How Is the Proposed Oklahoma Law to Publicly Post Details of Abortions Online Not a HIPAA Violation?

Because nothing says freedom like government shaming regarding a private healthcare decision:

Move over, Hester Prynne:

On Nov. 1, a law in Oklahoma will go into effect that will collect personal details about every single abortion performed in the state and post them on a public website. Implementing the measure will "cost $281,285 the first year and $256,285 each subsequent year." Here are the first eight questions that women will have to reveal:

  1. Date of abortion
  1. County in which abortion performed
  1. Age of mother
  1. Marital status of mother
  1. Race of mother
  1. Years of education of mother
  1. State or foreign country of residence of mother
  1. Total number of previous pregnancies of the mother

Oklahoma's Department of Health argues that there is "no cause for concern or protest in regards to privacy issues" because the whore woman isn't required to give her name, but quite obviously it wouldn't be too hard to crack the code for those living in small communities.

The Department of Health will also need to know:

... the method of payment; the cost of the abortion; the type of medical health insurance; whether an ultrasound was given; and the nature of the mother's relationship with the father.

Why don't we just tattoo a Scarlett "A" on their foreheads?

(h/t: digby)

More like this

The July 28 edition of the Lancet has a superb editorial about the need for legal and safe abortion in the developing world, particularly in Latin America (I've snipped parts; italics mine): ...Irrespective of an individual's viewpoint, the debate over abortion in Latin America cannot be ignored.…
In a debate on the floor of the Georgia State house over a bill to force women to bring all pregnancies after 20 weeks to term, even in cases of dead or non-viable fetus, this Georgia representative reaches a new low. State Rep Terry England seems to be suggesting pigs and cows do it, why can't…
Movement conservative Grover Norquist is famous (or infamous) for his slogan, "Our goal is to shrink government to the size where we can drown it in a bathtub." (There are different versions of this saying). In response, some on the left will quip, when discussing the theopolitical right, that the…
We comply with the HONcode standard for trustworthy healthinformation:verify here. Regular readers may note that I have been diddling with the content of my left sidebar and posting a new disclaimer tab to indicate the accuracy and objectivity of the health information presented herein. I…

"Here are the first eight questions that women will have to reveal"

So they are expecting the women who have had abortions to provide this information? I think this calls for a little creativity on the part of the women involved.

The people who promulgated this law are no better than the asshats who publish the personal details of abortion providers or animal researchers online "just so people can contact them and tell them how they feel".


Why is this law limited to abortion? Shouldn't it include all medical procedures?

Testicular cancer - how many testicles removed?

Breast cancer - full or partial mastectomy?

Vasectomy - wife's approval?

This is all bullshit and the law's authors ought to be publicly shamed. I hope the first one gets a HIPPA review and then is buried in a lawsuit that costs this ass-wipe state ten times the projected website cost.

MikeMa, punish the legislators not the people of Oklahoma.

Ive been baffled over this as well.

When we get blood from the blood bank, *we*, as in, the lab getting/using the blood, can only know the donors gender and blood type.

Just blood.

Just us.

Sometimes we get HIV+ blood, from people who didnt know they were (+) when they donated. We know their gender and blood type. Thats it.

Could you imagine if every time we got a bag of (+) blood, we published age/gender/race/education/county-state-country residence/etc online for anyone to read???


'Name' isnt the only way to identify someone.

I would be *easily* recognizable from that information if I needed an abortion. Then you get a church group to *innocently* broadcast my name by getting everyone to 'pray for me'... Oh trust me, Ill be suing if I need an abortion while Im here.

I agree that this is about as mean spirited as legislation can get. But a HIPAA violation? Not likely.

By bob koepp (not verified) on 14 Oct 2009 #permalink

We recently we unable to sequence the genome of a bacterium that came from a clinical infection. Had we done the sequencing, we would have had to deposit the genome sequence at NCBI, and we were informed that would be a hipaa violation.

Somehow that's a hipaa violation but publishing all this info about people who receiving abortions is just fine and dandy.

Colin @3
The people of OK elected these assholes and desrve to suffer the consequences of their stupidity. Elect better representatives!

You guys do realize that the people proposing this bizarre violation of privacy and insult to logical minds are fundies who think humanity belongs back in the 11th century and who get their ideas about what they think is right from the fucking PAST.

By Katharine (not verified) on 14 Oct 2009 #permalink

bob koepp

But a HIPAA violation? Not likely.

