HIPPA Complaince

HIPAA Deep Dive: PHI 18 identifiers, Security Rule safeguards, BAA requirements, breach notification, and de-identification

HIPAA — Complaince

PHI · Security Rule · BAA · Breach Notification · De-identification

🔒 18 PHI Identifiers

🛡️ Security Rule

📝 BAA

🚨 Breach Notification

🧹 De-identification

PHI (Protected Health Information) = any health information that can identify a patient AND relates to their health condition, care, or payment. It becomes PHI when ANY of these 18 identifiers are present alongside health data. Remove all 18 → data is de-identified → no longer subject to HIPAA.

Identifier 01

Name

Full name, first name alone if combined with health data

Never log patient names in application logs

Identifier 02

Geographic Data

Street address, city, ZIP (first 3 digits of ZIP may be OK if population > 20,000)

Full ZIP codes in query params = PHI leak risk

Identifier 03

Dates (except year)

DOB, admission date, discharge date, date of death, age if > 89 years

Store as year only in de-identified datasets

Identifier 04

Phone Numbers

Any telephone number — home, cell, work, fax

Mask in UI: show only last 4 digits where possible

Identifier 05

Fax Numbers

Fax number associated with patient or their provider

Fax still widely used in healthcare — treat as PHI

Identifier 06

Email Addresses

Any email associated with the patient

Encrypt emails containing health info. Use Direct Secure Messaging for clinical email.

Identifier 07

Social Security Numbers

Full SSN or partial (last 4 digits can still be PHI in context)

Never store plaintext. Hash or tokenize. Audit access.

Identifier 08

Medical Record Numbers (MRN)

Any facility-assigned patient identifier — MRN, encounter ID, account number

MRNs in URLs or logs = PHI exposure. Use internal UUIDs instead.

Identifier 09

Health Plan Beneficiary Numbers

Insurance member ID, group number, Medicare/Medicaid ID

Common in 270/271 eligibility and 837 claims — encrypt in transit and at rest

Identifier 10

Account Numbers

Hospital billing account numbers, bank account if linked to health payment

RCM systems: mask account numbers in logs and error messages

Identifier 11

Certificate / License Numbers

Driver's license, medical license — if linked to patient health info

Identity verification workflows: treat as sensitive PII + PHI

Identifier 12

Vehicle Identifiers / Serial Numbers

VIN, license plate — can identify location of care

Rare in clinical systems but relevant in transport/ambulance data

Identifier 13

Device Identifiers

Implant serial numbers (pacemaker, hip), medical device IDs

IoT/wearable data: device ID + health reading = PHI

Identifier 14

Web URLs

URL if it identifies a patient (e.g. patient portal URL with patient ID)

Never put patient IDs in GET query params. Use POST body or session token.

Identifier 15

IP Addresses

Patient's IP address if linked to health data (e.g. portal login)

Web access logs with health context = ePHI. Protect server logs.

Identifier 16

Biometric Identifiers

Fingerprints, retinal scans, voiceprints used for patient identification

Biometric auth systems in healthcare: store hashes, not raw biometrics

Identifier 17

Full-Face Photos

Photographs that could identify the patient — clinical photos, ID photos

DICOM images often embed patient name in metadata — scrub before sharing

Identifier 18

Any Other Unique Identifying Number

Any other number or code not explicitly listed but uniquely identifying a person

Catch-all: if it can re-identify a patient when combined with health data, it's PHI

Dev rule of thumb: If a field can answer "which patient is this?" AND the record contains health data → it's PHI. Treat any combination of identifier + health condition as PHI by default. When in doubt, protect it.

The HIPAA Security Rule applies specifically to ePHI (electronic PHI). It requires three categories of safeguards. Each requirement is either REQUIRED (must implement) or ADDRESSABLE (implement if reasonable and appropriate, or document why not).

📋

Administrative Safeguards

Policies, training, and workforce management — ~50% of Security Rule

Required

Security Officer — designate one person responsible for HIPAA security policy. In startups this is often the CTO or founder.

Required

Workforce Training — all employees who touch ePHI must be trained on security policies. Document completion. Repeat annually.

Required

Access Management — formal process for granting/revoking access to ePHI systems. Role-based access control (RBAC). Audit log of who was granted what.

Required

Contingency Plan — data backup, disaster recovery, emergency access. RTO/RPO documented. Test the backup.

Addressable

Workforce Clearance — background checks for staff with ePHI access.

Addressable

Security Reminders — periodic security awareness updates (emails, training refreshers).

