21 November 2008


An article with some CT images was published earlier today. Unfortunately, not all patient identifying information was removed from the images. Thanks to an alert reader who notified me of this error.

The post has been taken down and will not be republished. I regret the error.


  1. fyi--it's still up on your medpage blog...

  2. Why not just blur the id info? That was a very educational (and important) post.

  3. I can still see it in google reader.

  4. Isn't it a HIPAA to post the whole story and the scans even without names?

  5. sorry - should have previewed - I meant HIPAA violation.

  6. Anon 1:23,
    I know it's still up at MedPage. I asked them to delete it also, but I guess they're gone for the weekend.

    Yeah, I could redact and repost it, but given that it was a serious error, I'll go the extra mile to show good faith. Maybe I'll revisit the topic in the future.

    Anon 11:52,
    No, it's only a violation if protected patient-identifying information is disclosed. Scalpel had a decent primer on the topic a while ago. Also, this story, like every one I post, is highly fictionalized to protect patient privacy. The incident patient would not recognize themself. Well, if I hadn't left the name on one of the images.


  7. So it would only be a maximum $50,000 fine and one year imprisonment if you hadn't posted it to Medscape (who pays you to blog about interesting stuff).

    Per Section 1177(b)(3) since you used individually identifiable health information for commercial advantage, personal gain, or malicious harm, that means you could be fined not more than $250,000, imprisoned not more than 10 years, or both.


    That's one of the reasons I don't have advertisements on my blog.

  8. Way to cheer a dude up, Scalpel!

  9. Hi ShadowFax,

    As your friendly neighborhood privacy fanatic who is not a health care professional, I notice and appreciate that you're showing caution now.

    We can only make our choices now, yes? So now you take action to meet both the spirit and the letter of the deal between docs & patients. Thank you.

  10. Given the first offense and the apology and all, he's probably only looking at a couple of years and 100K fine max.

    That should cheer him up! Hehehe.

  11. I'll bring you a cake with a file in it, and you can crash on my couch if you're a fugitive from justice, Doc.

  12. This whole blog is one big ole HIPAA violation. The identity of several of your patients has been obvious from news stories about them and your identity took me 2 google searches to find. I cannot believe the risk management at your hospital lets you get away with this BS.

  13. You say Scalpel had a decent primer on the topic

    If it is known that a physician, nurse, or other healthcare worker practices at a certain facility, for example, then the second requirement seems to be violated.

    You don't quite make the grade according to Scalpel's criteria. It was obvious from one of your posts about a patient exactly what hospital in what metropolitan area you practice at. You mentioned a case that would obviously have been mentioned in the papers. I did a quick google because I couldn't believe someone would be so reckless as to mention it. Then when I found the article I googled again to find the name of the group that covers the ER and one of the docs matches the bio and profile for shadowfax practically word for word.

  14. Anon (Anons?),

    You need to let it go. You're not the first person to deduce my identity, and indeed, I've been cited by name in national publications. The name stays off the blog, but it's hardly a secret.

    And don't make too many assumptions about the veracity of my posts. I fictionalize, liberally. I omit many facts, alter others, invent some -- all to obscure the patient ID as well as to make a point or to make a better story. Further, some of these posts are patients I did not even see -- they are second-or-third hand tales of the ER. They're good stories nonetheless, and whether they are exactly true or not, they give a good view into my world, which is what I am trying to communicate. So don't get too wrapped up in the HIPAA stuff -- half of what you read on this blog is bullshit. Trust me, I know the author, and you can't believe a word he says.

    Anyway, I have had half a dozen lawyers/compliance officers review this blog, and they all agree that I am on the right side of the law to this point. So I got that going for me, which is nice.

    I know your heart's in the right place, though, and thanks for keeping me honest.

