Did I just kill any chance I had at any school with one sentence?


OCDOCDOCD

So I was just thinking about my PS when it occurred to me that I talked about a patient with MS (also said which form of MS it was) and also mentioned their sex and general age (eg: "she was in her 40s"). Although in the PS I don't say anything about the physician or clinic other than that it was a neurology clinic, it would be pretty obvious from my W&A section where I saw this patient at and with whom. It didn't even occur to me that that could be a HIPAA violation until just now, and of course that possibility only came after I already submitted my app. All I let slip was general age, sex, and diagnosis. Never gave a name (just referred to as "patient"), exact age, date of visit, race, or anything else. So, is that enough to qualify as a HIPAA violation?

Hopefully I'm just being neurotic, but if not I guess I should be thankful that I only put down one school thus far :scared:

Also, before anyone says it, yes I searched the forums since I knew similar topics have been asked in the past, but all the ones I found were asking about naming patients in the PS which isn't very relevant to my issue.
 

Yeah you're fine. You have to be a lot more specific than that to violate HIPAA. If you were like "A woman in her 40's who stars in 30 Rock" that would be bad. But you only gave one minor detail. AdComs won't think anything of it.
 
It's not a HIPAA violation unless you mention their full name. You should be fine.
 
you're fine. there's nothing identifiable about the patient unless she's literally the only person with MS at your volunteer site.
 
i'm fairly sure you're just being neurotic. most cases of MS are female anyways...
 
It's not a HIPPA violation unless you mention their full name. You should be fine.

As mentioned above, this is not true.... you are prohibited from giving the date of the visit (It was Christmas Eve) the address of the home (when I made a hospice visit to 1010 Park Avenue) and a number of other "personal health information" (PHI), but, for a disease like MS, stating that you saw a woman in her 40s is not specific enough to identify a specific patient.

I don't know if this is specifically on the list of PHI that can't be disclosed but the worst I ever heard was in a hospital presentation when we were permitted to talk about the patient (it was considered business operations) but we would try to keep name, etc on a "need to know" basis rather than disclosing to all 60 people in the room. The faculty member asked the trainee making the presentation, "what is the patient's occupation" and rather than saying "lawyer" or "elected official" or "Judge" or "business executive" or something like that the resident gave the woman's job title. She was the only person (or maybe the only woman) with that job title and we were all reminded that the information shared at the meeting was not to leave the room. With any luck that hapless resident is now a faculty member with an appointment to the adcom and will be sympathetic to your (very minor) screw up.
 
So everyone seems to agree that just listing sex, age, and disease isn't anything to worry about. That's a relief. Pretty reassuring to hear it from LizzyM too 😍
 
Is it alright to use a fake name and be specific about what happened to them? For example say I make up the name John to describe a man who came in and got 3 lacerations sutured and describe it in detail, is that alright?
 

Depending on how hard up you are to save characters you can say, "A man I'll call Jon" or "Jon (pseudonym)." Also, to save characters it is great to have a bunch of 3 letter names to draw from: Jon, Jim, Tom, Tim, Ida, Amy, Kim, Sue.

In all likelihood, describing a man's injuries in detail would not be a HIPAA violation but it might be TMI for a PS. If it is brief, then it is ok. "A man I'll call Jon needed to be stabilized and rushed to the OR for injuries from a firecracker that went off in his hand." That's enough about the patient and the rest might be how the physician and/or other team members handled the injured man, what you learned or what inspiration you drew from this and how this will influence your practice. In fact, you really don't need the guy's name and you could just call him "a young guy".
 
What about saying something like "my mother had MS"
Isn't that identifying someone? Or does it not matter because you weren't one of her healthcare providers?

Should I mention I go through patient medical charts and talk about what I learned from that experience?
 
It's not a HIPPA violation unless you mention their full name. You should be fine.

The quickest way to tell someone doesn't know a thing about HIPAA is that they call it "HIPPA."
 
What about saying something like "my mother had MS"
Isn't that identifying someone? Or does it not matter because you weren't one of her healthcare providers?

Should I mention I go through patient medical charts and talk about what I learned from that experience?

If you found out some way other than through a clinical interaction, it isn't covered by HIPAA. So if you read in the sports page of the newspaper, it isn't a HIPAA violation to repeat what was in the paper. However, if you disclose something about the patient that wasn't in the newspaper but that was in the medical record, you'd be in violation.
 
