by jodacola
898 days ago
It's not just with LEOs where patient privacy gets dodgy. I've helped get a number of tech companies HIPAA compliant, so I've become very familiar with the workings and requirements of the act. My wife, a nurse, works in medical claim management. Lots of healthcare knowledge between us. I've had some very interesting conversations with her because of a tool she's described being used by insurance companies: medical canvassing. It's an "interesting" tool used by investigators that doesn't technically request PHI, but can paint a picture of one's past medical care. Basically, an investigator can ask a health care provider a bunch of yes/no questions - "did the patient receive care between $DATE1 and $DATE2?" "yes" "was the patient treated for $THING_RELEVANT_BUT_UNRELATED_TO_CLAIM?" "yes" "okay, thank you, that's all we needed." No "PHI" requested, none provided, but a picture still painted... and HIPAA allows for it. I'm very curious to know what other interesting methods exist that allow for the circumvention of patient privacy.

How is that not PHI? You asked for treatment information and it was provided. Asking it in a roundabout way doesn't sidestep HIPAA.