Wikipedia:Reference desk/Archives/Miscellaneous/2021 July 7

= July 7 =

Definition of an "Individual" in HIPAA/HITECH
I've read a lot of stuff on HIPAA/HITECH about PHI. They continually use the word "individual" when I would personally use the word "patient." So, where is the word "individual" defined? Depending on the definition, the name of the mail delivery person who dropped off a package at a hospital is protected health information because that person is an "individual." If it is limited to patients, where does it say so? 97.82.165.112 (talk) 17:13, 7 July 2021 (UTC)


 * Courtesy links: Health Information Technology for Economic and Clinical Health Act, Health Insurance Portability and Accountability Act, Protected health information. Matt Deres (talk) 18:13, 7 July 2021 (UTC)
 * Could you provide an example? Is it possibly tied to the legal concept of corporate personhood?
 * Looking over several sites about HIPAA and such, their use of "individual" seems quite normal to me. For example, "Individual’s Right under HIPAA to Access their Health Information exit disclaimer icon". I am not currently a patient anywhere, but I still have the right to access my health information. Thus, "individual" is more appropriate than "patient". I would expect that the texts that you are seeing are of this type and that context makes it clear that the "individual" in question is the person whose records are being requested and not just any random "individual" person. --Khajidha (talk) 18:27, 7 July 2021 (UTC)
 * An example? How about Wikipedia's protected health information page. Check the first sentence. It uses "individual" without an explanation. It then claims that it is interpreted "rather broadly." If it stated "an individual who received health care from the organization," it would be clear. But it states "an individual." So, if an employee at a hospital in California posted on Facebook that Trump looks fat, that is a PHI violation. Trump is an individual. Obesity is a health issue. The hospital is a HIPAA covered entity. But, that makes no sense because that is not a release of health information about a person being treated in some way by that hospital system. I know it is pedantic, but this is all based on law and laws are pedantic. Somewhere, in some form, there must be a legal statement that defines the limitation of what an "individual" is. Another real-world example that I found: A health organization has a policy that no doctor's names can be released in any form. They can't include them in interviews. They can't place them on the office directory. They don't even put doctor's names on ID badges. Why? PHI includes names. Doctor's names are names and doctor's names appear in health records. So, doctor's names are PHI. That organization is currently working with lawyers to decide if the names of the clinics where patients are treated are also PHI. If so, they must remove the names from all buildings. 97.82.165.112 (talk) 11:29, 8 July 2021 (UTC)
 * Yes, and it goes on to say that it "includes any part of a patient's medical record or payment history". To mangle that into what you are asking about requires the questioner to be either a complete idiot or an utter troll. You answered your own objection with "that makes no sense because that is not a release of health information about a person being treated in some way by that hospital system". --Khajidha (talk) 13:12, 8 July 2021 (UTC)
 * Trying to justify what we both agree is idiocy... The name of a doctor who treated a patient is part of a patient's medical record, so releasing the name of a doctor is PHI. I can find nothing at all that indicates that the information released must be associated with a patient, or in the Trump example, that the information must be associated with a patient record at that health care organization. I understand that the entire point is that we don't want to identify which patient's information is being released, but the actual text is written such that ANY information released that might be part of any patient's medical record is PHI. I'm trying to find the actual text that defines the limitation because lawyers are risk averse. If there is nothing written in stone stating that you can in fact release the name of a doctor, then they read the law as broadly as possible and consider all doctor's names to be PHI and unreleasable. I am a bit surprised that it is so difficult to find. Most people say it is just common sense, but those who want to be risk averse use the vagueness of the exact written word to justify idiotic decisions. 97.82.165.112 (talk) 14:52, 8 July 2021 (UTC)
 * Did you try searching for the actual regulations? I found this: "Individual means the person who is the subject of protected health information" in the PDF available here. A doctor's name, by itself, is not part of any protected health information. --Khajidha (talk) 15:11, 8 July 2021 (UTC)
 * Who is the "individual"? It is the "person who is the subject of PHI". Who is the "subject of PHI"? It is the "individual." Yes. That is crystal clear. Also, that document states that "names" are PHI. It doesn't state that patient names are PHI. It states that names are PHI. 97.82.165.112 (talk) 16:30, 8 July 2021 (UTC)
 * Yes, the individual is the person who is the subject of PHI. The subject of any health information is the (former) patient. This is basic English. I don't know if you are an idiot or a troll, but we are done here. --Khajidha (talk) 18:15, 8 July 2021 (UTC)
 * Where does it state that the subject/individual is a PATIENT? That is what I've asked for from the beginning. The text is written so it can be read in an idiotic way. It doesn't clearly state anywhere that hte subject/individual is a patient or was a patient or received treatment or anything. We assume it is a patient, but the text doesn't make that clear. 97.82.165.112 (talk) 18:36, 8 July 2021 (UTC)
 * If health information is available about an individual, then that information will have been provided (directly or indirectly) by a medical professional, colloquially called a "doctor", who has examined the individual. An individual who is seeing a doctor is colloquially called a "patient", even if they are perfectly healthy and will not receive treatment for any ailment. So the presence in the system of health information on a particular individual implies, in a colloquial sense, a patienthood status. Additionally, health information entered into the system will normally cover health conditions and diagnoses, because that is the type of information an insurer receives; you don't send them a message that all is well. --Lambiam 09:38, 9 July 2021 (UTC)