definition under HIPAA, and nobody in that call has any additional legal requirements based on the fact that someone said Jenny is pregnant.

[jedberg]

Doesn't that depend on how they know that information? If that's Jenny's boss on the phone and she shared that with her boss so she could claim FMLA benefits and days off for health reasons, doesn't her boss have a duty to keep it private?

[0x457]

No. HIPAA is about sharing PHI between covered entities. P stands for Portability. Unless Jenny is working in one of those covered entities and Jenny's boss learned about her covid and pregnancy by pulling PHI - then no, it's no under HIPAA.

Her boss doesn't have a duty to keep it private in any legal sense. Jenny can ask not to tell anyone, but legally, it doesn't matter.

[wizofaus]

To clarify, the P in HIPAA is "portability", in PHI it's "protected". Confusingly there's also PII where it's "personally".

[lazyasciiart]

PHI is a technical term that means you are talking about HIPAA restrictions. Other laws can very well limit what you can share, but that doesn’t get referred to as being PHI.

[sceutre]

I don't think the acronym helps. I should know better but still read it as Personal Health Information in my head