As mentioned above, this is not true.... you are prohibited from giving the date of the visit (It was Christmas Eve) the address of the home (when I made a hospice visit to 1010 Park Avenue) and a number of other "personal health information" (PHI), but, for a disease like MS, stating that you saw a woman in her 40s is not specific enough to identify a specific patient.

I don't know if this is specifically on the list of PHI that can't be disclosed but the worst I ever heard was in a hospital presentation when we were permitted to talk about the patient (it was considered business operations) but we would try to keep name, etc on a "need to know" basis rather than disclosing to all 60 people in the room. The faculty member asked the trainee making the presentation, "what is the patient's occupation" and rather than saying "lawyer" or "elected official" or "Judge" or "business executive" or something like that the resident gave the woman's job title. She was the only person (or maybe the only woman) with that job title and we were all reminded that the information shared at the meeting was not to leave the room. With any luck that hapless resident is now a faculty member with an appointment to the adcom and will be sympathetic to your (very minor) screw up.

Perhaps this falls under the "business operations" umbrella but I work for a consulting company where we get very detailed surgical and transfer data per patient (date of visit plus lots of other yummy stuff). Hospitals are incredibly neurotic about remaining compliant with HIPAA but just adding a modifier to their patient number is enough for them. Not saying the esteemed LizzyM is wrong just that the rules seem to be specific to various circumstances.
 
What if I mentioned the patient's first name in my PS then proceeded to list the person's condition (which everyone at this particular facility has)? In my EC's list it shows where this person is..
 
Perhaps this falls under the "business operations" umbrella but I work for a consulting company where we get very detailed surgical and transfer data per patient (date of visit plus lots of other yummy stuff). Hospitals are incredibly neurotic about remaining compliant with HIPAA but just adding a modifier to their patient number is enough for them. Not saying the esteemed LizzyM is wrong just that the rules seem to be specific to various circumstances.

Yes, hospitals are permitted to share PHI with "business associates". They have to tell the patient that they are doing this and the patient must authorize the release of information and be given information about how to withdraw authorization. On the other hand, withdrawing consent could mean that PHI necessary to approve payment of the hospital bill could not be sent to the insurance company and that would be a problem for the patient so almost all sign the authorization form and don't withdraw.
 
What if I mentioned the patient's first name in my PS then proceeded to list the person's condition (which everyone at this particular facility has)? In my EC's list it shows where this person is..

You might be ok but it might be best to use a pseudonym. Many years ago a fellow adcom member read an application from someone who had done volunteer work at an agency where her son had received services and the name of the organization was in the experience section. To her surprise, the PS spoke specifically of a child named [first name]. It was her son who had died suddenly just weeks before! Her son has been an inspiration to the applicant and contributed to his motivation to pursue a career in medicine but she handed the application back to the file clerk and had someone else review it.
 
What about giving age and first name of the patient, and saying he had cancer?
 

Not sure how giving the exact age or exact name (while using the broad term "cancer" to describe his medical condition) helps your PS at all. Why not err on the side of caution and just give an approximate age and a pseudonym?
 
Yes, hospitals are permitted to share PHI with "business associates". They have to tell the patient that they are doing this and the patient must authorize the release of information and be given information about how to withdraw authorization. On the other hand, withdrawing consent could mean that PHI necessary to approve payment of the hospital bill could not be sent to the insurance company and that would be a problem for the patient so almost all sign the authorization form and don't withdraw.

Interesting, is this part of the standard forms patients get when they go to the hospital? We have the records of thousands of patients, I can't imagine they all get separate informed consent forms before getting surgery.
 
So I was just thinking about my PS when it occurred to me that I talked about a patient with MS (also said which form of MS it was) and also mentioned their sex and general age (eg: "she was in her 40s"). Although in the PS I don't say anything about the physician or clinic other than that it was a neurology clinic, it would be pretty obvious from my W&A section where I saw this patient at and with whom. It didn't even occur to me that that could be a HIPAA violation until just now, and of course that possibility only came after I already submitted my app. All I let slip was general age, sex, and diagnosis. Never gave a name (just referred to as "patient"), exact age, date of visit, race, or anything else. So, is that enough to qualify as a HIPAA violation?