🏢

Physical Safeguards

Physical access to systems and devices storing ePHI

Required

Facility Access Controls — locked server rooms, badge access, visitor logs. Cloud vendors handle this for hosted systems.

Required

Workstation Use Policy — where and how workstations with ePHI access are used. Auto-lock screens after inactivity.

Required

Device & Media Controls — procedures for disposal of hardware and media containing ePHI. Wipe drives, shred documents.

Addressable

Workstation Security — physical protections like cable locks, privacy screens for laptops in clinical areas.

💻

Technical Safeguards — Most Relevant to Developers

The code and infrastructure controls you build and configure

Required

Access Control — unique user IDs, no shared logins, automatic logoff, encryption/decryption. Implement: RBAC, JWT with short expiry, MFA for ePHI systems. user_id NOT 'admin/admin'

Required

Audit Controls — record and examine activity in systems containing ePHI. Log: who accessed, what record, when, from where. Immutable logs. Retain ≥6 years. SELECT * WHERE patient_id = X → logged

Required

Integrity Controls — ensure ePHI is not improperly altered or destroyed. Checksums, digital signatures, version history, database transactions with rollback.

Required

Transmission Security — protect ePHI transmitted over networks. Minimum: TLS 1.2+. All APIs must use HTTPS. No ePHI in unencrypted email. No ePHI in HTTP GET params. https:// · TLS 1.3

Addressable

Encryption at Rest — encrypt databases, file systems, backups containing ePHI. Practically required — hard to justify not doing this. AES-256. AWS KMS / Azure Key Vault. AES-256-GCM

Addressable

Automatic Logoff — terminate sessions after a period of inactivity. Implement as idle timeout in your session management. Standard: 15 minutes in clinical settings.

Addressable

Authentication — verify identity before granting access. In practice: MFA is expected for any system with ePHI. FIDO2/WebAuthn for strongest security.

Quick dev checklist:

✅ HTTPS everywhere (TLS 1.2+ minimum)

✅ Encrypt DB at rest (AES-256)

✅ Unique user IDs + MFA

✅ Immutable audit logs (who, what, when)

✅ Role-based access control (RBAC)

✅ Session timeout (≤15 min idle)

✅ No PHI in URLs / query strings

✅ No PHI in application error logs

✅ Encrypted backups + tested restore

✅ Signed BAA with every cloud vendor

A Business Associate Agreement (BAA) is a legally required contract between a Covered Entity (CE) and any Business Associate (BA) — any vendor or contractor who creates, receives, maintains, or transmits PHI on your behalf. Without a signed BAA, both parties are in violation of HIPAA.

1

You build a healthcare app that handles patient data → You are a Business Associate (BA) or possibly a Covered Entity (CE)

2

You store ePHI on AWS S3 → AWS is your sub-BA. You must sign AWS's BAA (available in AWS console). Same for Azure, GCP, Snowflake, Databricks.

3

You use Twilio to send appointment reminders with patient info → Twilio must sign a BAA. Using a service without a BAA = HIPAA violation even if they're encrypted.

4

A hospital deploys your software → They (the CE) must sign a BAA with you before you can access any of their patient data.

5

BAA must specify: what PHI is involved, permitted uses, security obligations, breach reporting requirements, and how PHI is returned/destroyed at contract end.

✅ BAA Available — HIPAA-eligible vendors

AWS (HIPAA-eligible services — S3, RDS, Lambda, etc.)

Microsoft Azure (HIPAA/HITECH compliance)

Google Cloud Platform (GCP HIPAA BAA)

Snowflake (sign in web UI)

Twilio (available, must request)

SendGrid / Mailgun (with restrictions)

Auth0 / Okta (available)

Datadog, PagerDuty (available)

❌ No BAA — DO NOT use for ePHI

Slack (free/standard plan — no BAA)

Google Workspace (personal accounts)

Trello, Notion (standard plans)

GitHub (public repos — obviously)

ChatGPT / Claude API (without enterprise agreement)

Most analytics tools (Mixpanel, Amplitude — no BAA)

Zapier (standard plan)

Any free-tier SaaS tool

⚠️ Common dev mistakes:

Logging patient data to Datadog / Splunk without a BAA · Sending PHI in Slack messages · Using ChatGPT/Claude to analyze patient records without enterprise BAA · Storing test data with real patient records in dev/staging · Emailing PHI via Gmail

A breach = unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. HIPAA's Breach Notification Rule requires specific actions within strict timeframes. There is a presumption of breach — you must prove it's NOT a breach, not the other way around.

