How HIPAA Can Harm Patients

Andrew N. Wilner, MD


April 23, 2021


I recently became aware of a case where a medical intern correctly performed a procedure but on the wrong patient. It was intended for the patient in room 501, but the patient in room 510 received it. Whoops! Unfortunately, medical errors due to mistaken identity are not rare.

A Perfect Storm

How did it happen? The medical error triggered an administrative inquiry, required by law in many states. As is usual when a major accident occurs (eg, a plane crash, a power outage, a ship stuck in the Suez Canal), a perfect storm of factors contributed.

First, the doctor had just begun his rotation and didn't know the patients. Second, there were more patients than usual. Third, both patients in rooms 501 and 510 were confused and didn't know their own names. (Patients are often too ill, injured, or disabled to speak up for themselves.) Fourth, due to COVID-19 visitor restrictions, no family members were present. Fifth, the nurse was overwhelmed with too many patients to notice the error. Sixth, no formal "time out" protocol was followed (see below).

Luckily, other than the inconvenience and discomfort, the patient suffered no permanent injury. The young doctor, however, continues to suffer guilt over his error.

'Never Events' and the Intent of HIPAA

All six factors contributed to this "never event," a test or procedure on the wrong patient that should never occur. To eliminate never events such as "wrong patient, wrong site," surgeons routinely employ Joint Commission–mandated "time out" protocols in the operating room. Hospitalization presents many opportunities for wrong-patient errors by physicians, other caregivers, and administrative employees.

According to a Veterans Administration training manual, "All patients expect to and deserve to receive medical care that is free from errors or preventable harm. However, due to the complexity of our nation's health care systems, it is not uncommon for errors to occur." The ECRI Institute collected 7613 wrong-patient events that occurred at 181 healthcare organizations over a period of less than 2 years.

A contributing factor to wrong-patient errors is a misguided emphasis on patient privacy related to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The legislation has many aspects, but its primary intent was to ensure that patients do not lose health insurance between jobs. The HIPAA Privacy Rule, issued in 2000 (with compliance required from 2003), recognized that computerized health records pose a risk of inappropriate access. Consequently, the rule defined "Protected Health Information (PHI)" and set out rules for its use and disclosure.

HIPAA protects the information that doctors, nurses, and other healthcare providers place in the medical record, guarding patient privacy with the full force of federal law. The Privacy Rule permits use and disclosure without the patient's authorization for treatment, payment, and healthcare operations; most other uses require the patient's written authorization. Civil penalties for violations run up to $50,000 per violation, and criminal violations committed for commercial advantage or malicious harm carry fines of up to $250,000 and 10 years in prison.

Patient Privacy

Patient privacy is hardly a new concept. It dates back at least to Hippocrates! Here's what he had to say in his storied and eponymous oath:

Whatever I see or hear in the lives of my patients, whether in connection with my professional practice or not, which ought not to be spoken of outside, I will keep secret, as considering all such things to be private.

Many people prefer to keep details of their physical and mental health confidential. Frankly, I used to feel the same way. However, I've learned that excessive emphasis on privacy can lead to unwelcome unintended consequences.

Excessive privacy protection may impair patient safety. For example, when I was a medical student (more than a decade before HIPAA), patient names were prominently displayed on their charts and rooms. To safeguard patient privacy, this is no longer the case. In day-to-day practice, nurses and other healthcare providers resort to identifying patients by their room number, the root cause of the error that triggered this commentary.

Who's on First?

While it might appear that identifying patients by room number makes sense, in practice, it doesn't. Take this patient, who spent 5 days in the hospital:

Our patient begins her hospital journey in the ER, a visit prompted by cough and fever (Room #1). A few hours later, the ER doctor admits her to the medical ward (Room #2). A disruptive patient has to be moved closer to the nurses' station, so he switches rooms with our patient (Room #3). Because our patient has changed rooms, she has not received the medication prescribed in the ER a few hours prior and develops shortness of breath.

No one notices her distress because she is in a private room far from the nurses' station, and the nurses are busy during a shift change. When finally discovered, the patient is gasping for air. The rapid response team arrives, intubates her, and transfers our patient to the ICU (Room #4). After a couple of days in the ICU, she improves and goes to a step-down unit for another 2 days (Room #5). She continues to do well and returns to the medical ward (Room #6).

