Thanks, HIPAA!

Overlawyered: More medical privacy madness
Read these and wonder. Hospitals aren’t run by idiots (despite your experience with the billing office); they’re run by very, very smart people who are increasingly risk-avoidant. And when the risks of divulging the wrong information include whopping fines and jail time, guess what? They’re going to be as circumspect as possible.

Thank your congress, not your hospital, for this crap.


  1. You confuse the penalty for deliberate violations with the rather lower penalty for unintentional violations ($250 fine). But let’s consider the three cases:

    1) This information should be kept private. If the parents of the dead child want their identity known, they can call the media themselves. The doctor should not identify specific patients for public spectacle unless there is an overwhelming public safety need. HIPAA applies and was correctly interpreted.

    2) Again, the actual rules being enforced are quite reasonable. Strangers are not permitted to wander the halls and intrude on patients. Genuine visitors known to the patients were not kept out, nor were patients that were interested in receiving guests like Santa denied a visit. It helps to read the original articles. This is a reasonable privacy practice that is generally welcomed by patients. They get enough strangers wandering around their sick room. At least this limits the strangers to medical staff and invited guests. (HIPAA does not require this, but does require that the hospital think about privacy considerations.)

    3) Failure to inform the family is not HIPAA driven. Family is explicitly listed as people who should be informed. Fifth cousin N times removed does not count, but in this case it was close family that should have been informed unless the patient specifically asked that they not be informed. The hospital was just dreaming up excuses to cover their incompetence.

  2. I haven’t confused anything. The line between “deliberate” and “unintentional” is vague at best, and the accused will not get their day in court; they’ll just get fined by the HIPAA enforcers.

    ‘Only’ a $250 fine? Along with all the other PC BS you’d have to go through? (Mandatory training sessions, “he’s the one that was fined for giving out the wrong information”). I now have a policy of not discussing anything with anyone outside the patients’ room. It makes the family uncomfortable, and I’m sorry about that, but since I have no control over who complains about what and am guilty until proven innocent, that’s the way it is.

  3. I think you are over-reacting. Check the HIPAA site at . For example, under “incidental disclosure” you find as a specific example of “reasonable safeguards” the practice of speaking quietly when discussing a patient’s condition with the family in waiting rooms or other public areas. This is from the official HIPAA enforcement agency.

    There is also clear evidence of fear mongers at work in some of the questions asked, like whether special soundproofing is needed for rooms. The answer is NO. They note that furniture placement, signs, and floor markings can be used to create quiet areas for private conversations; but HIPAA does not require special construction.

    As for the fine:
    a) It requires a hearing before an administrative law judge to impose any fine. This can be appealed, etc.
    b) The fine is on the covered entity. Although there is complexity between employee, partners, PCs, subcontractors, etc. it is unlikely that you are the covered entity.

    The real targets for enforcement are two-fold:
    1) Various forms of personal vengeance activity, like the hospital employee who obtained lists of AIDS patients and published them (complete with address and phone information) on the Internet and in neighborhood fliers. Unhappy hostile divorces have been a large source of such activity.
    2) Illegal marketing activity, like the hospital that sold patient records to drug companies for use in direct mail and telemarketing activity.

  4. I suppose my real frustration has to do with another set of regulations to deal with, daily, and to worry about the vagaries of the system.

    Should egregious violators be punished? Yes, without a doubt.

    However, that’s a billionth of a percent of medical interactions, which now have entire squadrons of people trying to regulate every single minute and aspect of my interactions with patients. It’s frustrating as hell.

  5. Oh, and I really do value your knowledgeable and insightful posts! Thanks for visiting!

  6. John Anderson says:

    Maybe the Santa visit, but what about the others?

    In particular:
    Man goes walking to local store, gets struck by hit-and-run, dies in hospital.
    Hospital does not call family for fear of HIPAA and lawsuits. When called, will neither confirm nor deny his presence – same reasoning.
    Family files missing persons report.
    Police say it is not their responsibility to check missing persons against (computerized!!!) hospital or morgue records.
    Family gets bill for services. Funny that accountants can find them to get money; no one else can…

  7. HIPAA is an impenetrable obstacle to those who cannot afford a lawyer to obtain files of DECEASED loved ones. My dead ex-husband and I may have been exposed to something, since the onset of my symptoms and his death were within a few months of each other after meeting at a factory. We had similar lab findings. Without a second mortgage and a lawsuit, I cannot hope to get answers to serious ongoing health concerns.

  8. Remember that people are human. There is a great deal of fear, ignorance, greed, and incompetence surrounding HIPAA. Also, as humans, there is a tendency to find excuses and make rationalizations when a mistake is uncovered and made public. I don’t know which are in effect in the WaPo situation, but if HIPAA permitted a bill it permitted notification.

    Human behavior is also a major part of the motivation for HIPAA privacy regulations. A long time ago physicians’ records were tightly controlled and access was limited to doctors and staff who took their Hippocratic oath seriously. Now they are computerized and have become readily available to thousands of clerks, marketeers, salesmen, and others who feel no Hippocratic duty and have no connection to the patients. Privacy violations were becoming widespread, not “a billionth of a percent”. So now regulations are needed.

    The possible disease cluster situation is more interesting. In hostile divorces there are often malicious efforts to obtain the other’s medical records. So the healthcare provider is quite right to refuse records without proper authorization, especially to an ex-spouse. They should not be the arbiter of marital disputes. The death of one party does not always end these disputes. The healthcare providers depend on the courts to settle these issues and authorize releases when the parties involved cannot resolve the issues.

    There is a mechanism for physicians and public health officials to examine potential disease clusters without violating personal privacy (through techniques such as third party examination of records and record anonymization). You can try using a physician if there is a potential public health risk. If there is no way to persuade an authorized person (e.g. family member) to release the information that you want, and the public health authorities are not willing to investigate, then you do need to involve the courts.