Writing Google Reviews About Patients Is Actually a HIPAA Violation

"According to The Verge, health providers writing Google reviews about patients with identifiable information is a HIPAA violation," writes Slashdot reader August Oleman. From the report: In the past few years, the phrase 'HIPAA violation' has been thrown around a lot, often incorrectly. People have cited the law, which protects patient health information, as a reason they can't be asked if they're vaccinated or get a doctor's note for an employer. But asking someone if they're vaccinated isn't actually a HIPAA violation. That's a fine and not-illegal thing for one non-doctor to ask another non-doctor. What is a HIPAA violation is what U. Phillip Igbinadolor, a dentist in North Carolina, did in September 2015, according to the Department of Health and Human Services. After a patient left an anonymous, negative Google review, he logged on and responded with his own post on the Google page, saying that the patient missed scheduled appointments. [...]

In the post, he used the patient's full name and described, in detail, the specific dental problem he was in for: "excruciating pain" from the lower left quadrant, which resulted in a referral for a root canal. That's what a HIPAA violation actually looks like. The law says that healthcare providers and insurance companies can't share identifiable, personal information without a patient's consent. In this case, the dentist (a healthcare provider) publicly shared a patient's name, medical condition, and medical history (personal information). As a result, the office was fined $50,000 (PDF).

No shit Sherlock

[rsilvergun]

How is this even news? How can you be in any way shape or form involved in the medical industry and not know how HIPAA works? No you can't post stuff about your patience on random internet forums.

Re:

[freeze128]

What do you mean 'I can't post stuff about my patience'? I'm really starting to lose my patients over this nonsense!

Re:No shit Sherlock

[cstacy]

How is this even news? How can you be in any way shape or form involved in the medical industry and not know how HIPAA works?

It's news because (a) it's so blatant, and if it happened this once, it isn't the first or last time, so it helps the public be aware that it can happen (b) if you're on the receiving end of this news, because you're just J.R.Public ,it helps educate you about what HIPPA really says, and alerts you to the risk and (c) it is useful to see that HIPPA is sometimes enforced, and how that goes.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Narcocide]

Basically they have numerous monetary and logistical incentives to play dumb about the law so they can sell our data in bulk to Google. As someone who has worked making software for these jackasses, I'm not any sort of freshly outraged by this. It has been going on for years, blatantly, and out in the open. But it's still not common knowledge amongst the public, apparently.

Re:

[Narcocide]

(And I'm pretty sure whoever modded this down is someone who owes me money.)

Re:

[sg_oneill]

Its useful even if just to let people know how HIPPA *actually* works. (Ie its very specific about who can do what and what they can do).

Oh and fun fact: On friday night when your doctor is having beer with his friends, he is totally violating your HIPPA privacy and telling them about that ridiculous attempt at trying to cite HIPPA as an excuse not to wear a mask in his surgery. And your lawyer is probably violating his client confidentially laughing to his friends about your rebuffed request to sue over i

Re:

[Entrope]

Less telling us about how HIPPA works, more learning how to spell HIPAA, please.

Re: No shit Sherlock

[snapsnap]

HIPPPA didnâ(TM)t pass. Why learn about it?

Re: No shit Sherlock

[MysteriousPreacher]

Only if the patient is identifiable. If their identity can't be linked to it then you're good to tell Bob about that guy with the ketchup bottle up his hole.

Re: This is a news story for one reason only

[AvitarX]

At least from the summary, it only states it's legal and seems to have no opinion about the ethics.

Plenty of things are legal that are unethical.

Re:This is a news story for one reason only

[PPH]

In order to make it seem like your employer asking about your vaccine status is ok.

It is. And there's a subtle difference as far as HIPAA is concerned. Your health care provider cannot divulge your vaccination status [amazonaws.com]. But you can. As a condition of employment or the receipt of services.

Re:This is a news story for one reason only

[Tony Isaac]

Your health care provider CAN divulge your vaccination status...IF you consent. That's why, when you go to a doctor these days, the first thing you are asked to do is provide consent to share your protected health information with your insurance company and with other providers related to your care.

If you choose not to consent, your employer can still choose to fire you for failing to prove you are vaccinated.

Re:

[shilly]

There's not a *subtle* difference between "me" and "my doctor" -- it's pretty clear and obvious to me, anyway! I can tell anyone anything I want to about me, obviously; my doctor can't.

