Is HIPAA Creating More Problems Than It's Preventing?

Neil Chesanow


September 16, 2013


Additional Problems That Should Be Addressed

On August 26, JAMA published an opinion piece by 2 researchers at Stanford University School of Medicine on a host of problems with HIPAA that need to be addressed.[3] Among them were technical and implementation challenges of complying with HIPAA rules; administrative and regulatory barriers created by the Omnibus Rule; the legal chain of accountability, costs, and penalties specified by the rule, which affect relationships with vendors with whom even doctors in small practices regularly deal; and complications involving the technological use of protected information.

In addition, security complications created by the advent and rapid proliferation of mobile health apps and devices remain to be addressed. Some 97,000 apps and devices are currently available.[4] A growing number, ranging from blood pressure cuffs, to blood glucose monitors, to iPhone®-enabled electrocardiographs, have remote capabilities, which may allow them to wirelessly connect with an EHR at a distant location to download patient data.

However, enhanced mobility and remote access to protected patient information make it a challenge to implement the security safeguards required by the Omnibus Rule, both for app/device designers and for the healthcare organizations and providers that use their products, and this makes an information breach more likely.

Other problems exist too. For example, HIPAA is not a comprehensive patient privacy law in that it doesn't cover everyone in healthcare who may have access to protected patient information, Mark Rothstein points out. It only covers people and organizations within the traditional insurance-based healthcare system. It does not cover entities that do not take insurance, including concierge and cash-only practices. Doesn't this patient information need protection as well?

But even those with qualms about parts of HIPAA acknowledge its basic effectiveness. "The bottom line is that HIPAA has been a pretty successful program, from the perspective of establishing a baseline so that people don't have to deal with all the differences in patient privacy laws in the various states," Sterling concedes.

Even Rothstein, who chaired a statutory public advisory committee to the Secretary of HHS on health information policy from 1999-2008, and who has been a prominent critic of HIPAA, hastens to add that "I think we need to amend HIPAA, but I think it would be a terrible mistake to just get rid of it."

Can HIPAA Be Fixed?

Efforts to educate physicians on what is permissible in doctor/patient/family communication under HIPAA are in progress. HHS has a helpful Webpage for doctors and other providers that summarizes the HIPAA Privacy Rule in plain English.

Specialty societies have a key role to play in spreading the word. The AMA has a Webpage for doctors, Frequently Asked Questions about HIPAA, that clears up much confusion about what can and can't be said, and to whom.

As part of its new outreach effort, OCR has partnered with Medscape to offer a 23-minute slideshow for continuing medical education credit, Patient Privacy: A Guide for Providers. In this slideshow, moderated by OCR Director Leon Rodriguez, a range of privacy issues are discussed and clarified.

But much more needs to be done. For example, "the Centers for Medicare & Medicaid Services should urge hospitals and other covered entities to review their policies and practices to merge privacy considerations with good clinical care," Carol Levine asserts. "They should also develop simple statements for patients and families about the protections in place for the security of data and how their data will be shared with other organizations."