Day 0

Breach Occurs or Is Discovered

Unauthorized access to PHI detected. Examples: database exposed publicly, ransomware, employee snooping on celebrity patient records, wrong patient record sent to another provider, laptop stolen.

Day 1–10 (as soon as possible)

Internal Investigation & Containment

Contain the breach. Assess scope: how many records, which identifiers, what health data. Apply the 4-factor risk assessment: (1) nature/extent of PHI, (2) who accessed it, (3) was it actually acquired/viewed, (4) risk of harm mitigated. If low probability of compromise → not a reportable breach.

Within 60 days of DISCOVERY

🔴 Notify Affected Individuals (Required)

Written notice by first-class mail (or email if patient consented). Must include: description of breach, types of PHI involved, steps individuals can take, what you're doing to investigate/mitigate, contact info. If 10+ individuals have outdated contact info → substitute notice (website or media).

Within 60 days of DISCOVERY

🔴 Notify HHS (Required)

Report to HHS via online portal. <500 records: can submit annual log by March 1 of following year. ≥500 records: must notify HHS within 60 days AND notify prominent media outlets in affected state/region.

Immediately (if BA)

Notify Your Covered Entity

If you're a Business Associate, your BAA specifies how quickly you must notify the CE. Typically without unreasonable delay. The CE's 60-day clock starts from when they discover it (or when you notify them).

Civil Monetary Penalties (CMPs)

Tier 1 — Did Not Know

$100 – $50,000 / violation

Unaware of the violation even with reasonable diligence. Cap: $25,000/year per category.

Tier 2 — Reasonable Cause

$1,000 – $50,000 / violation

Knew or should have known but not willful neglect. Cap: $100,000/year.

Tier 3 — Willful Neglect, Corrected

$10,000 – $50,000 / violation

Willful neglect but violation corrected within 30 days. Cap: $250,000/year.

Tier 4 — Willful Neglect, Not Corrected

$50,000 – $1,900,000 / violation

Willful neglect not corrected. Highest penalties. Criminal referral possible.

Real examples: Anthem (2015) — $16M settlement. UCLA Health — $865K. Small practices — $25K–$250K. Each patient record = potentially one "violation."

De-identification removes or transforms PHI so that data is no longer subject to HIPAA. De-identified data can be freely shared, used for research, analytics, AI training, or published. Two official methods under HIPAA:

Method 1: Safe Harbor

Remove ALL 18 identifiers listed in the Privacy Rule. Also: no actual knowledge that the remaining information could identify an individual.

What gets removed:

NameDOBZIPMRNSSNPhoneEmailIPDevice IDPhoto

What remains:

Year only3-digit ZIP*Age (if ≤89)ICD-10 codeLab values

*ZIP first 3 digits only if population > 20,000 in that region

Method 2: Expert Determination

A statistician or expert applies methods to determine the risk of re-identification is "very small." Allows more data to remain than Safe Harbor — including some dates and geographic detail.

Common techniques: k-anonymity (each record identical to ≥k-1 others), l-diversity, differential privacy (add statistical noise), tokenization (replace PHI with reversible token), data masking.

Must be documented and defensible. Expert signs off on the methodology.

Developer patterns for handling PHI safely:

Tokenization
Replace MRN "MRN-123" with opaque UUID. Store mapping in separate secured vault. API returns token, not raw PHI.

Test Data
NEVER use real patient records in dev/staging. Use synthetic data generators (Synthea) or properly de-identified datasets.

Logging
Scrub PHI from all logs before writing. Regex-strip SSN patterns, email addresses, MRNs. Use log masking middleware.

AI / LLM
De-identify before sending to any LLM API. Or use on-prem/enterprise agreements with BAA. Never send identifiable records to public APIs.

Terraform

What is Terraform?

Terraform is an Infrastructure as Code (IaC) tool that lets you define, provision, and manage cloud and on-premises infrastructure using declarative configuration files. Instead of clicking through cloud consoles, you write code that describes the desired state of your infrastructure — Terraform figures out how to get there.

Core concepts

Providers are plugins that let Terraform talk to external APIs — AWS, Azure, GCP, Kubernetes, GitHub, Datadog, and hundreds more. Each provider exposes resources you can manage.

Resources are the individual infrastructure objects you declare — an EC2 instance, a DNS record, a database, a Kubernetes namespace. Each resource block says "this thing should exist with these properties."

