Are Patient Privacy Laws Being Abused to Protect Medical Centers?


This story was co-published with NPR’s “Shots” blog.

In the name of patient privacy, a security guard at a hospital in Springfield, Missouri, threatened a mother with jail for trying to take a photograph of her own son. In the name of patient privacy, a Daytona Beach, Florida, nursing home said it couldn’t cooperate with police investigating allegations of a possible rape against one of its residents.

In the name of patient privacy, the U.S. Department of Veterans Affairs allegedly threatened or retaliated against employees who were trying to blow the whistle on agency wrongdoing.

When the federal Health Insurance Portability and Accountability Act passed in 1996, its laudable provisions included preventing patients’ medical information from being shared without their consent and other important privacy assurances.

But as the litany of recent examples shows, HIPAA, as the law is commonly known, is open to misinterpretation – and sometimes provides cover for health institutions that are protecting their own interests, not patients’.

“Sometimes it’s really hard to tell whether people are just genuinely confused or misinformed, or whether they’re intentionally obfuscating,” said Deven McGraw, partner in the healthcare practice of Manatt, Phelps & Phillips and former director of the Health Privacy Project at the Center for Democracy & Technology.

For example, McGraw said, a frequent health privacy complaint to the U.S. Department of Health and Human Services Office of Civil Rights is that health providers have denied patients access to their medical records, citing HIPAA. In fact, this is one of the law’s signature guarantees.

“Often they’re told [by hospitals that] HIPAA doesn’t allow you to have your records, when the exact opposite is true,” McGraw said.

I’ve seen firsthand how HIPAA can be incorrectly invoked.

In 2005, when I was a reporter at the Los Angeles Times, I was asked to help cover a train derailment in Glendale, California, by trying to talk to injured patients at local hospitals. Some hospitals refused to help arrange any interviews, citing federal patient privacy laws. Other hospitals were far more accommodating, offering to contact patients and ask if they were willing to talk to a reporter. Some did. It seemed to me that the hospitals that cited HIPAA simply didn’t want to ask patients for permission.

The incident at the Missouri hospital, Mercy, began after Mandi Wilson took her son to an audiologist to get his hearing tested, according to the Springfield News-Leader. The paper went on to say:

Wilson was taken to an office where she was questioned by a security guard. The video of the incident, which she later posted on YouTube, records him asking for her phone to verify that the pictures she took had been deleted. The video, which Wilson took secretly, doesn’t show faces but includes audio.

The secretly recorded video shows that when Wilson refused to hand over her phone, the officer told her she would be barred from returning to Mercy property and could be taken to the Greene County Jail if she came back.

“You’re being trespassed for violation of HIPAA,” the officer said, referring to the federal regulation governing privacy rights for patients. “…I’m informing you now that you’re being trespassed. If you come back on the property, you will be detained and taken to the Greene County Jail.”

“Because I took a picture of my son?” Wilson asked.

A Missouri mother recently posted this video on YouTube of what she claims to be an encounter with hospital security after taking a picture of her son during an audiology test.

A hospital spokesperson told the newspaper that it is reviewing how its photo and video policy is being enforced.

The Daytona Beach police chief filed a complaint to the Florida Agency of Health Care Administration saying that, based on HIPAA, “his detectives have been impeded from investigating a possible sexual battery of a 75-year-old resident at a local healthcare facility,” the Daytona Beach News-Journal wrote.

Brian Lee, a director of Tallahassee-based Families for Better Care, said he has never known medical privacy laws to inhibit a criminal investigation in Florida.

“That’s unheard of that they would bar police from the nursing home,” said Lee, who advocates for nursing home residents and their families. “They should be working to get this investigated as quickly as possible, using any agency they can to get answers to what happened.”

Lawyers for the nursing home, Daytona Beach Health and Rehabilitation Center, told the paper that privacy laws prevented them from turning over information without a subpoena. An attorney hired by the home’s parent company told the paper he found no evidence of any sexual assault.

The HIPAA issues involving the VA emerged as the department grappled with a scandal in which employees were accused of falsifying records to disguise how long veterans were waiting for appointments, drawing ire from veterans groups and lawmakers and prompting the ouster of senior leaders.

The Washington Post reported that the top lawyer for the American Federation of Government Employees cited several cases in which the VA invoked patient privacy restrictions to “stifle whistleblowers.”

“We routinely hear from our members who wish to make disclosures about problems with the patient care system and other conduct within the VA,” the union’s lawyer wrote in a June letter to the VA’s general counsel. “Most are reluctant to do so both because of a history of reprisals by VA management, and because of recent experience with laws designed to protect patients which are instead being used as a sword against employees by VA management.”

The letter cited how two employees were unable to get a written HIPAA waiver in order to report information to the Office of Inspector General.

“VA routinely uses HIPAA as an excuse to punish into submission employees who dare to speak out,” Rep. Jeff Miller (R-Fla.), chairman of the House Committee on Veterans’ Affairs, told the Post.

McGraw said that HIPAA has specific allowances for police officers investigating crimes and for whistleblowers sharing information with government authorities.

“You certainly can disclose patient information for health oversight activities, including government oversight over government benefit programs,” she said. “You certainly can disclose when a police officer comes and is investigating a crime. …There are provisions in HIPAA that allow them to make a disclosure about a victim of crime as long as the victim has agreed or they’re incapacitated.”

What’s been your experience with patient privacy? Email Charles Ornstein at charles.ornstein@propublica.org to let him know.


12 replies »

  1. Hello,
    I think they should give more attention on the security of patient data and information. Asking question from patient and having talk with patient is other issue and don’t need to worry much about that.