Re:

[Dragonslicer]

So what you're saying is an employer can make it a condition of your employment that you provide them with your entire medical history, not just vaccination status?

Legally, yes, unless your medical history includes information about your status in a protected class (such as religion or being a military veteran) and the employer makes hiring decisions based on that. If an employer tries it, though, they would probably lose a lot of employees, so it's not a particularly good idea, but being a bad idea doesn't necessarily make it illegal.

Re:

[memory_register]

Let me back up a bit: your employer wouldn't even care about this if they didn't manage your health insurance - which itself is the insane part. Why is it that we don't stop to ask why employers became the de facto source of health insurance? You don't get your auto, homeowners or life insurance through them, and we really shouldn't be getting our health insurance through them, either.

Give the tax credits that employers get to individuals, provide vouchers where needed, and do away with employer-tied heal

Re:

[Tony Isaac]

Employers, or especially schools, have been requiring proof of vaccinations for decades. I don't agree with COVID vaccine mandates, and I haven't been vaccinated, but I don't understand this sudden hostility towards this one vaccine...outside of conspiracy theories. But even with that, anti-vaxxers have been basing their positions on conspiracy theories for decades as well.

Re:

[cstacy]

Employers, or especially schools, have been requiring proof of vaccinations for decades. [...] I don't understand this sudden hostility towards this one vaccine...outside of conspiracy theories.

Reasons:

1. It's the first vaccine based on a new technology. And that technology involves
"genetic engineering", which can be a scary word.

Everyone alive right now is already familiar with previous vaccine technology.

2. There is more public mistrust of both Science and Medicine than there has been in generations.

3. There is a highly polarized political climate that is best characterized as tribal, and the above can be a focus point for that, (beyond general mistrust or other fears).

4. Whackos can reach every

Re:This is a news story for one reason only

[ArchieBunker]

1. It's the first vaccine based on a new technology. And that technology involves
"genetic engineering", which can be a scary word.

mRNA isn't even that new, they've been researching it for decades now. https://publichealth.jhu.edu/2... [jhu.edu]

Re:This is a news story for one reason only

[shilly]

And not all the vaccines are mRNA -- eg AZ

Re:

[cmseagle]

I say this as someone who received an mRNA vaccine as soon as I was able: The "they've been researching this for decades" argument isn't very compelling. Richard Branson has been researching rocketry for decades, too. I still wouldn't sign up to be on one of the Virgin Galactic orbital test flights.

The compelling argument for the safety of mRNA vaccines is that they've now undergone one of the largest trials in human history with an exceedingly low rate of negative outcome, and no proposed mechanism by w

Re:

[shilly]

The RWE is even more impressive than the trial data.

Re:

[Dragonslicer]

Everyone alive right now is already familiar with previous vaccine technology.

Yeah, I'm calling bullshit on this one. Plenty of people believe all sorts of complete crap about various vaccines.

Re:

[Tony Isaac]

This is NOT the first vaccine based on new technology. When the smallpox and polio vaccines were first developed, they too were based on new technologies. For that matter, every new vaccine is "new technology." While many anti-vaxxers talk about the genetic engineering aspects of SOME COVID vaccines (not all are genetically engineered), I think it's just an excuse. The real hostility seems to be political, as can be seen by the fact that as a group, Republicans are against COVID vaccines, while Democrats ha

Re:

[WaffleMonster]

This is NOT the first vaccine based on new technology. When the smallpox and polio vaccines were first developed, they too were based on new technologies.

In the year 2020 the new never before deployed at any meaningful scale platform was mRNA not any of the existing technologies that were all well known with a long history and well understood at that time.

While every vaccine has to be evaluated on merits rather than by technology for all anyone knew there could have been inherent risks from the approach that were not previously known in addition to risks from vaccine itself.

For example:
https://www.ncbi.nlm.nih.gov/p... [nih.gov]

While many anti-vaxxers talk about the genetic engineering aspects of SOME COVID vaccines (not all are genetically engineered), I think it's just an excuse. The real hostility seems to be political, as can be seen by the fact that as a group, Republicans are against COVID vaccines, while Democrats have embraced them.

I tend to agree that vaccination relate

Re:

[jsonn]

Before 2020, mRNA vaccines have been in clinical studies for a number of different infectious diseases and for quite a long time. Since those diseases are primarily found in the poorer parts of the world, it wasn't a strong research focus.