State is how Terraform tracks what it has already created. It stores a JSON file (locally or remotely) mapping your config to real-world resources. This is what lets it calculate diffs.

The plan/apply cycle is the core workflow:

• terraform init — download providers and modules
• terraform plan — show what would change, without changing anything
• terraform apply — make the changes
• terraform destroy — tear everything down

Modules are reusable bundles of configuration — like functions in a programming language. You write a VPC module once and call it for dev, staging, and prod with different variables.

How it works — the execution flow

HCL — the language

Terraform uses HashiCorp Configuration Language (HCL), a declarative, human-readable format. A basic resource looks like:

hcl

resource "aws_instance" "web" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.micro"

  tags = {
    Name = "web-server"
  }
}

You declare what you want, not how to create it. References between resources (aws_instance.web.id) automatically create dependency edges, so Terraform builds and applies resources in the correct order — and parallelizes when there are no dependencies.

The HashiCorp ecosystem

Terraform is one piece of a broader platform. Here's how the tools relate:

Key workflows and patterns

Remote state — in any real team setup, state lives in a shared backend (S3 + DynamoDB for locking, GCS, or HCP Terraform) rather than on one developer's laptop. This prevents two people from applying at the same time and corrupting state.

Workspaces allow multiple state files from the same config — useful for managing dev/staging/prod environments without duplicating code.

Variable files (.tfvars) let you parameterize a config and pass different values per environment: the same module code, different instance sizes and region settings.

Policy as Code with Sentinel or OPA — HCP Terraform can enforce policies before apply runs, blocking, say, any instance type larger than t3.large in dev, or any S3 bucket without versioning enabled.

Terraform with Vault is a very common pattern: Vault generates short-lived AWS credentials at plan/apply time, so no long-lived secrets ever sit in your CI environment.

Typical project structure

my-infra/
├── main.tf          # core resources
├── variables.tf     # input variable declarations
├── outputs.tf       # values to expose after apply
├── versions.tf      # provider version constraints
├── terraform.tfvars # variable values (gitignored for secrets)
└── modules/
    └── vpc/         # reusable module
        ├── main.tf
        ├── variables.tf
        └── outputs.tf

When to use what

Situation	Tool
Provision cloud infra	Terraform (open source)
Team collaboration, policy, audit	HCP Terraform
Self-host the control plane	Terraform Enterprise
Build VM/container images	Packer
Manage secrets and creds	Vault
Service discovery / mesh	Consul
Schedule workloads (non-K8s)	Nomad

The core loop — write config → plan → apply → state — is simple, but Terraform's real power comes from modules, remote state, and its massive provider ecosystem (over 3,000 providers on the registry). It's the de facto standard for declarative cloud infrastructure management. 

Python virtual env

 

Install pyenv

Using Homebrew:

brew install pyenv

Add to shell:

echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.zshrc
echo 'export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.zshrc
echo 'eval "$(pyenv init --path)"' >> ~/.zshrc

source ~/.zshrc

---

Install multiple Python versions

pyenv install 3.10.16
pyenv install 3.11.13
pyenv install 3.12.11

List installed versions:

pyenv versions

---

Set Python version

Global:

pyenv global 3.12.11

Per project:

cd my-project
pyenv local 3.11.13

This creates:

.python-version

---

Create venv with specific Python version

python -m venv .venv

or
python3 -m venv .venv

Because pyenv already selected the Python version, the venv uses that version automatically.

Activate:

source .venv/bin/activate

---

Verify

python --version
which python

---

Windows

Best options:

• pyenv-win
• Official Python installer with py launcher

Example:

py -3.10
py -3.11

Create venv with exact version:

py -3.11 -m venv .venv

Activate:

.venv\Scripts\activate

---

Recommended real-world setup

~/projects/
  app-a/
    .python-version -> 3.10
    .venv/

  app-b/
    .python-version -> 3.12
    .venv/

Generate a key

 head -c 32 /dev/urandom | base64

Y học nhập môn - quyển 3 (醫學入門)

 本草

本草門

醫道之傳，實本於聖人
聖人本乎陰陽
陰陽本乎天地
天地本乎氣
氣本乎神
神本乎精
精散則氣耗
氣耗則神離
神離則形壞

是以醫者
必先明乎本草
然後可以知藥性
知藥性然後
可以療疾病

草木昆蟲金石
各有所宜
不可妄用
用之不當
反以成害

故曰
用藥如用兵
不可不慎也

草部

甘草　黃芩　黃連　黃柏
人參　白朮　蒼朮　茯苓
當歸　川芎　白芍　赤芍
熟地　生地　麥門冬　天門冬
石膏　知母　竹葉　桑白皮
蘇葉　薄荷　柴胡　升麻
葛根　麻黃　桂枝　防風
細辛　羌活　獨活　白芷
桔梗　前胡　枳殼　枳實
半夏　南星　天麻　白附子

