
Can I use Cassandra as a data warehouse for electronic medical records?

I don't think people building those systems are supposed to talk about them...




Actually, you are allowed to talk about your setup, you're just not allowed to release your actual data. But that's true for a lot of systems.


That depends on the business. Some businesses consider things like that proprietary information. Some go so far as to consider just about every detail of their system including hardware and even OS sensitive.

Others are less secretive, but still want to protect the details of their schema. Properly and carefully developing a schema for a major system can be a big project that reveals a lot about your business and can give an upstart competitor an advantage.


The point in question is whether HIPAA and other health privacy standards allow a provider to describe their architecture. They do (see: http://en.wikipedia.org/wiki/Health_Insurance_Portability_an...).

Whether a business chooses to talk about their setup depends on a variety of factors including their business model. However, keeping such things private is often security through obscurity (http://en.wikipedia.org/wiki/Security_through_obscurity).


I think we had different understandings of the grandparent:

I don't think people building those systems are supposed to talk about them...

In a former job I worked on systems similar to what was described and my former employer would be very unhappy with me if I revealed so much as their hardware setup much less schema. I am not supposed to talk about such things, and there is an NDA that says so....

Whether it is legal for an authorized person from the company to discuss those matters is a separate matter.

Also, I must point out that this is not security through obscurity. Security through obscurity cannot be relied on, I agree. But in this case, it is a matter of preventing your competitors from knowing what you are doing.

You know your competitors can develop the same thing you did in time, but you want to make sure they have to spend that time rather than being "inspired by" reading over your source code or even stealing it entirely. In some competitive environments, even just knowing what your competitors are or are not capable of at that moment can be a huge advantage.


I wasn't referring exclusively to HIPAA. I also assumed that medical software companies would tend to be the type that don't like their employees blogging. It's not even just security, but general trade secret stuff.


Why would these kinds of details be better kept in secret?


They wouldn't, but often times certain regulations may require it.


But in this case, the regulations don't require it.



