I spoke at the HxRefactored conference in Brooklyn this week. The title of my talk was "Dancing with HIPAA," and it was intended as an introduction to health care data privacy and security regulations, practical concerns and -- most important -- practical solutions to privacy and security issues whether subject to HIPAA or not. Many issues for this audience will be triggered by data not gleaned from a health record maintained by a health care provider or payor. Instead, such data may be released by an individual (and therefore no longer covered by HIPAA) and mashed up with data feeds from personal trackers and manually inputted data, put through a health behavior modification recommendation engine, and -- voilà! -- behavior change recommendations are delivered to an individual. In this context, the health data is being held in a special-purpose PHR, not an EHR, so HIPAA rules don't apply and therefore OCR enforcement should not be of concern -- though the FTC breach notification rules apply and, as we know, the FTC asserts broad parallel jurisdiction to enforce HIPAA as well.