木部

桂皮　杜仲　桑枝　桑葉
槐花　槐角　槐枝
桃仁　杏仁　郁李仁
枸杞子　山茱萸

果部

大棗　烏梅　石榴
荔枝　龍眼

皮部

陳皮　青皮　桑白皮

金石部

石膏　滑石　赤石脂
硃砂　雄黃　雌黃
磁石　赭石

蟲部

蜈蚣　全蠍　蟬蛻
白殭蠶　地龍

獸部

牛黃　鹿茸　阿膠

Breaking Down Problems: What Is First Principles Thinking?

 

What is First Principles Thinking?

First principles thinking is one of the best ways to discover new solutions.

Sometimes called “reasoning from first principles,” it’s a tool to help break down complicated problems by separating what we know is absolutely true from anything that is an assumption. What remains are the essentials. If you know the first principles of something, you can build the rest of your knowledge around them to produce something new.

While you could take this way of thinking down to an atomic level, a lot of value is gained by simply going a level or two deeper than most people. Solutions are based on what you see. Different answers reveal themselves at different levels.

If I hand you a house made from Lego blocks, you know it’s possible to make a house. Thinking at the first layer, you might move a few blocks around and, in the process, slightly improve the house. Most people stop here. They are presented with something that already exists and they endeavor to make it slightly better. Going a layer deeper and breaking the Lego house into individual pieces opens the door to possibility: not only can you build a better house, you can build something entirely different.

Everything that exists is effectively a set of Lego blocks, assembled in a certain way, that can be taken apart and reassembled. A bike is just a seat, chain, body, handlebars, etc. Breaking the bike down into its parts allows you to reassemble the parts into something new. However, you can also go deeper, melting the parts into their core metals and making a shield, sword, or anything else, limited only by material and imagination.

I don’t know what’s the matter with people: they don’t learn by understanding; they learn by some other way—by rote or something. Their knowledge is so fragile!

Richard Feynman

The Basics

The idea of building knowledge from first principles has a long tradition in philosophy. In the Western canon, it goes back to Plato, with significant contributions from Aristotle and Descartes. Essentially, these thinkers sought foundational knowledge that would remain constant and serve as a basis for building everything else, from our ethical systems to our social structures.

First principles thinking doesn’t have to be quite so grand. When we do it, we aren’t necessarily looking for absolute truths—millennia of epistemological inquiry have shown us that these are hard to come by, and the scientific method has demonstrated that knowledge can be built only when we are actively trying to falsify it. Rather, first principles thinking identifies the elements that are, in the context of any given situation, irreducible.

First principles do not provide a checklist of things that will always be true; our understanding of first principles evolves as we gain more knowledge. They are the foundation on which we must build, and thus will be different in every situation—but the more we know, the more we can challenge. For example, if we are considering how to improve the energy efficiency of a refrigerator, the laws of thermodynamics can be taken as first principles. However, a theoretical chemist or physicist might want to explore entropy, and thus further break the second law of thermodynamics into its underlying principles and the assumptions that were made because of them.

“To understand is to know what to do.”

— Wittgenstein

Techniques for Establishing First Principles

If we never learn to take something apart, test our assumptions about it, and reconstruct it, we end up bound by what other people tell us is possible. We end up trapped in the way things have always been done. When the environment changes, we just continue as if things were the same, making costly mistakes along the way.

Some of us are naturally skeptical of what we’re told: Maybe it doesn’t match up to our experiences. Maybe it’s something that used to be true but isn’t true anymore. Or maybe we just think differently about something. When it comes down to it, everything that is not a law of nature is just a shared belief. Money is a shared belief. So is a border. So is Bitcoin. So is love. The list goes on.

There are two techniques we can use to change the level where we are looking at a situation, identify the first principles, and cut through the dogma and shared belief: Socratic questioning and the Five Whys.

