Case Reports and HIPAA Rules

Imagine this scenario:

You are a medical blogger (doctor, nurse, student) and just saw a very interesting patient. You would like to describe the patient as a clinical case on your blog, in order to share it with other health care professionals (some non-medical readers may visit your blog as well).


Is this case report allowed under HIPAA regulations?


Yes, if you observe certain rules. If your opinion differs, please comment in the section below and add the relevant references. It is extremely important to check your employer's social media policy, which can be more restrictive and can extend or override the general HIPAA rules. HIPAA is a United States federal law.

Case Reports and The Health Insurance Portability and Accountability Act (HIPAA) of 1996

Physicians must ensure that the case report does not contain any of the 18 health information identifiers noted in the HIPAA regulations, unless authorization from the individual(s) has been obtained. The authorization is not required if none of the 18 identifiers below is used in the case report.

List of 18 Identifiers:

1. Names;

2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

4. Phone numbers;

5. Fax numbers;

6. Electronic mail addresses;

7. Social Security numbers;

8. Medical record numbers;

9. Health plan beneficiary numbers;

10. Account numbers;

11. Certificate/license numbers;

12. Vehicle identifiers and serial numbers, including license plate numbers;

13. Device identifiers and serial numbers;

14. Web Universal Resource Locators (URLs);

15. Internet Protocol (IP) address numbers;

16. Biometric identifiers, including finger and voice prints;

17. Full face photographic images and any comparable images; and

18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
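Identifiers 2 and 3 are the only ones that allow a generalized value to stay in the report instead of being removed. The Python sketch below is an added example, not part of the original post: it applies those two rules to a structured record and drops the direct identifiers. The field names, the sample record and the population table are constructed assumptions, and free-text narrative is not scanned.

```python
from datetime import date

# Constructed populations per 3-digit ZIP prefix (assumption); real figures
# must come from current Census Bureau data, as identifier 2 requires.
SAMPLE_ZIP3_POPULATION = {"441": 1_200_000, "059": 15_000}

# Hypothetical field names for identifiers that are removed outright.
DIRECT_IDENTIFIER_FIELDS = {"name", "street", "city", "phone", "fax",
                            "email", "ssn", "mrn", "birth_date"}

def generalize_zip(zip_code, zip3_population):
    """Identifier 2: keep three digits only if the area has > 20,000 people."""
    prefix = str(zip_code).strip()[:3]
    if len(prefix) == 3 and prefix.isdigit() \
            and zip3_population.get(prefix, 0) > 20_000:
        return prefix
    return "000"  # small or unknown area: fail closed

def age_on(birth, when):
    """Whole years elapsed between a birth date and a later date."""
    before_birthday = (when.month, when.day) < (birth.month, birth.day)
    return when.year - birth.year - before_birthday

def deidentify(record, zip3_population):
    """Return a copy with identifiers 2 and 3 generalized, direct ones dropped."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    out["zip"] = generalize_zip(record["zip"], zip3_population)
    # Identifier 3: ages over 89 collapse into a single category. The birth
    # date is never emitted, so no year can reveal such an age.
    age = age_on(record["birth_date"], record["admission_date"])
    out["age"] = "90 or older" if age > 89 else age
    # Identifier 3: only the year of an admission date survives.
    out["admission_year"] = out.pop("admission_date").year
    return out

# Constructed sample record, not a real patient.
SAMPLE = {"name": "Jane Example", "zip": "05901", "mrn": "000000",
          "birth_date": date(1930, 3, 15), "admission_date": date(2021, 6, 1),
          "diagnosis": "hip fracture"}

if __name__ == "__main__":
    print(deidentify(SAMPLE, SAMPLE_ZIP3_POPULATION))
```
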

12-Word Social Media Policy by Mayo Clinic: "Don’t Lie, Don’t Pry, Don’t Cheat, Can’t Delete, Don’t Steal, Don’t Reveal"

Cleveland Clinic Social Media Policy for Employees (PDF), from Association of Pediatric Program Directors, 2009.
The Purpose of this Blog - Dr.Charles.blogspot.

Related reading:

Twitter, HIPAA, Privacy and Freedom of Speech. Phil Baumann, 07/2008.
Privacy of Individually Identifiable Health Information. Code of Federal Regulations.
Do you need IRB approval for a Case Report? See for yourself here: and
ER nurse blog "impactednurse" back online - reason for taking it offline - a reader identified de-identified X-ray on Facebook
HIPAA found in Hippocratic Oath: Keep the patients’ secrets a secret. Also: My colleagues will be my brothers and sisters
Dr. Wes: HIPAA, Case Reports, and the "Small Cell" Problem, 2011.

Comments from Twitter, 2011:

@symtym (Tim Sturgill): What about more restrictive state rules? States may be much more restrictive, e.g., California; also medical societies and organizations, e.g., AMA. There are lots of ways to run foul. For example, this doctor did, without HIPAA being an issue - state law only:


Or Rhode Island… medical boards have lots of latitude. RI did not invoke HIPAA, not applicable; they had separate laws to utilize. No info released; shouldn't mix HIPAA specific rules with separate state authority - big point. A key issue is multiple "sovereigns" and their rules are brought into play. There is no doubt synergy, but the emphasis is multiple authorities and multiple legislative hx, agendas, interests, etc... I think it is very very important (b/c we are so used to and blinded to HIPAA) to be concerned about the many ways...


  1. Sorry, but I had to laugh when I found that Dr. Charles, the medblogger who used to so judiciously add disclaimers to all of his entries, left a comment here. ;)

  2. I see a lot of things that could be classified as a cross between case reports and first person types of blogging. I have to admit feeling some degree of discomfort with some of them, due to the detail presented.
    One thing that helps is when stories are not so contemporaneous, that they are events that have happened several months ago rather than just today, or just this week.
    I think you have to anticipate that one way or another patients will learn about your blogging and perhaps begin to check to see what you are writing about.

  3. For our Cases in the News Blog: we got one additional piece of advice from beta testers - replacing names with initials even though the names appear in the original articles to which we link.

  4. One thing that helps is when stories are not so contemporaneous, that they are events that have happened several months ago rather than just today.

  5. This post is wonderful!! I have used it on my own blog as a reference for what is and is not acceptable to post. As a medical student, this site was super helpful in summarizing privacy issues!

  6. Thank you so much for this information! I've been wondering about this and luckily, I've been erring on the side of caution (if you can call that an error :-) )

  7. This is a question I have. I read on a public site about someone who posted a comment using a patient's name and including a link to a website about this person and their accomplishments. The person who posted this was saying how they saw it a privilege to have this person as a patient and enjoyed them. There was no other personal info said or medical info. Is this a violation of a HIPAA law?

  8. If this is done without the patient's consent, then it is a HIPAA violation.

  9. The person who posted this said they chatted with the patient and the patient shared stories with them. They asked the patient if it was ok to pass on some of his stories because they knew people who would enjoy to hear about their accomplishments and the patient said sure you are welcome to share my stories? Not sure if this would change anything or not?

  10. It sounds like the patient gave permission for his story to be published online. The publication of the patient story does not represent a HIPAA violation in this case - check with a lawyer if you want to be absolutely certain.