A court case about a patient’s roommate ended up teaching me more about privacy than I expected.

The case was Rogers v. NYU Hospitals Center. A hospital released the name of a patient’s roommate and someone questioned whether this violated HIPAA. The name came up during a legal proceeding and the patient argued it should have been protected. The court disagreed, noting that the name alone did not reveal any medical diagnosis or treatment. A wide range of rehabilitative services were offered at Rusk Institute of Rehabilitation Medicine, so knowing someone was there didn’t tell you anything about their condition. A name by itself wasn’t protected health information in this situation.

What stood out to me was how much the decision depended on context. If I were a privacy officer, the places I’d worry about most are the ones where just knowing a patient’s name would reveal sensitive information: specialized facilities like oncology units, HIV treatment centers, dialysis clinics, psychiatric hospitals, and substance use programs. In these places, someone’s presence alone tells you their diagnosis. That’s when identity basically becomes health data.

It becomes even trickier in rural communities. Smaller populations make it easier to figure out who’s receiving what type of treatment, even in larger facilities. In those situations, a name has to be treated as protected information.

Large general hospitals, emergency departments, multidisciplinary rehab centers? These are usually less of a concern. They serve so many different kinds of patients that knowing someone was there doesn’t really tell you much about their diagnosis or treatment.

Context is everything in privacy work. The same data point can create very different risks depending on where and how it is used. If you miss that, your privacy controls might end up either too loose or too restrictive.