That's six rooms in 5 days, an average of 1.2 rooms per day. After a blessed recovery, the patient returns home. Her only complaint is a bit of dizziness, perhaps related to her new medications, transient cerebral hypoxia, and frequent room changes.

Although the Privacy Rule permits healthcare providers to share records with one another for treatment without the patient's authorization, doctors' offices and hospitals, citing HIPAA, typically refuse to share medical records with other healthcare providers without a "release of information." While this policy protects patient privacy, obtaining such releases is often time-consuming or impractical. The frequent result is that the records arrive too late or never, doctors repeat tests and procedures unnecessarily, and patient care suffers.

Wasted Time and the Misinterpretation of HIPAA

To make matters worse, lack of "prior authorization" may obstruct a relative's attempts to learn of a patient's condition. I vividly remember one rainy night as I frantically drove to the hospital to attend to my elderly father, who had been abruptly admitted to the ICU. On my way, I called the nurses' station to inquire about his condition. The duty nurse informed me that she could not share that information because my father had not signed a release of information. When I finally arrived at the hospital, my father was hypotensive, barely conscious, and at death's door. He was in no condition to sign a release!

In fact, no release was needed. The nurse had misinterpreted HIPAA guidelines: the Privacy Rule's facility-directory provision allows a hospital to disclose a patient's location and general condition to anyone who asks for the patient by name (unless the patient has objected), and a separate provision allows disclosure of information relevant to a family member's involvement in the patient's care. Sadly, such misinterpretations of HIPAA are frequent and deprive caregivers, families, and law enforcement of vital information. Overinterpretation of HIPAA can also impede clinical research by limiting data transfer.

Computerized documentation demands limit direct patient contact for healthcare providers. One feature of electronic medical records (EMRs) that increases documentation time and frustration is their security programming: to keep unattended screens from prying eyes, EMRs automatically lock or log the user off after a short idle period (automatic logoff is an addressable specification of the HIPAA Security Rule, 45 CFR 164.312(a)(2)(iii)). The practical consequence for nurses, physicians, and other healthcare providers is a colossal waste of time.

Here's a real-life example. A nurse checks a patient's EMR for a medication order. She enters the room to ask if the patient has any allergies. The patient says no. The nurse returns to the chart to check the dose. The EMR has shut down. The nurse enters her ID and password and waits for the EMR software to start back up. While waiting, another nurse asks for her assistance and she goes to help. Upon her return, the EMR has shut down again. When it restarts, the nurse realizes that she doesn't know the patient's full name and can't locate the patient in the EMR.

While she searches for a colleague who knows the patient's full name and birthdate, the EMR shuts down again. Finally, armed with the correct name and date of birth, the nurse logs back in, finds the chart, and reads the dosage. When she enters the patient's room, the patient complains that she's been waiting a long time for her medication. The nurse patiently explains the delay. After administering the medication, the nurse returns to chart the dose, but the EMR has shut down again. She enters her ID and password and waits.

Nurses and other healthcare providers submit to this dance countless times a day. This incredible inefficiency exists to protect patient privacy. Next time you are hospitalized and press the nurse call button without response, HIPAA may be the culprit.


Although well intended, HIPAA may do more harm than good. While no one should rummage around medical records without good reason, an exaggerated emphasis on patient privacy facilitates medical errors and results in staggering inefficiencies. Medical administrative systems should not waste time or set healthcare providers up for mistakes.

As my age advances, so does the likelihood of severe illness and hospitalization. When that happens, tape my name to the door and tattoo it on my wrists and chest. Please don't let mistaken identity cause unnecessary pain, suffering, or my untimely demise.

Don't hesitate to share my medical misfortune! Cards, flowers, gifts, and visitors are welcome, as are social media posts. Let everyone know where I am, because hey, I don't want to miss out on one scintilla of sympathy or a kind word in anyone's prayers.

Don't worry about my privacy. I gave my permission, so the Privacy Rule doesn't apply.

And as a small irony, the patient details herein are fictionalized to comply with HIPAA.

Andrew N. Wilner, MD, is a professor of neurology at the University of Tennessee Health Science Center in Memphis, Tennessee.