The given example of Myocarditis is a very weak argument for two reasons. First, the heart muscle inflammation is already a known side effect of the actual illness and unlike the real deal, the mRNA vaccination induces a sterile version that normally heals easily once the

Re:

[WaffleMonster]

Before 2020, mRNA vaccines have been in clinical studies for a number of different infectious diseases and for quite a long time. Since those diseases are primarily found in the poorer parts of the world, it wasn't a strong research focus.

First time mRNA was widely used was the covid vaccines. The fact its been studied for a long time or tried in limited circumstance is great and useful yet there is no equivalence to real world large scale deployment. The situation is very similar to how a platform passing QA and being proven in widespread production use are two very different things.

The given example of Myocarditis is a very weak argument for two reasons. First, the heart muscle inflammation is already a known side effect of the actual illness and unlike the real deal, the mRNA vaccination induces a sterile version that normally heals easily once the body has flushed the results of the mRNA

The heart does not repair itself. Once damaged it persists for life. Inflammation can subside yet any associated damage does not heal.

out. Second, it is trigger by a form of medical malpractice. The vaccine is supposed to be injected in the muscle tissue only, but for some reason, the original recommended procedure for the injection skipped the pull-back step to check for an accidental hit of a vein.

With old school analog

Re:

[rantrantrant]

Re: "...and I haven't been vaccinated..." -- This is getting to be like veganism. You know, vegans who won't shut up about it. I don't care what you eat or whether you've been vaccinated against X.

Re:This is a news story for one reason only

[quall]

What a great conspiracy theory you have. Why are you randomly bringing up vaccines like a disgruntled crazy person?

I hope the irony of your post isn't lost on you.

Re:

[ArchieBunker]

He probably lives in an at will employment state too. He is free to not take the vaccine and his employer is free to fire him for not taking it. Now that's irony.

Re:

[rantrantrant]

The wording clearly alludes to those who'd like to claim that asking people for their COVID-19 vaccination status, which is currently a legal requirement under some circumstances in some countries, is a violation of doctor-patient confidentiality laws. Do try to keep up.

Re:

[quall]

But it doesn't. That's why it's a crazy conspiracy theory that you are now peddling. Get it now?

Re:

[rantrantrant]

Are you saying that people aren't claiming that asking for vaccination status is a HIPAA violation? Reporting what others have claimed which has been reported in the news isn't a conspiracy theory. Do try to keep up.

Re:

[quall]

Where did I make such a claim??? A dentist posted PHI in a review and was fined. The OP said that this news story was specifically made so that anti-vaxxers can somehow use it to blur the lines of what a HIPPA violation is. The idea that this story was made for anti-vaxxers to use is itself a wild conspiracy theory. It's ironic because conspiracies usually come from anti-vaxxers, and here the OP is spinning one.

Get it now? I hope so because it's tiring to explain the same thing t-h-r-e-e different ways. Eve

Re:

[ArchieBunker]

So you’re saying you want stronger worker protection laws?

Re:

[memory_register]

Stronger worker privacy laws for sure.

Re:

[Anonymous Coward]

memory_register:

In order to make it seem like your employer asking about your vaccine status is ok.

It is ok. This story is complete unrelated, except in your ignorant, egotistic and fearful mind.

Re:

[mmdurrant]

If they can make me pee in a cup for insurance purposes, they can ask about my vaccinations for infectious disease for insurance purposes.

You suck at thinking.

The Specifics

[Steel_viper]

--In the post, he used the patient's full name:
This bit is PII (personally identifiable information). It's technically also PHI.

--and described, in detail, the specific dental problem he was in for: "excruciating pain" from the lower left quadrant, which resulted in a referral for a root canal.
This bit is PHI (protected health information)

So yeah. Double whammy.

Re: very Slow news day

[anonymouscoward52236]

You are complaining about slow news on April Fools day? Lol.

Re:

[bloodhawk]

April fools day was yesterday for me and a large part of the world.

A D A !!

[redelm]

Of course posting patient details is a serious ethical and HIPPA violation. Acting with prejudice towards the (potentially) diseased, even communicable (HIV) is a violation of the ADA ... not the computer language, the Americans with Disabilties Act.

Re:

[DamnOregonian]

Prejudice, yes.

