Confusing Rule Names in HIPAA


Over on the ClinicNerds blog, I just uploaded the third post in the series “Crushing Kim with HIPAA.”  This post is about the confusing names Security Rule and Privacy Rule.  My suggestion is to avoid the similar-sounding terms privacy and security altogether and replace them with Patient Rights and Protected Health Information (PHI).

“Crushing Kim With HIPAA” Is A Series of Articles

HIPAA is widely misunderstood, not because of any one thing, but rather the accumulation of many confusing concepts, phrases and terms. This series explores those confusing things through the eyes of Kim, a hypothetical office manager in a small clinic named Memphis Family Clinic. Big hospitals have departments of lawyers and information technology specialists (I/T, CIO) to handle HIPAA challenges. Kim and Memphis Family Clinic do not have those resources. This series tries to show how challenging HIPAA is for small clinics.

HIPAA Compliant Is a Gimmick

Two recent updates to the ClinicNerds website to report:

  1. New HIPAA Breach Case Study about a small practice in Illinois that was fined $31,000 because it did not have a Business Associate Agreement with a third-party document storage company.  The medical practice was storing paper medical records at this off-site location without ensuring that the document storage company was safeguarding the patient data.  Note that this case was resolved just a few months ago (April 2017), though the practice will be on HIPAA probation for two years, until April 2019.  It is very typical for these HIPAA investigations and probations to last 4 or 5 years.
  2. New article in the series Crushing Kim with HIPAA.  This sixth article in the series discusses the meaningless terms ‘HIPAA Compliant’ and/or ‘HIPAA Certified.’   There are many shady salesmen, consultants, and instructors that make the false and meaningless claim that their product or service is HIPAA Compliant.  When you hear this phrase, ClinicNerds encourages you to say:  ‘Who says it is HIPAA compliant?’


HIPAA Police Send Warning to Small Practices

Earlier this week, I posted the ninth case study on HIPAA Breaches.  Why was this case important?  The healthcare organization that got fined is a small hospice in the Northwest.  The precipitating event was one stolen laptop that was not encrypted.  The laptop contained a few hundred (441) patient records.  The fine was $50,000.

Every small practice in the country has the same essential risk or vulnerability: an unencrypted laptop with a spreadsheet of all the practice’s patients.

An unencrypted laptop, with a few hundred patient records, is stolen and results in a $50,000 fine.




Over on the ClinicNerd’s blog, I put up the fifth article in the series: Crushing Kim with HIPAA.  In this series of articles, I try to make the point that HIPAA is despised and misunderstood because the explanations of HIPAA are horrible.  If HIPAA is ever going to be accepted and widely adopted, then a new curriculum is needed to explain HIPAA.  The HIPAA Lifeguard app is my attempt at a new curriculum for explaining HIPAA.   Article preview: ClinicNerds avoids using weird words like omnibus.

Laptop Stolen In Asia

Over on the ClinicNerds HIPAA Breach Case Studies page, I just published a new case study about a doctor whose laptop was stolen while he was lecturing in Asia.  Though some precautions were taken, the laptop held unencrypted patient data going all the way back to 1988.  The laptop was stolen in South Korea, but the US Government (HHS) levied a multi-million dollar HIPAA fine.  Link: Unencrypted Laptop stolen while lecturing in Asia

Crushing Kim with HIPAA

Over at the ClinicNerds blog, I’m writing a series of articles about how the terrible explanations of HIPAA are creating a nightmare for small clinics.  I just put up the fourth article in the series, about Simplifying Protected Health Information (PHI).   I believe that we need to have a conversation about ways to simplify HIPAA explanations.


Short analysis of mobile apps in the healthcare industry.

  • Company Started: 2007
  • Location:  NYC
  • Private Startup
  • Total Funding: $223 million over 4 rounds
  • Latest Private Valuation: $1.8 billion  (Unicorn Club!)
  • ~650 employees
  • ~5 million customers-patients
  • (BIG unknown) number of paying subscribers
  • Locations:  NYC, Phoenix, India

Between the Lines

The founders chose to locate the company in the very trendy SoHo neighborhood of New York City.  Among hipsters, college grads and kids much younger than me, Brooklyn and SoHo compete for coolest place to tell your Facebook friends that you live.  How cool is SoHo?  The Cronut was invented in a SoHo bakery and the Kardashians chose to open their store in SoHo.  Though there are some healthcare startups in the area, the choice of SoHo says something about the founders.

Every startup needs a founding fable and while there is a bit of a Zocdoc creation tale, it is not mythologized or discussed much.  Little talk of garages or dorm rooms.  The original CEO was a McKinsey consultant so maybe they get to leapfrog the grunge stage and go right to the SoHo loft with Aeron chairs.


OpenTable is for making a restaurant reservation.  HotWire is for making a hotel reservation.  Zocdoc is for making a doctor appointment.  Or: Match.com is for finding the perfect mate; Zocdoc is for finding the perfect doctor or dentist.  For a list of Zocdoc competitors, I suggest Googling “zocdoc competitors” – there are many startups in this area, and startups come and go faster than Cronuts.  Some competitors are country specific (e.g. France).  Others focus on clinical areas like therapists.  Most startups in this segment are “developing a digital platform to fix health care.”

Catchy Phrases

  • “fill vacancies”, “unfilled inventory”, “unused resources”, “underutilization”
  • “real time updates”, “real time availability”, “find a doctor 24×7”
  • “working to lead the healthcare experience into the digital age”
  • “digital platform to fix health care”

How Do They Make Money?