Socratic Questioning

Socratic questioning can be used to establish first principles through stringent analysis. This a disciplined questioning process, used to establish truths, reveal underlying assumptions, and separate knowledge from ignorance. The key distinction between Socratic questioning and normal discussions is that the former seeks to draw out first principles in a systematic manner. Socratic questioning generally follows this process:

1. Clarifying your thinking and explaining the origins of your ideas (Why do I think this? What exactly do I think?)
2. Challenging assumptions (How do I know this is true? What if I thought the opposite?)
3. Looking for evidence (How can I back this up? What are the sources?)
4. Considering alternative perspectives (What might others think? How do I know I am correct?)
5. Examining consequences and implications (What if I am wrong? What are the consequences if I am?)
6. Questioning the original questions (Why did I think that? Was I correct? What conclusions can I draw from the reasoning process?)

This process stops you from relying on your gut and limits strong emotional responses. This process helps you build something that lasts.

“Because I Said So” or “The Five Whys”

Children instinctively think in first principles. Just like us, they want to understand what’s happening in the world. To do so, they intuitively break through the fog with a game some parents have come to hate.

“Why?”

“Why?”

“Why?”

Here’s an example that has played out numerous times at my house:

“It’s time to brush our teeth and get ready for bed.”

“Why?”

“Because we need to take care of our bodies, and that means we need sleep.”

“Why do we need sleep?”

“Because we’d die if we never slept.”

“Why would that make us die?”

“I don’t know; let’s go look it up.”

Kids are just trying to understand why adults are saying something or why they want them to do something.

The first time your kid plays this game, it’s cute, but for most teachers and parents, it eventually becomes annoying. Then the answer becomes what my mom used to tell me: “Because I said so!” (Love you, Mom.)

Of course, I’m not always that patient with the kids. For example, I get testy when we’re late for school, or we’ve been travelling for 12 hours, or I’m trying to fit too much into the time we have. Still, I try never to say “Because I said so.”

People hate the “because I said so” response for two reasons, both of which play out in the corporate world as well. The first reason we hate the game is that we feel like it slows us down. We know what we want to accomplish, and that response creates unnecessary drag. The second reason we hate this game is that after one or two questions, we are often lost. We actually don’t know why. Confronted with our own ignorance, we resort to self-defense.

I remember being in meetings and asking people why we were doing something this way or why they thought something was true. At first, there was a mild tolerance for this approach. After three “whys,” though, you often find yourself on the other end of some version of “we can take this offline.”

Can you imagine how that would play out with Elon Musk? Richard Feynman? Charlie Munger? Musk would build a billion-dollar business to prove you wrong, Feynman would think you’re an idiot, and Munger would profit based on your inability to think through a problem.

“Science is a way of thinking much more than it is a body of knowledge.”

— Carl Sagan

Examples of First Principles in Action

To better understand how first-principles reasoning works, let’s examine some examples.

Elon Musk and SpaceX

Perhaps no one embodies first-principles thinking more than Elon Musk. He is one of the most audacious entrepreneurs the world has ever seen. My kids (in grades 3 and 2) refer to him as a real-life Tony Stark, thereby providing a convenient opportunity for me to remind them that by fourth grade, Musk was reading the Encyclopedia Britannica, not Pokémon.

What’s most interesting about Musk is not what he thinks but how he thinks:

I think people’s thinking process is too bound by convention or analogy to prior experiences. It’s rare that people try to think of something on a first principles basis. They’ll say, “We’ll do that because it’s always been done that way.” Or they’ll not do it because “Well, nobody’s ever done that, so it must not be good. But that’s just a ridiculous way to think. You have to build up the reasoning from the ground up—“from the first principles” is the phrase that’s used in physics. You look at the fundamentals and construct your reasoning from that, and then you see if you have a conclusion that works or doesn’t work, and it may or may not be different from what people have done in the past.[4]

His approach to understanding reality is to begin with what is true, rather than relying on his intuition. The problem is that we don’t know as much as we think we do, so our intuition isn’t very good. We trick ourselves into thinking we know what’s possible and what’s not.

Musk’s approach is quite different.

He starts out with something he wants to achieve, like building a rocket. Then he starts with the first principles of the problem. Running through how Musk would think, Larry Page said in an

interview, “What are the physics of it? How much time will it take? How much will it cost? How much cheaper can I make it? There’s this level of engineering and physics that you need to make judgments about what’s possible and interesting. Elon is unusual in that he knows that, and he also knows business and organization and leadership and governmental issues.”[5]

Rockets are absurdly expensive, which is a problem because Musk wants to send people to Mars. And to send people to Mars, you need cheaper rockets. So he asked himself, “What is a rocket made of? Aerospace-grade aluminum alloys, plus some titanium, copper, and carbon fiber. And … what is the value of those materials on the commodity market? It turned out that the materials cost of a rocket was around two percent of the typical price.”[6]

Why, then, is it so expensive to get a rocket into space? Musk, a notorious self-learner with degrees in both economics and physics, literally taught himself rocket science. He figured that the only reason getting a rocket into space is so expensive is that people are stuck in a mindset that doesn’t hold up to first principles. With that, Musk decided to create SpaceX and see if he could build rockets from scratch.