However, current EEOC guidance says that a bona fide demand that someone be vaccinated, or show proof that they are not infected is perfectly fine.
Sauce. [eeoc.gov]

The ADA requires that any mandatory medical test of employees be “job related and consistent with business necessity.” Applying this standard to the current circumstances of the COVID-19 pandemic, employers may take screening steps to determine if employees entering the workplace have COVID-19 because an individual with the virus will pose a direct threat to the health of others.

Re:

[Dragonslicer]

Acting with prejudice towards the (potentially) diseased, even communicable (HIV) is a violation of the ADA

For something like HIV, sure, because it isn't communicable to someone who's just working near you. Something like measles, though, is not a disability, and your employer can tell you to stay home.

Re:

[whoever57]

Your argument is that, if someone provides a vaccination card showing that they have been vaccinated, an employer cannot trust it, and must verify it with their healthcare provider, despite vaccination cards and other paper records being accepted for many, many purposes without further checks, for decades?

Is that right? Or are you not familiar with the concept of a vaccination card?

Re:Same old strawman that refuses to die.

[cstacy]

Your argument is that, if someone provides a vaccination card showing that they have been vaccinated, an employer cannot trust it, and must verify it with their healthcare provider, despite vaccination cards and other paper records being accepted for many, many purposes without further checks, for decades?

Is that right? Or are you not familiar with the concept of a vaccination card?

I'm not the OP and I don't know if that's exactly my argument, but something that is different from decades ago is that people are highly motivated, trivially capable, and are actually known to be, forging these vaccination cards.

I'm more than six decades old, and I've never seen or dealt with a vaccination card ever before. (And beyond all the usual vaccinations I've had, about 15 years ago I worked doing medical research at a hospital and had to get all kinds of extra vaccinations. There were no cards.)

How to handle proof of vaccination in this technical age is not a trivial problem. Privacy being a theme in that problem space.

Re:

[cmseagle]

How to handle proof of vaccination in this technical age is not a trivial problem.

I suppose we could debate what you mean by "trivial", but it's certainly a solved problem.

Vaccination provider issues patient with a QR code encoding patient's name, DOB, vaccine details, etc. signed by provider's private key. Vaccination provider publishes their public key through chosen distribution channel (or, more commonly, encodes it in a smartphone app including a QR scanner). Anyone can now scan the QR code, decode the information using the vaccination provider's public key, and be sure that the

Re:

[cstacy]

How to handle proof of vaccination in this technical age is not a trivial problem.

I suppose we could debate what you mean by "trivial", but it's certainly a solved problem.

Just because we can imagine some possible ways to do it, and your suggestions are only partial solutions and consider only technical aspects and ignore everything about the real world, does not mean something is a "solved problem". It is only solved in your limited imagination.

If it were "solved", it would be implemented, and it is not.''

Typical techie response I guess.
Solved in your basement.

Re:

[cmseagle]

Solved in your basement.

My mom's basement is pretty big, but not that big. It seems there are things you don't know that you don't know.

The solution I described has been implemented in the form of the EU Digital COVID Certificate [europa.eu]. It was used widely across Europe to prove vaccination status for travel, entering restaurants, etc.

Re:

[drinkypoo]

I'm more than six decades old, and I've never seen or dealt with a vaccination card ever before.

That's because your mommy or daddy dealt with your records for you [sharpschool.com] when you were a child and may or may not [marinhhs.org] have had a single vaccination card. Your information may also have been recorded [ca.gov] with a state vaccination registry.

How to handle proof of vaccination in this technical age is not a trivial problem. Privacy being a theme in that problem space.

It's not a big problem for corporations because they don't care whether you were vaccinated, they care about liability. It's illegal for you to fake your vaccination records, including your covid card, so if you present them a fake one then it's your fault and not theirs unless it's someh

Re:

[cstacy]

I'm more than six decades old, and I've never seen or dealt with a vaccination card ever before.

That's because.

>

You then show a bunch of forms from a radically different part of the country, from a different century, some 55 years later than what I'm talking about.You also presume that I was enrolled in a state school, and also that I don't have all my records from back then.

Did you know that some of the vaccinations were just given at home by your parents? That no official witnessed them?

Re:

[drinkypoo]

I neither know nor care what part of the country you came from. Suffice to say that mandatory vaccinations for students have been a thing in states which care about the health of their citizenry since before 1922 [ama-assn.org].

