Is HIPAA Creating More Problems Than It's Preventing?

Neil Chesanow


September 16, 2013

The Problem of Mental Health Patients and Caretakers

Not all of the problems with the Privacy Rule stem from overreactions to what the law actually says. One genuine problem with the law itself is in its seemingly commonsensical stipulation that it's okay to share patient information with family and friends unless the patient objects.

"The concerns are particularly those of teenagers and young adults, who are dependent on their parents at least to some level," Congressman Murphy, a clinical psychologist, explains. "The emergence of some psychiatric illnesses between ages 14 and 25 years, such as severe schizophrenia, bipolar illness, and depression, occurs at the very time when a person is conflicted with even understanding their own personal issues, including severe mental illness. So if someone is saying, 'I don't want information released because I'm not sick; I do not have a problem,' that sometimes is the very nature of the problem itself."

Yet because "unless the patient objects" appears in the Privacy Rule without qualification, many doctors and institutions feel that they have no choice but to interpret it literally, which can have tragic results. "We have about 750,000 suicide attempts in this country every year," Murphy points out, "and there were about 38,000 suicides last year. I have to believe that in many of those cases, people knew something and didn't pass it on. We have to wonder what would have happened if that communication had taken place."

Last February, Murphy sent a letter to HHS Secretary Kathleen Sebelius on a related problem: the constraints some state and local governments feel under the Privacy Rule on sharing the mental health records of potentially violent patients with the FBI's National Instant Criminal Background Check System (NICS), which surfaced as an issue in the wake of the Newtown, Connecticut, tragedy.

"As you are aware, it is unlawful for individuals who have been involuntarily committed to a mental health facility or adjudicated by a court as mentally ill to possess a firearm," Murphy wrote. Yet "several states, as well as the District of Columbia, did not provide mental health records to NICS over concerns that providing such records violates the HIPAA Privacy Rule."

Another special case is when patients, who are often elderly, don't want family members to know about their condition because they don't want to cause any alarm or be a bother, even though the patients often have chronic conditions and require a caretaker's help.

Under the Privacy Rule, a patient who has reached the age of majority has the final word on whether his or her health information can be shared, regardless of special circumstances, whether it be a doctor's "duty to warn" in the case of a potentially suicidal or homicidal patient or sharing information about patient care with a dependent patient's caregivers when the patient has technically declined.

Does HIPAA Interfere With Biomedical Research?

Problems with the Privacy Rule aren't limited to doctor/patient communication. The rule has interfered with the scope, pace, and cost of biomedical research, critics charge.

"The Privacy Rule creates obstructions most significantly in research requiring access to stored tissues, genetic datasets, patient registries, and data warehouses and medical records," a report by the Association of Academic Health Centers concludes.[2] "These types of information are often crucial in conducting population-based research, which is often at the cutting edge of genomics and studies investigating the causes of life-threatening illnesses, such as cancer and heart disease."

"For the results of population-based research to be robust and scientifically credible, access to medical records or information from thousands of patients is required," the report continues. "The Privacy Rule has rendered obtaining this type of data an arduous and often insurmountable task."[2]

The privacy problems that frustrate biomedical researchers often recapitulate the privacy problems that frustrate patients and their families and friends. They are blamed on HIPAA, but they may actually result from overinterpretations of HIPAA on the part of Institutional Review Boards (IRBs).

Under US Food and Drug Administration regulations, IRBs have the authority to approve, require modifications in, or disapprove research, with an eye toward protecting the rights and welfare of human research subjects. Because IRBs are most commonly found in academic medical centers that are clinical trial sites, they tend to be subject to the same overly stringent hospital privacy policies, ascribed to HIPAA, that make sharing protected patient information so challenging in many other situations not intended by HIPAA.

"If you're a researcher and want to do large population studies on a massive scale based on medical records with identifiable patient information, you need to have your IRB give you both a waiver of the common rules of informed consent and a waiver of the HIPAA authorization," HHS's McAndrew explains. "HIPAA does allow these kinds of massive data transfers pursuant to these waivers."

"This is not really a HIPAA problem that I see," McAndrew says. "It's a problem with IRBs. That's really an internal researcher issue."

Responding to complaints from researchers that the copious paperwork research subjects are required to complete in the name of HIPAA is a disincentive to their participation in clinical trials, "we have always allowed the researcher to combine the authorization they need from the individual under HIPAA with the informed consent that they need under the Common Rule," McAndrew says. "If the researcher wanted to, he or she could always have that done in a single document, so the patient doesn't have to be given reams of paper to fill out."

McAndrew says that the Omnibus Final Rule, the first major revision to the Privacy Rule in 10 years, enforcement of which begins on September 23, "has also reduced the number of documents that must be presented to the patient to recruit that individual into a research protocol."

The Omnibus Rule Makes More Breaches Likely

While the HIPAA Omnibus Rule addresses some problems with HIPAA, it also creates new problems, experts assert. The new regulations arose from a perceived need to ensure the confidentiality, integrity, and security of patients' protected health information in electronic health records and other electronic formats. To this end, the Omnibus Rule significantly modifies privacy and security standards under HIPAA, expanding many existing regulations and increasing the penalties for violations of patient privacy, with a maximum fine of $1.5 million.

"The Omnibus Rule really lowers the bar for what it takes to be a breach of patient confidentiality," says Ronald Sterling, the health technology consultant. "Under the original HIPAA legislation -- and it continued with HITECH [the 2009 Health Information Technology for Economic and Clinical Health Act, which strengthened and expanded HIPAA's privacy and security requirements] -- there had to be financial or reputational harm to the patient for unauthorized viewing of protected information to be a breach of privacy. Now a breach is just if the information is compromised, whether there's harm or not. When you lower the bar like that, it will create a lot more incidents that will become problems."