In an interview with Kevin Rose, Musk summarized his approach:

I think it’s important to reason from first principles rather than by analogy. So the normal way we conduct our lives is, we reason by analogy. We are doing this because it’s like something else that was done, or it is like what other people are doing… with slight iterations on a theme. And it’s … mentally easier to reason by analogy rather than from first principles. First principles is kind of a physics way of looking at the world, and what that really means is, you … boil things down to the most fundamental truths and say, “okay, what are we sure is true?” … and then reason up from there. That takes a lot more mental energy.[7]

Musk then gave an example of how SpaceX uses first principles to innovate at low prices:

Somebody could say — and in fact people do — that battery packs are really expensive and that’s just the way they will always be because that’s the way they have been in the past. … Well, no, that’s pretty dumb… Because if you applied that reasoning to anything new, then you wouldn’t be able to ever get to that new thing…. you can’t say, … “oh, nobody wants a car because horses are great, and we’re used to them and they can eat grass and there’s lots of grass all over the place and … there’s no gasoline that people can buy….”

He then gives a fascinating example about battery packs:

… they would say, “historically, it costs $600 per kilowatt-hour. And so it’s not going to be much better than that in the future. … So the first principles would be, … what are the material constituents of the batteries? What is the spot market value of the material constituents? … It’s got cobalt, nickel, aluminum, carbon, and some polymers for separation, and a steel can. So break that down on a material basis; if we bought that on a London Metal Exchange, what would each of these things cost? Oh, jeez, it’s … $80 per kilowatt-hour. So, clearly, you just need to think of clever ways to take those materials and combine them into the shape of a battery cell, and you can have batteries that are much, much cheaper than anyone realizes.

BuzzFeed

After studying the psychology of virality, Jonah Peretti founded BuzzFeed in 2006. The site quickly grew to be one of the most popular on the internet, with hundreds of employees and substantial revenue.

Peretti figured out early on the first principle of a successful website: wide distribution. Rather than publishing articles people should read, BuzzFeed focuses on publishing those that people want to read. This means aiming to garner maximum social shares to put distribution in the hands of readers.

Peretti recognized the first principles of online popularity and used them to take a new approach to journalism. He also ignored SEO, saying, “Instead of making content robots like, it was more satisfying to make content humans want to share.”[8] Unfortunately for us, we share a lot of cat videos.

A common aphorism in the field of viral marketing is, “content might be king, but distribution is queen, and she wears the pants” (or “and she has the dragons”; pick your metaphor). BuzzFeed’s distribution-based approach is based on obsessive measurement, using A/B testing and analytics.

Jon Steinberg, president of BuzzFeed, explains the first principles of virality:

Keep it short. Ensure [that] the story has a human aspect. Give people the chance to engage. And let them react. People mustn’t feel awkward sharing it. It must feel authentic. Images and lists work. The headline must be persuasive and direct.

Derek Sivers and CD Baby

When Derek Sivers founded his company CD Baby, he reduced the concept down to first principles. Sivers asked, What does a successful business need? His answer was happy customers.

Instead of focusing on garnering investors or having large offices, fancy systems, or huge numbers of staff, Sivers focused on making each of his customers happy. An example of this is his famous order confirmation email, part of which reads:

Your CD has been gently taken from our CD Baby shelves with sterilized contamination-free gloves and placed onto a satin pillow. A team of 50 employees inspected your CD and polished it to make sure it was in the best possible condition before mailing. Our packing specialist from Japan lit a candle and a hush fell over the crowd as he put your CD into the finest gold-lined box money can buy.

By ignoring unnecessary details that cause many businesses to expend large amounts of money and time, Sivers was able to rapidly grow the company to $4 million in monthly revenue. In Anything You Want, Sivers wrote:

Having no funding was a huge advantage for me.
A year after I started CD Baby, the dot-com boom happened. Anyone with a little hot air and a vague plan was given millions of dollars by investors. It was ridiculous. …
Even years later, the desks were just planks of wood on cinder blocks from the hardware store. I made the office computers myself from parts. My well-funded friends would spend $100,000 to buy something I made myself for $1,000. They did it saying, “We need the very best,” but it didn’t improve anything for their customers. …
It’s counterintuitive, but the way to grow your business is to focus entirely on your existing customers. Just thrill them, and they’ll tell everyone.

