Is HIPAA Creating More Problems Than It's Preventing?

Neil Chesanow


September 16, 2013

What Can You Disclose, and to Whom?

According to HHS, the agency responsible for enforcing HIPAA, "The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient's care or payment for care."[1]

The only exception is if the patient objects.

Rodriguez offered these examples:

A nurse can discuss a patient's medical condition in front of the patient's sister, who accompanies the patient to an appointment;

A pharmacist can give an individual's prescription to a friend whom the individual sends to pick up the prescription;

If a patient is unconscious or otherwise is incapacitated, the doctor can share information with family members or friends if the doctor determines, on the basis of professional judgment, that doing so would be in the patient's best interest.

"We designed the rule as much as possible to not get between doctor and patient concerning what the doctor needs to do to treat that patient," says HHS's Susan McAndrew. "We're not in the business of the actual practice of medicine. The rule goes to great lengths to avoid any limitation on communications between the individual and the doctor and the doctor and others as is necessary to provide quality treatment."

Why There's So Much Dislike of the Privacy Rule

Why do so many doctors and patients think that HIPAA is a huge pain? How did the belief that HIPAA put severe restrictions on what a doctor could say take root?

One source was lawyers and risk managers at hospitals and other healthcare institutions who stressed the legal and financial consequences of failing to comply with HIPAA regulations, in particular the Privacy Rule.

Legislation regarding HIPAA and privacy was often vague and subject to legal interpretation. In the absence of clarity and in the interest of self-protection, organizational privacy policies commonly ascribed to HIPAA often went way beyond any actual strictures on communication between doctors and their patients' caregivers, family, and friends.

"A lot of people overthink HIPAA and try to take it to extremes," says Ronald B. Sterling, MBA, President of Sterling Solutions, a health technology consultant in Silver Spring, Maryland.

"People don't really understand what HIPAA says, and they act on what they think it says, or what they think it might say, or what conceivable bad things could happen if you do A or B," Rothstein observes.

As a result, staff training on HIPAA compliance commonly went overboard in interpreting privacy concepts expressed in the law and sent a clear message to doctors, nurses, and other staffers: "If you want to be safe, don't tell anyone anything," the United Hospital Fund's Carol Levine testified. "This training was not so much about protecting patients as protecting oneself and the institution," she said. "The result was what has been called a 'HIPAA scare,' a situation in which even patients were not given information about their condition because of fears that the nurse or doctor would get into trouble."

One professional in the United Hospital Fund's Transitions in Care Quality Improvement Collaborative told Levine that in her organization, even asking a patient whether a family member helps him or her at home is considered a HIPAA violation.
