HIPAA Documents

HIPAA was designed to allow Americans to take their health insurance coverage with them when they changed jobs, with provisions to keep medical information confidential. But new studies have found that some health care providers apply HIPAA regulations overzealously, leaving family members, caretakers, public health and law enforcement authorities stymied in their efforts to get information.

Experts say many providers do not understand the law, have not trained their staff members to apply it judiciously, or are fearful of the threat of fines and jail terms — although no penalty has been levied in four years.

Some reports blame the language of the law itself, which says health care providers may share information with others unless the patient objects, but does not require them to do so. Thus, disclosures are voluntary and health care providers are left with broad discretion.

Government studies show there is widespread frustration with HIPAA, an unintended consequence of the 1996 law.

Mr. Rothstein, chairman of a privacy subcommittee that advises the Department of Health and Human Services, which administers HIPAA is one of HIPAA’s harshest critics and has led years of hearings across the country. Transcripts of those hearings, and accounts from hospital administrators, patient advocates, lawyers, family members, and law enforcement officials offer an anthology of HIPAA misinterpretations, some alarming, some annoying:

  • Birthday parties in nursing homes in New York and Arizona have been canceled for fear that revealing a resident’s date of birth could be a violation.
  • Patients were assigned code names in doctor’s waiting rooms — say, “Zebra” for a child in Newton, Mass., or “Elvis” for an adult in Kansas City, Mo. — so they could be summoned without identification.
  • Nurses in an emergency room at St. Elizabeth Health Center in Youngstown, Ohio, refused to telephone parents of ailing students themselves, insisting a friend do it, for fear of passing out confidential information, the hospital’s patient advocate said.
  • A daughter from Oklahoma had to drive twenty-two hours to her mother’s bedside at a hospital in Tampa, Florida to determine her mother’s condition because the nurse would not give out the information over the phone.
  • A man was told that he could not stay with his father-in-law while the elderly man was being treated after a stroke.
  • State health departments throughout the country have been slowed in their efforts to create immunization registries for children, because information from doctors no longer flows freely.
Susan McAndrew, deputy director of health information privacy at the Department of Health and Human Services, said that problems were less frequent than they once had been but that health care providers continued to hide behind the law. “Either innocently or purposefully, entities often use this as an excuse,” she said. “They say ‘HIPAA made me do it’ when, in fact, they chose for other reasons not to make the permitted disclosures.”

Safeguarding electronic privacy required a tangle of additional regulations issued in 2003, followed last year by 101 pages of “administrative simplification.”

Ms. McAndrew explained some of the do’s and don’ts of sharing information:

Medical professionals can talk freely to family and friends, unless the patient objects. No signed authorization is necessary and the person receiving the information need not have the legal standing of, say, a health care proxy or power of attorney. As for public health authorities or those investigating crimes like child abuse, HIPAA defers to state laws, which often, though not always, require such disclosure. Medical workers may not reveal confidential information about a patient or case to reporters, but they can discuss general health issues.

Ms. McAndrew said there was no way to know how often information was withheld. Of the 27,778 privacy complaints filed since 2003, the only cases investigated, she said, were complaints filed by patients who were denied access to their own information, the one unambiguous violation of the law.

(Excerpts taken from a New York Times article which appeared in the July 3rd, 2008 paper)


400 W. Midland Ave., Suite 201| Woodland Park, CO 80866 | Ph: 719-686-9700 | Fax: 719-686-9701