To survive as a business, you need to treat your customers well. And yet so few of us master this principle.

Employing First Principles in Your Daily Life

Most of us have no problem thinking about what we want to achieve in life, at least when we’re young. We’re full of big dreams, big ideas, and boundless energy. The problem is that we let others tell us what’s possible, not only when it comes to our dreams but also when it comes to how we go after them. And when we let other people tell us what’s possible or what the best way to do something is, we outsource our thinking to someone else.

The real power of first-principles thinking is moving away from incremental improvement and into possibility. Letting others think for us means that we’re using their analogies, their conventions, and their possibilities. It means we’ve inherited a world that conforms to what they think. This is incremental thinking.

When we take what already exists and improve on it, we are in the shadow of others. It’s only when we step back, ask ourselves what’s possible, and cut through the flawed analogies that we see what is possible. Analogies are beneficial; they make complex problems easier to communicate and increase understanding. Using them, however, is not without a cost. They limit our beliefs about what’s possible and allow people to argue without ever exposing our (faulty) thinking. Analogies move us to see the problem in the same way that someone else sees the problem.

The gulf between what people currently see because their thinking is framed by someone else and what is physically possible is filled by the people who use first principles to think through problems.

First-principles thinking clears the clutter of what we’ve told ourselves and allows us to rebuild from the ground up. Sure, it’s a lot of work, but that’s why so few people are willing to do it. It’s also why the rewards for filling the chasm between possible and incremental improvement tend to be non-linear.

Let’s take a look at a few of the limiting beliefs that we tell ourselves.

“I don’t have a good memory.” [10]
People have far better memories than they think they do. Saying you don’t have a good memory is just a convenient excuse to let you forget. Taking a first-principles approach means asking how much information we can physically store in our minds. The answer is “a lot more than you think.” Now that we know it’s possible to put more into our brains, we can reframe the problem into finding the most optimal way to store information in our brains.

“There is too much information out there.”
A lot of professional investors read Farnam Street. When I meet these people and ask how they consume information, they usually fall into one of two categories. The differences between the two apply to all of us. The first type of investor says there is too much information to consume. They spend their days reading every press release, article, and blogger commenting on a position they hold. They wonder what they are missing. The second type of investor realizes that reading everything is unsustainable and stressful and makes them prone to overvaluing information they’ve spent a great amount of time consuming. These investors, instead, seek to understand the variables that will affect their investments. While there might be hundreds, there are usually three to five variables that will really move the needle. The investors don’t have to read everything; they just pay attention to these variables.

“All the good ideas are taken.”
A common way that people limit what’s possible is to tell themselves that all the good ideas are taken. Yet, people have been saying this for hundreds of years — literally — and companies keep starting and competing with different ideas, variations, and strategies.

“We need to move first.”
I’ve heard this in boardrooms for years. The answer isn’t as black and white as this statement. The iPhone wasn’t first, it was better. Microsoft wasn’t the first to sell operating systems; it just had a better business model. There is a lot of evidence showing that first movers in business are more likely to fail than latecomers. Yet this myth about the need to move first continues to exist.

Sometimes the early bird gets the worm and sometimes the first mouse gets killed. You have to break each situation down into its component parts and see what’s possible. That is the work of first-principles thinking.

“I can’t do that; it’s never been done before.”
People like Elon Musk are constantly doing things that have never been done before. This type of thinking is analogous to looking back at history and building, say, floodwalls, based on the worst flood that has happened before. A better bet is to look at what could happen and plan for that.

“As to methods, there may be a million and then some, but principles are few. The man who grasps principles can successfully select his own methods. The man who tries methods, ignoring principles, is sure to have trouble.”

— Harrington Emerson

Key Takeaways

First principles thinking is the art of breaking down complex problems into their most fundamental truths.

By reasoning from first principles, we identify root causes, strip away layers of complexity, and focus on the most effective solutions. It allows us to step outside the way things have always been done and, instead, see what is possible.

First principles thinking is not easy. It requires a willingness to challenge the status quo. That’s why it’s often the domain of rebels and misfits who believe there must be a better way. It’s the mindset of those willing to start from scratch and build from the ground up.

In a world focused on incremental improvement, first-principles thinking offers a competitive advantage because it is not widely practiced.