> In the US your name and date of birth are very much PHI
Your name and date of birth when held by a HIPAA covered entity (where the mere fact of them being held by such an entity is a nexus to healthcare information from which it may be possible to deduce more specific healthcare information and associate it with the individual with only public data) is PHI. That’s true of PII generally.
> It’s personally identifiable information (short: “PII”), but it’s not medical data.
Just to be clear here. This sentence is referencing the "codice fiscale" and that it is not [necessarily] medical data.
The "codice fiscale" is a code consisting of letters and numbers. It can e.g. contain the first letter of your name. An example is provided in one of the article's pictures.
I'm not a lawyer but "codice fiscale" is not PHI. The Italian Data Protection Authority puts codice fiscale under PII[0] and it's not mentioned in the PHI section[1,2,3,4].
First off, good work! It is always nice to help people deal with these (sick and badly thought-out) platforms.
Anyhow, you should also check whether a "tessera sanitaria" is considered PHI, since it includes the "codice fiscale" (and, if I recall correctly, it is often used in "fascicoli sanitari" to identify an individual).
I'm not aware of how things work in the US, but...
Surely if you are only handling Names and DOB you don't have to be HIPAA compliant?
I mean, if you have to be HIPAA compliant (your application is medical-adjacent and/or is also handling other bits of data besides Name and DOB), then by correlating the DOB (or name) with the rest of the data, health information could be leaked, and thus you want to protect Name+DOB with the HIPAA standards (even just the fact that a certain name uses a certain app/is inside a certain system might be sensitive).
But otherwise... almost every system under the sun is ingesting name+DOB.
(there's a case to be made that the system described in the post is a medical app... but again: different jurisdiction)
Yeah I think it only really matters if you are trying to be HIPAA compliant, like you said, because you’re also dealing with other health information about people.
For Poland I've built something similar (but contrasting with the article I don't take any PII, I just post the available vaccination spots, so the users themselves need to book the spot with the info I provide): https://szczepienia.github.io
Your friend helped 16 people get a vaccination rather than a different 16 people getting a vaccination. The same number of vaccinations were given out.
The vaccine situation in Veneto is complex. It's not "first come, first served". There are different cohorts. Right now the only people that are eligible are people over 80 and people with pre-existing health conditions.
Many of them have trouble using the official portal, and they ask their children to help them. Their children are around 50, and have to actively poll the website trying to get a spot.
I didn't build the bot for young, tech-savvy people who want to get first in line. It's exactly the opposite. By smoothing the UX it makes booking a spot for the vaccine accessible, and it removes the burden of constantly checking the site. It may also help avoid wasting doses by sending last-minute notifications about newly available spots.
I have a few emails from people thanking me because they were frustrated by the official website, and the bot helped them book a spot for their parents.
Huh, is that the case in Italy? In the US your name and date of birth are very much PHI