Hopefully I'm just being neurotic, but if not I guess I should be thankful that I only put down one school thus far :scared:

Also, before anyone says it, yes I searched the forums since I knew similar topics have been asked in the past, but all the ones I found were asking about naming patients in the PS which isn't very relevant to my issue.

Relax buddy, this isn't a HIPAA violation.
 
This thread has got me paranoid. I used an anecdote where I called the patient "young", said gender, described mechanism of injury and name dropped a physician involved. Someone tell me I'm safe...
 

lol you should check out the other thread about name-dropping. i think you are perfectly fine. i think those are very vague details about the patient.
 
Hmm, I didn't know of how erroneous it might be to name drop or describe the condition of a patient, especially with regards to privacy. Take this scenario, I wrote extensively in my PS about a patient (including name) who I worked with in screening and rehabilitation for a particular condition (which I also identified). However, this was during the time that I spent overseas in a foreign clinic. Since this experience was not in the US, it doesn't constitute a HIPAA Privacy violation, does it?

I already submitted my PS, so there's not much I can do now to fix that. :/
 
Don't be that guy...

Except it's, you know, true. Pretty much every time I see someone state some nonsense about HIPAA (like arguing against the fact that you have to bill electronically for HIPAA to apply), they spell it "HIPPA."
 
Yes, hospitals are permitted to share PHI with "business associates". They have to tell the patient that they are doing this and the patient must authorize the release of information and be given information about how to withdraw authorization. On the other hand, withdrawing consent could mean that PHI necessary to approve payment of the hospital bill could not be sent to the insurance company and that would be a problem for the patient so almost all sign the authorization form and don't withdraw.

I'm going to have to disagree with this. "treatment, billing, and healthcare operations" are "permitted uses" of "protected health information," and no consent is needed to share that information. There's no need to gain permission to send information to the patient's insurance any more than there is to gain permission to share information with the QA/QI people, or for when officially consulting with another medical service.

"Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations:
...
(2) Treatment, Payment, and Health Care Operations;
(2) Treatment, Payment, Health Care Operations. A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities. A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship. See additional guidance on Treatment, Payment, & Health Care Operations.

Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.

Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.

Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.

Emphasis added

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
 
So I was just thinking about my PS when it occurred to me that I talked about a patient with MS (also said which form of MS it was) and also mentioned their sex and general age (eg: "she was in her 40s"). Although in the PS I don't say anything about the physician or clinic other than that it was a neurology clinic, it would be pretty obvious from my W&A section where I saw this patient at and with whom. It didn't even occur to me that that could be a HIPAA violation until just now, and of course that possibility only came after I already submitted my app. All I let slip was general age, sex, and diagnosis. Never gave a name (just referred to as "patient"), exact age, date of visit, race, or anything else. So, is that enough to qualify as a HIPAA violation?

Hopefully I'm just being neurotic, but if not I guess I should be thankful that I only put down one school thus far :scared:

Also, before anyone says it, yes I searched the forums since I knew similar topics have been asked in the past, but all the ones I found were asking about naming patients in the PS which isn't very relevant to my issue.

More government! More regulations! That's the answer to everything!
 
I'm going to have to disagree with this. "treatment, billing, and healthcare operations" are "permitted uses" of "protected health information," and no consent is needed to share that information. There's no need to gain permission to send information to the patient's insurance any more than there is to gain permission to share information with the QA/QI people, or for when officially consulting with another medical service.

"Permitted Uses and Disclosures. A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
...
(2) Treatment, Payment, and Health Care Operations;
(2) Treatment, Payment, Health Care Operations. A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities. A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship. See additional guidance on Treatment, Payment, & Health Care Operations.

Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another.

Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.

Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.

Emphasis added

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Thank you for educating me. In practice, every health care facility where I've been a patient for the past 10 years or more has had me sign something or provided me with information about how my data would be used. 😕

Research is my bailiwick and there we do have to have authorization to use PHI.
 

Ah, ok. Notice of privacy practices has to be given (hence the signing), including things like a point of contact for questions. That's going to be different than gaining permission for permitted uses. Looking under the notice section of that link, patients can request that information not be shared, but the provider isn't under an obligation to do so for permitted uses (it would be silly for a patient to not pay and then refuse billing of insurance under privacy grounds).
 