What happens the first time a woman is outed based on this travesty. The intent of HIPPA is to protect medical information. If the implementation allows easy violation, isn't that actionable? IANAL, just looking for some hope.

MikeMA - Intent doesn't count. What does count is the letter of the law. I'm not an expert in interpreting HIPAA regs, but there's nothing in the above list of "items of information" that would be an obvious violation.

Rather than worry about HIPAA, I think that Oklahoman legislators should be pressed to explain what legitimate governmental purpose is served by this law. Last time I checked, trying to frighten citizens so they will be less likely to exercise their legal rights is not a legitmate purpose of the law.

By bob koepp (not verified) on 14 Oct 2009 #permalink

Intent doesn't count. What does count is the letter of the law. I'm not an expert in interpreting HIPAA regs, but there's nothing in the above list of "items of information" that would be an obvious violation.

Based on the HIPAA training we received, it's a violation if the information can be linked to a specific individual. The most often used example is that you can't include an age/birthday for individuals over 90 years old, because there aren't enough of them in the country and it makes it possible to connect the record with the individual even without a name.

Perhaps, purely for balance, all the details of the sex lives of the Oklahoma legislators should be published regularly?

After all, as good Christians they won't be embarassed by their answers to just the first eight of these questions:

1. Date of sexual act/thought. Include impure ones.

2. County in which the above occurred & county of other person(s) involved.

3. Age & sex of all persons involved. If any are below the age of consent that should be in boldface.

4. Marital status of all involved. Of course, no legislator in Oklahoma would ever have sex before or out of marriage but the completeness sake this should be answered.

5. Race(s) of all involved. Even if this means peeking under their hoods.

6. Years of sexual activity of all involved.

7. State or foreign residence of all involved.

8. Complete history of all sexual partners of the legistator.

Nothing embarassing for them I'm sure.

Kierra - Right, the issue is whether the information in question is sufficient to permit identification of a particular individual. I doubt that solely on the basis of the information referenced in the "eight questions," one could identify an individual who obtained an abortion in Oklahoma.

And... while I understand the point behind the example you cite, I defy anybody to explain how they know the identity of the 92 year old about whom I am thinking. I'll even offer some useful hints: he's male, he's a naturalized citizen who emigrated to the US at the end of WWII, and he currently resides in a sunbelt state.

By bob koepp (not verified) on 14 Oct 2009 #permalink

I doubt that solely on the basis of the information referenced in the "eight questions," one could identify an individual who obtained an abortion in Oklahoma.

You, sir, have obviously never spent a significant amount of time living in a small town. Most people won't go to the effort to identify the individual, but there are always a few busybodies who will.

Consider the following: 1. Abortion providers are rather thin on the ground in much of the country generally, and in Oklahoma in particular. 2. "Pro-life" zealots are known to monitor comings and goings at facilities that provide abortions, and they use video cameras.

Conclusion: There are likely to be several instances in which exactly one abortion occurs in any given Oklahoma county on a given date. That means that it is possible for one of the aforementioned busybodies to associate that record with a particular person, just on the answers to the first two questions alone (and the next six questions could easily confirm that deduction). If "pro-life" zealots are videotaping comings and goings at that clinic on that day, they can see what non-employees visited and provide the woman's picture.

As I understand it (I'm a layman; somebody else can confirm), it is a HIPAA violation if enough information is released that *somebody* can deduce who the person is. To take Kierra's example: I don't personally know many nonagenarians, but somebody who does and sees that person's age and date of birth can reasonably deduce that the record concerns the person in question. The law requires disclosure of sufficient information that a local busybody can figure out who got the abortion, therefore it is a HIPAA violation.

By Eric Lund (not verified) on 14 Oct 2009 #permalink

This law will go to court near the end of the month. Two women (one a former state representative) as plaintiffs oppose the bill, not on privacy concerns, but on the Oklahoma constitutional requirement that all bills must deal with only one subject, which this bill apparently does not. Thus, such a tactic may be easier than trying to prove a questionable infringement of HIPPA. The plaintiffs are, of course, strongly pro-choice. They are being assisted by a national pro-choice organization.

Also by law, the Oklahoma Attorney General (Drew Edmondson, a Democrat who is a strong candidate for Governor) will have to defend the bill! Likely, one of his assistants will handle the court hearing.

And... while I understand the point behind the example you cite, I defy anybody to explain how they know the identity of the 92 year old about whom I am thinking. I'll even offer some useful hints: he's male, he's a naturalized citizen who emigrated to the US at the end of WWII, and he currently resides in a sunbelt state.

