Is HIPAA Creating More Problems Than It's Preventing?

Neil Chesanow


September 16, 2013

What Can You Reveal, What Do You Risk?

If you have similar concerns, here's some surprising information:

Susan McAndrew, JD, Deputy Director for Health Information Privacy at the Department of Health and Human Services (HHS), which oversees HIPAA, says that it's okay for Rosenberg to send reports to patients by snail mail, even if someone else inadvertently opens the envelope when a report arrives.

It's okay for Mintz to communicate with his patients by unsecure email, although he should exercise some professional judgment as to how much confidential information to reveal in an email that could in theory be hacked, McAndrew says.

It's even okay for Auwaerter to update family and friends on the patient's condition without filling out any special paperwork -- especially if the patient has given his or her permission, but even if the patient is incapacitated and unable to.

"HIPAA is cool with friends and family," McAndrew says.

Nor need Auwaerter be concerned about the threat of substantial -- or any -- fines for making an innocent mistake, says McAndrew. The fines for committing HIPAA violations have indeed been substantially raised, but this was intended as a shot across the bow of large healthcare organizations with repeated HIPAA security and privacy violations, not individual doctors acting with the best of intentions on a patient's behalf.

In fact, far from handing out penalties right and left, the Office for Civil Rights (OCR) at HHS has imposed only 13 monetary "Resolution Agreements" (i.e., fines) out of approximately 80,000 complaints that it has received since the HIPAA Privacy Rule went into effect in 2003, testified Leon Rodriguez, JD, Director of OCR, at a congressional subcommittee hearing on HIPAA last April.

Rodriguez further emphasized that the OCR normally reserves significant monetary sanctions for ongoing failures to comply with sets of HIPAA rules, not to penalize single violations that are identified and resolved quickly. "The OCR largely concentrates its enforcement efforts on large, systemic failures to comply with the HIPAA rules," he said.

What if an unconscious patient wakes up in the hospital and takes umbrage that a doctor, using his or her professional judgment, revealed her condition to a visiting relative but the patient didn't want the relative to know?

At the same hearing, Carol Levine, MA, Director, Families and Health Care Project at the United Hospital Fund in New York, pointed out that "an individual who believes that protected health information has been inappropriately disclosed has no legal recourse under HIPAA other than a complaint to OCR."

Nor can you be sued for a HIPAA violation. "Although HIPAA creates a right to privacy," Levine said, "there is no right to sue a doctor, nurse, or hospital. The individual can file a lawsuit under state law alleging violation of privacy and would bear the burden of proving harm, but HIPAA would not be a factor."