  2. Neither nurses nor doctors will speak with primary family members, about the illness, except when they want to operate or go palliative. This is especially an issue for mental health units and workers.

    These same hospitals, however, are sending to me, in error, medical records of patients I do not know…by facsimile and US Mail.

    I have a huge stack of them.

  3. @Bobby: “Twice is, well…” a lot of things. Let’s see, it could still be a typo, simple error, muscle memory or even an incorrect entry into the spell checker amongst other things.

    I’ll take understanding the definition of a word over spelling it correctly if you understand my meaning. Of course it could be shorthand for hippopotamus using the female gender (Spanish) which describes my feelings behind much of HIPAA.

    But thanks anyway for this major step forward in advancing healthcare understanding. I am sure this contribution will be one of the better ones we have seen over the past six years.

  4. I think Saurabh Jha says it best:

    “Regulations gut common sense”

    Government can be vindictive especially in the healthcare sector similar to what was rightfully seen in the Capone investigation where Capone was convicted for IRS regulations, not his beastly criminality. Government’s baffling regulations permit government to investigate and intimidate healthcare providers. It can be a minor unknown and unused rule that permits government to harass those law abiding citizens to make them do government’s bidding even though everything else that they were doing didn’t violate any law or other regulation. Government can create criminality where it doesn’t exist. Though the judicial system can clean up these problems the cost is too high for the individual under investigation and government has sovereign immunity.

    When government does that to law abiding citizens it makes them cringe and act in a fashion that is not helpful. Moreover, the instructions given to those who function distantly from those in charge have to be overly simplistic which leads to a lot of the problems we see.

    HIPPA laws seem to spend most of their initiative in the healthcare workplaces, but permit other places to act like sieves that permit private information to leak out everywhere. That makes HIPPA somewhat of a joke.

  5. Charles. Your assertion that a hospital did not facilitate your desire to interview patients is “bad or wrong” is beyond meritless. Be honest they didn’t do what you wanted them to and as an eager beaver reporter you were angry that they appropriately denied your access to the patients and didn’t waste their own resources to aid you in your quest for the scoop. And really what dire need for information was there? Oops. Bang. Ouch. Hurt Bad.

    What you have unwittingly done my friend is bought in to this Alinsky-esque proletariat struggle with healthcare providers/hospitals as the antagonist portraying routine business matters as some evil master plan (really you cite some security guard with a sixth grade intellect as a legal authority on patients privacy.) I realize your piece is op-ed. But kindly support your position with data rather than an anecdote. These techniques you employ may work better with a less sophisticated audience (i.e. that security guard).

  6. I worked on my HIE’s HIPAA Privacy and Security Task Force. You’ve basically got “HIPAA Lutheranism” — a “priesthood of all believers,” EACH with their own conflicting interpretations of what the laws (the 1996 original and the 2009 revision) and the ensuing regulations “mean” and require (and that’s just on the Health IT BA’s and provider sides).

    We worked for well over a year haggling over our policy regarding “opt-in” vs “opt-out” alone under Nevada law SB43 (unlike most federal laws and regs, HIPAA is subservient to “stricter” state laws and regs**), with the lawyers always demurring for “further review” (at, of course, $500 an hour).

    The meat is pretty much all in the voluminous regs — 45.CFR.164.3, .4, and .5 et seq. Only 13 of the 167 pages of the 1996 law go to ePHI privacy and security (it’s an insurance reform law with an 11th hour tossed-in privacy and security bone). Worse, in the regs, there are “standards” clauses (meaning explicit compliance — “bright line”) and “addressable” stipulations (open to interpretation regarding adequate compliance via acceptable, less onerous proxy measures, or simply “N/A”).

    “Sometimes it’s really hard to tell whether people are just genuinely confused or misinformed, or whether they’re intentionally obfuscating,” said Deven McGraw…
    Yeah. I’ve met her. She’s right. It’s both, really, depending on the issue.

    Part of my work involved onsite Meaningful Use consulting for my REC (compliance with 45.CFR.164.308 being a “Core MU Attestation Measure”). Virtually EVERY TIME I went to a clinic I saw one or more clear HIPAA violations. More than one EHR vendor blithely assured my clients that simply by using their ONC Certified app, they were in compliance.


    ** State supremacy begs a particularly interesting question, one pertaining to patients being treated in one or more states other than that of their legal residence (or, even worse, international patients). Again, you’ll get ad hoc opinions out the wazoo on this problem, but I think it won’t really clarify until we get tort decisions and case law.

  7. I have been amazed by the number of comments I’ve seen today from patients and providers who’ve described how HIPAA has been used as a shield, a sword, a crutch and a weapon. What are your stories? Please share.

  8. Another example of good intentions gone wrong. It’s a great boon for attorneys, though.

  9. Collateral damage, I’m afraid. Regulations gut common sense and give many extreme pleasure in following the letter of the law, uncompromisingly.

    Regulations are an excuse to abandon initiative. For those with initiative regulations beat them down and render them into helpless Pavlovian dogs.

    The proliferation of rules and regulations is the biggest cancer on society.

    It seems that some believe to solve the problem brought about by regulations is to create even more of them.

    So the problem won’t go away anytime soon.

  10. Great piece, Charles. Glad to see you tackling the subject.

    This is a huge problem. And something I’ve run into routinely in my dealings with hospitals. HIPAA needs clarifying regarding our rights and our responsibilities.

    In my experience, HIPAA is often cited as a good way to avoid having to deal with a distracting patient asking too many questions when people have ten other things to do. I’m pretty sure if I were a nurse (if you can imagine Nurse Bubba), I’d resort to the same strategy.

    But there is clearly the butt covering issue as well – which is very real – and a big problem.