Is HIPAA Creating More Problems Than It's Preventing?

Neil Chesanow


September 16, 2013

What Should Be Done With HIPAA?

Perceived problems with doctor/patient communication ascribed to HIPAA, as well as a host of other complaints arising out of intrinsic problems with the legislation (such as its negative impact on biomedical research), have caused thought leaders from every quarter of healthcare to call for key changes and major streamlining efforts. However, even those who believe most ardently that HIPAA is in need of revision also feel that the law fulfills a real societal need.

"The great thing about HIPAA is the extent to which it has produced a heightened awareness of and need for patient privacy," says pathologist George D. Lundberg, MD, Editor-in-Chief of CollabRx, a healthcare data analytics firm in San Francisco, and Medscape's Editor at Large. "I grew up in a time when family members and almost anybody else could learn all sorts of things about individual patients simply by riding an elevator in a hospital, where doctors would be talking quite freely about what's going on with Mrs. Jones, and anybody and their brother could hear and figure out who that was. I thought that was awful."

Mark A. Rothstein, JD, Herbert F. Boehl Chair of Law and Medicine and Director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine in Kentucky, also remembers "the good old days before the HIPAA Privacy Rule, when it was very common for ob/gyns to sell lists of all their pregnant patients to marketers," he says. "Back then, the 50 states had weak, ineffective, often conflicting privacy laws, and only about half of them granted patients the right of access to their own medical records."

Without HIPAA, Rothstein cautions, "we'd be back to self-policing by healthcare enterprises -- the same ones that, even under HIPAA rules, can't manage to avoid having snoops and hackers look at the records of celebrity patients when they're staying in their institutions, and that can't get across to people that it's not a good idea to take unencrypted patient information home on their laptops or mobile devices."

What the Privacy Rule Actually Permits You to Do

HIPAA was enacted in 1996. Its intent was to improve the efficiency and effectiveness of the healthcare system by promoting the electronic exchange of health information for administrative and financial transactions, such as submitting claims for treatment provided or determining insurance eligibility.

"At the same time," Rodriguez explained in his testimony, "without proper oversight, advances in electronic technology could erode the privacy and security of health information. To address this, HIPAA requires that certain providers, health plans, and healthcare clearinghouses adopt federal privacy and security protections."

The HIPAA Privacy Rule, finalized in 2003 and revised several times since, was meant to sort out the problems inherent in 50 conflicting sets of state privacy laws by offering uniform national standards for healthcare privacy.

The Privacy Rule requires that organizations and people within the commercial health insurer or federal payment system, known as "covered entities," have safeguards in place to ensure the privacy of patients' identifiable health information. The rule also details the circumstances in which covered entities may use or disclose an individual's health information, and it gives patients the right to examine and obtain a copy of their health records and to request corrections, Rodriguez said.