Re:

[whoever57]

(And beyond all the usual vaccinations I've had, about 15 years ago I worked doing medical research at a hospital and had to get all kinds of extra vaccinations. There were no cards.)

There were cards, you were just ignorant about them. You could probably go back to whoever gave you those vaccinations and get cards for them now.

Travel to some African countries requires proof of vaccinations. I was required to show proof of vaccinations when I got my green card (I think that they determined that I needed at l

Re:

[cstacy]

You could probably go back to whoever gave you those vaccinations and get cards for them now.

The records from my vaccinations in 2006 are probably still on file. It is possible they could print them out for me, but they were annual, so long expired. The point being that we didn't have "cards" and didn't need "cards". We're talking about cards here, and having to have them to walk around and do ordinary things. Not whether medical records existed a few years ago.

Records of vaccinations in 1963? I think there might actually be some (perhaps irretrievable now) for some of them. But not all of them. B

Re:

[whoever57]

But not all of them. But again, the point is: in America, we haven't had to show papers -- much less vaccination papers -- just to do normal thingsm like work or going to a restaurant, ever before.

What employer will hire someone who can't show a social security card? Can you buy alcohol without showing ID? Can you fly without ID? Are these not normal things?

Schools have required proof of vaccination for decades. Such laws go back to the early 20th century.

Re:

[cstacy]

Writers and journalists should know better

It's a little late for Should-Haves. Marge.

Re:

[Nkwe]

Your health provider can provide your private health information to any party if you give consent for them to do so. If you want to work at your job or go that concert and you need proof of vaccination to do so, you are going to be giving consent to your heath care provider to provide that confirmation. (Your consent is given by opening up the app on your phone and displaying the QR code.) You can also chose not to give the consent, and your health care provider won't confirm you status (leak your medical i

Re:Same old strawman that refuses to die.

[shilly]

All those words and you fail to understand that a patient can authorise their healthcare provider to disclose information about them to whomever the patient bloody well chooses to including but not limited to newspapers, employers, the government or their great aunt Maisie.

Re:

[rantrantrant]

By providing proof of vaccination to a service provider you're also giving permission for them to verify your identity & vaccination status. I'm not a lawyer but isn't this also how ID cards, driving licences, passports, etc. work, i.e. verify your identity & some kind of official record about you?

Re:

[bill_mcgonigle]

Interesting point. You changed my mind to a degree.

Re:

[SvnLyrBrto]

Never mind the technicalities of exactly how HIPAA works. The point is that medical privacy and doctor/patient confidentiality exist for reasons... very important reasons... and we discard those protections at our own peril, and put others in peril when we do so. "Oh, but what's so perilous about your COVID vax?" you might ask. Well, nothing really; but that's shortsighted. It's not about COVID. It's about what comes after.

Consider Truvada. More commonly known as PrEP (Pre-Exposure Prophylaxis), Truva

Review sites suck

[Petersko]

The review ecosystem has become pretty useless. It hadn't so much shone a light on businesses delivering shoddy service as it has demonstrated what petty, pinheaded pissants the consumers often become when given a platform. There's no way of knowing from a review if the restaurant's gumbo is actually bad, or the reviewer asked the waitress for a date and she declined.

Fined?

[cloud.pt]

This shouldn't be a fine, it should be compensation to the patient who got their health information leaked

The real lesson here...

[Harvey Manfrenjenson]

...is that you have to be skeptical when reading online reviews of doctors. You should read them, I guess (I always do), but you have to remember that the doctor isn't allowed to give his/her side of the story.

Here's an extreme example: I met a new patient a while back, who came in to my office requesting high doses of multiple controlled substances. A check of the pharmacy records showed me that they were getting multiple prescriptions from multiple doctors already. When I refused to give them the medic

So does this mean

[Eulf]

It's okay for a patient to commit libel against a doctor and the doctor has no recourse?

Re:

[znrt]

no, how did you come to that conclusion?

there is the same recourse as for any such offence: suing and hopefully getting it taken down and possibly a reparation. this is what any normally smart person would do if even bothered, but not the doctor in the story who went full online psycho.

if you can't sue for libel then it's probably because it isn't libel, and unfavorable opinions are just part of the game and need to be allowed. it sucks that the doctor can't even challenge the opinion publicly online but th