The Setup

I was building the referral form for a cancer education business's patient referral engine — a co-branded intake flow that connects cancer patients with life insurance and viatical settlement options.

One hard constraint right at the start: §12.3(c) of the referral agreement makes PHI collection — protected health information, think diagnosis, prognosis, treatment details — trigger a separate Business Associate Agreement (BAA, a legally binding HIPAA contract between us and the referring entity).

We didn't want to go there.

So I made a clean decision: drop the diagnosis field entirely. No "health issues," no "describe your condition," nothing clinical. Form stays non-clinical. No BAA required.

I was pretty happy with that call.

The Wall I Didn't See Coming

Then I added an open notes box.

You know the one. "Anything else you'd like us to know?" Three lines of free text. Totally standard UX.

And I thought — fine. That's just a catch-all. Not a clinical field.

My business partner and I had actually talked through this exact moment on a Level 10 call with the cancer education business. He floated the idea: "what would you like the doctor to know?" as the label for the field.

My reply, without even thinking: "They're going to dump."

"I know, dude."

We both laughed. Because we both KNEW. A cancer patient filling out that form is going to type everything. Stage. Timeline. Treatment history. The whole story. Because that IS the answer to "what would you like the doctor to know?"

The advisor flagged it straight: dropping the diagnosis field and adding a free-text box are two decisions that silently cancel each other out. The field-level win is meaningless if there's an open door right next to it.

The Tempting Wrong Fix

Here's where it gets interesting — because the obvious response is "fine, we'll add a keyword filter."

Regex for "stage," "diagnosed," "tumor," "treatment." Block or strip the clinical stuff. Problem solved, right?

No. WRONG.

A keyword regex catches a fraction of phrasings. It misses "dx'd," "found out six months ago," "they said I have about a year." It misses every euphemism, every workaround, every way a real person actually writes about their health.

The regex reads as "handled." It isn't. It's false comfort presented as a control.

What I Actually Did

Here's the decision I made — and it's a knowing tradeoff, not a clean win.

I kept the open notes box. I accepted the residual PHI risk with eyes open.

But I engineered it to be as safe as I could:

  • Optional field — never required, never prompted as expected
  • Non-clinical microcopy — "preferred timeline, best time to reach you, any questions" — that's what it says in the hint text, not "tell us about your condition"
  • Soft nudge — a gentle "please don't include medical details here" in the copy
  • Feature-flag kill-switch — the entire field can be disabled without a deploy, the moment it becomes a liability

That last one is the one that matters most to me.

Why This Matters

The real controls here are field-level exclusion (what you choose NOT to ask) and the kill-switch (the ability to pull the cord without a deploy).

The lesson isn't "remove the open box." Sometimes you need it. The lesson is: an open text field in a medical context is never neutral. It's an invitation. And the only reason you removed the diagnosis field in the first place was to close an invitation.

If you're building PHI-free by exclusion, audit every free-text input as a potential re-entry point for what you excluded.

The box you didn't add is only as clean as the boxes you did.

P.S. If you're in a similar spot, the preferred fix before reaching for the kill-switch is to replace the open box with constrained non-clinical inputs — timeframe, best time to call, preferred contact method. They can't carry a diagnosis.
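Here is what the controls listed under "What I Actually Did" and the constrained inputs from the P.S. look like on the server side, as an added example and not code from the referral engine itself: the accepted schema is an allow-list of choice-set fields, the open notes box is admitted only while a feature flag is on (the `intake_notes_enabled` flag name and the choice values are assumptions), and the keyword regex is included only to show the gaps the post describes.

```python
import re
from dataclasses import dataclass

# Constrained, non-clinical inputs (the P.S. fix). A value can only be one of
# these choices, so the field cannot carry a diagnosis. Choice sets are assumed.
TIMEFRAME = {"asap", "1-3_months", "3-6_months", "exploring"}
BEST_TIME = {"morning", "afternoon", "evening"}
CONTACT_METHOD = {"phone", "email", "text"}
NOTES_MAX_LEN = 280


@dataclass
class FeatureFlags:
    # Kill-switch: flipping this to False removes the notes field from the
    # accepted schema at runtime, no deploy needed. Flag name is hypothetical.
    intake_notes_enabled: bool = True


def validate_intake(payload: dict, flags: FeatureFlags) -> dict:
    """Return the record the engine may store, or raise ValueError.

    Constrained fields are checked against their choice sets. The optional
    free-text "notes" field is kept only while the kill-switch flag is on;
    when it is off the text is dropped before anything is persisted or logged.
    Unknown keys (e.g. a "diagnosis" field sent by a stale client) are never
    copied into the record: the schema is the allow-list.
    """
    record = {}
    for key, choices in (("timeframe", TIMEFRAME),
                         ("best_time", BEST_TIME),
                         ("contact_method", CONTACT_METHOD)):
        value = payload.get(key)
        if value not in choices:
            raise ValueError(f"{key}: expected one of {sorted(choices)}")
        record[key] = value
    notes = (payload.get("notes") or "").strip()
    if notes and flags.intake_notes_enabled:
        record["notes"] = notes[:NOTES_MAX_LEN]
    return record


# The tempting wrong fix from the post, kept only to show why it is not a
# control: it matches a few clinical keywords and nothing else.
NAIVE_CLINICAL_RE = re.compile(r"\b(stage|diagnos\w*|tumou?r|treatment)\b", re.I)


def keyword_filter_flags(text: str) -> bool:
    """True if the naive keyword regex would catch this text."""
    return NAIVE_CLINICAL_RE.search(text) is not None
```

The regex catches "Stage 3, diagnosed last year" but none of the phrasings the post lists ("dx'd", "found out six months ago", "they said I have about a year"), which is exactly why the real controls are the schema and the flag rather than the filter.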