by kryogen1c 1353 days ago
> And if you share it willingly, and not for medical purposes, it doesn't mean that the person you shared it with suddenly has a higher burden of security/privacy with that info.

Almost but not quite. I came to comment on this bullet point in the article because misunderstanding about PHI is so prevalent it's nearly a meme.

PHI doesn't have anything to do with willingness or sharing. PHI is not a meaningful term constructed of its component words - it's a specific legal term under HIPAA. Any (non-covered entity) company can ask you anything about your health and it doesn't matter - airlines, restaurants, event venues, etc. They're allowed, and it doesn't have anything to do with HIPAA, and they are not collecting/storing PHI.

HIPAA applies specifically to covered entities under its law. It's basically health care providers and health insurance companies. If you aren't one of those covered entities and you're not telling that info to a covered entity, there is no PHI.

If you want to boycott somewhere asking about covid or whatever - get down with your bad self. It just doesn't have anything to do with HIPAA.


Thanks, you're correct. I didn't mean to imply that PHI was defined by willingness to share it, I meant that the whole reason for "protecting" HI in the first place is for giving control over that information to the people it's about.

A specific example: I work on an app that does include HIPAA-regulated PHI, and sometimes I'll demo stuff in production by demoing my own personal account. I usually preface it by saying "This is my account, so it's OK to share" so folks know I haven't just pulled up someone else's data. If I had pulled up someone else's data and shared it without their consent, that would be a HIPAA violation.

> HIPAA applies specifically to covered entities under its law. It's basically health care providers and health insurance companies. If you aren't one of those covered entities and you're not telling that info to a covered entity, there is no PHI.

An excellent point. Which is why I don't share my Fitbit data (uninstalled the app after set up, no syncing of data) with Fitbit (now Google) and will (assuming it works as advertised) likely be moving to a MiBand with GadgetBridge[0] in the near future. And thanks to vanous[1] for posting[2] here about it a couple weeks ago.

I have no interest in sharing my health (exercise regimes, sleep cycles, heart rate, etc.) information with folks whose raison d'être is to snarf up as much data as possible. What's more, since these folks aren't "covered entities" under HIPAA, they aren't required to put in the special safeguards for your health data.

And more's the pity.

[0] https://codeberg.org/Freeyourgadget/Gadgetbridge

[1] https://news.ycombinator.com/user?id=vanous

[2] https://news.ycombinator.com/item?id=32965166

Edit: Fixed typo.

I get what you’re saying but that data isn’t meaningfully protected by HIPAA, and is pretty trivially derived based on available data.

Data brokers for pharmacy have your prescription data, your doctor is not protected information and other aspects of your care are available to many entities for purposes like insurance subrogation that also create data products.

HIPAA protects you from gossiping clerks at health facilities and HR. It prevents the use of some bad IT practices, and forces you to sign lots of disclosures. That’s about it.

If you want that type of information to be private, don’t collect it or don’t share it with 3rd parties in an accessible form.

> If you want that type of information to be private, don’t collect it or don’t share it with 3rd parties in an accessible form.

Yes. Absolutely.

I thought that was what I said. Perhaps what's in my head didn't make it to the comment?