Given the actual date of birth, it should be pretty easy to get close. Given some older census numbers (2000):

1) There are about 1.2 million men over the age of 85 in the country.
2) There are about 1.8 million men aged 80-84, so you can see that the numbers trail off drastically as you get older. Let's be ridiculously generous and assume that 92 is as old as you'll ever get and you're equally likely to be any age in that range. That gives us 170,000 92 year old men.
3) Assuming you get a date of birth, that shrinks the pool by at least a factor of 300 (I have no idea how birth dates are distributed, so let's just use this number as a margin of error). We're down to 566.
4) Let's assume that 75% of those live in sun belt states (maybe 92 year olds like warm weather). We're at 424.
5) How many were immigrants and what was the range? Hard to get these numbers, but making a bunch of assumptions and assuming that "end of World War II" spans about 10 years, it looks like generously, 2.5 million out of 166 million people in the US entered during that time frame. Now we're down to about 6 people.

Without the birth date, this gets much hairier, but we're also talking about a very localized search in the case of this law. I have no trouble believing that it would be easy to pick out individuals, especially in reltiavely isolated communities with a low probability that outsiders would come in for the procedure.

It looks to me like there are only 3 cities in Oklahoma with over 100,000 people in them. In fact, almost half of the population lives in cities of less than 15,000. If you assume that ages 15-40 are reasonable age groups for abortions and ignore the slight variation in age groups, it looks like slightly less than 1% of the female population sits in each of those age groups. Assuming a 50/50 split of men and women, that means that about half the women in that age group in Oklahoma share their birth YEAR with about 75 women in their home town.

If you're on the list, hopefully you'll be able to hide behind the "mostly white" racial demographics (God help you if you aren't) and the fact that years of education and age are strongly correlated over the first half of the distribution. Otherwise, while you may not be a sore thumb, it ain't good. If you were "missing" on the date in question, that probably doesn't help.

By Troublesome Frog (not verified) on 14 Oct 2009 #permalink

In health statistics, where the number of specific cases is small, "residual disclosure" of identity is a recognized concern. My organization does reports on hospitalization for injuries in various regions, and in those reports, if the numbers of cases in a given category (such as automobile collision) is less than five, we do not report the actual figure (just "less than five"), to avoid inadvertently disclosing the identity of the person involved.

I can certainly see how public release of the information described above could lead to similar privacy worries.

Even if the information should not identify an individual, the busybodies probably aren't afraid to hurt their victims.
One can imagine this scenario: A slightly obese and unpopular girl misses high school on one day, excused for a medical procedure. Busybody finds on web site that an abortion was performed in same county on that day. Rumors fly, and hurt unpopular girl, no matter if she really went for a wart removal. 'nuff said.

Well, there's reason #384 not to live in Oklahoma.

Never underestimate the power of data-mining. I am a computer programmer by trade, I know for a fact that given a zip code and date of birth, advertisers can pretty much identify you to the point that they get your name Mostly right, if you have family that live in the same zip you might get something for them.

Given the information requested is date of procedure, age of patient, location of procedure, and resident county of patient you would be very shocked how easy it is for a data-mining program to gather a rather limited number of probable people.

And as we all know the fundies will throw a few innocent people under the bus to get the one person they are after, you know the "christian" way of doing things...

But I digress, people in the country have NO clue how easy it is to identify you from seemingly random information. This is what Data-Mining was developed for. Privacy is something that died a while ago, mourn it, long for it, never forget when you had it, but accept that it is gone. :-/

Connect with best Immigration Lawyers in Leicester. Idris and Co Solicitors in Leicester shire specialize in Immigration Law. We provide one of the most comprehensive immigration law firm services in Leicestershire.

Logistics Transportation laws book - âTransportation Logistics & Lawâ authored by transportation laws expert William J. Augello is a pioneer in transport laws and logistics transportation laws.

This is absolutely the violation of HIPAA privacy and security law. Without the permission of the patient, or here in this case the aborted woman, you can publicly post details of abortions online. The HIPAA privacy and security law is created to protect individual patientâs health information and not to disclose it online. It is having said that many of the hospital staff including the doctors are unaware about the hipaa security and privacy law and accidentally breach out the vital patient information, and to avoid such incidence HIPAA Training is only one of the most important option. So if he or she is a doctor, nurse, MT or any concern person handling the patient information, he/she has to go through the HIPAA Training. Here is one of the website that can help healthcare organization, covered entities as well as individual seeking HIPAA Training