“Patients pay nothing.  Doctors pay about $250 a month to be listed” says USA Today.  It is not clear if the price is per doctor or per practice.  If three doctors own a practice together, do they each have to pay $250 per month?


Zocdoc has raised $223 million from well-known investors like Khosla Ventures, Founders Fund, Goldman Sachs, Jeff Bezos, and Marc Benioff.   Zocdoc joined the Unicorn Club with the most recent round of funding valuing Zocdoc at $1.8 billion.  Who wouldn’t leapfrog grungy garage stage if you could raise that much money?!  On a side note, is there a startup that Bezos has not invested in?  (My one person startup is being bootstrapped, in case you were wondering Mr. Bezos.)

Napkin Calculations

Zocdoc has raised enough money that they have plenty of runway.  They can meet payroll and keep the lights on for a long time.  Though certain to be wrong, let’s make some guesstimates as to what Zocdoc needs to reach profitability or free cash flow.  The company does not say how many doctor/subscribers it has.  The company does say it has about 650 employees.  This approximation suggests that Zocdoc needs about 15-16k doctor/subscribers to cover their monthly run rate.

  • Expenses: 650 employees X $6000 per month = $3,900,000 monthly payroll
  • Break Even Income:  $250 month X 15,600 = $3,900,000

Assumptions: an average annual salary of $72,000 ($6,000 per month), no benefits, and ignore the pricey SoHo office.

Using the Zocdoc app, online speculators (at Quora) have tried to count the number of doctors listed.  Some have suggested that it could be more than 40k subscribers.  The 40k number seems high to me as it would mean $10 million per month in revenue.  Why would Zocdoc take $130 million from investors if the business is already generating that much revenue?   I suspect the number is 10-15k subscribers.  (Fall 2017)


Zocdoc is the first mover, is well funded, and is replicating a business model that is known to work in other industries.  They have rolled out the service to many cities and expanded to over 50 specialist types of doctor offices.  They have a lot of videos on YouTube, but not many views.  Zocdoc has survived a decade so they have already beaten the odds.

Short Side Arguments

The original CEO (the McKinsey guy) handed over the reins to one of his co-founders.  Probably just burnout but who knows.  If the doctors listed on Zocdoc are so great, why do they need help finding customers/patients?  Needle in the haystack – it is a lot of work to interface to thousands of doctor office patient scheduling systems just to find out if a patient cancelled an appointment.  Even if you throw every engineer in Bangalore at it, that is a hard software engineering problem.  If it is not a problem handled by software, then it is an administrative nightmare for the receptionist in the doctor’s office who has to remember to go update the Zocdoc dashboard for every schedule change.  There are a lot of specified and unspecified variables in patient scheduling.  Unlike the local barber, doctor’s offices generally avoid walk-in patients, unless they bring Cronuts for the whole staff.

Big Questions

How many paying subscribers do they have?  Are they growing the subscriber base?  How is subscriber retention?  What are their (paying) customer acquisition costs?  Why did the CEO step down before going public?  Everybody hopes to become the Google of healthcare – to become the “digital platform that fixes healthcare.”  How successful will Zocdoc be at extending their product line?  They have their (API) hooks into the doctor’s offices.  Now can they grow the offerings?  Can they maintain the delicate balance of aligned incentives between the patient, the doctor office and their app?


There are a lot of old school doctor offices that are in no hurry to let go of the fax machine and paper medical records.  These old school clinics just chuckle at the daily news headlines about billions of stolen records or hospitals being held ransom by hackers.  Patient data privacy (HIPAA is my day job at ClinicNerds) is a big and confusing health care issue.  Zocdoc operates in an uncharted area of the law because Zocdoc is the inverse of a HIPAA Business Associate.  A typical Business Associate gets patient data “from” a doctor office.  Zocdoc is giving patient data “to” a doctor office.  I wonder whether Zocdoc is signing a Business Associate Agreement (BAA) with each doctor office?  All the other short side arguments would pale in comparison to a HIPAA investigation.  Zocdoc should get out ahead of the issue by asking HHS for guidance.


The Zocdoc app has a feature that allows patients to rate doctors.  Two points to make about that feature.  First, does anyone believe that Zocdoc will allow bad reviews of a doctor when it is the doctors who are paying the bills?  Second, doctors rightly hate being “reviewed” by patients.   Other startups have tried this with disastrous results.  Are ten years of medical school and training supposed to be summed up by a 10 minute interaction?  Why do startups keep pushing on this use case of five-star ratings and rambling reviews?  It feels like gamification gone wrong.


I like the Zocdoc redesign with their “optimistic yellow” palette.  This is the first yellow app icon on my iPhone.  (Once you are 21, Snapchat just disappears from your iPhone – the algorithms do it.)  Every sagging company is trying to change their image by incorporating a smile into their logo.  Like Amazon.  But the Zocdoc designers took it a step further with several logos that dynamically turn the smile into a frown when the user is sick.  Clever.

A day or two after considering the Zocdoc logo, it struck me that there may be some nods to the Cubists and Picasso.  (I can never remember the other Cubists.)  Strong bold lines, slightly askew.  What do you think?  Were the Zocdoc logo designers alluding to Pablo?    Let me know on Twitter @ClinicNerds with the hashtag #IseePicasso

Bert Ryan in Reno Nevada