This morning, vindication! When a long New York Times investigative piece says exactly what you have been saying for a long time, it feels very good.

So it is with this morning’s thumbsucker [reg/$$ req’d] about the ridiculous overzealousness and misunderstanding of HIPAA by health care professionals. HIPAA is the Clinton-era law that was principally concerned with making health insurance portable, but has become better known for its privacy-protection requirements. (In fact, the statute largely delegated development of all the details of the privacy provisions to the Department of Health and Human Services, which engaged in a lengthy and torturous rulemaking process.) As recounted at length in the Times piece, many employees at hospitals, doctors’ offices, and insurance companies use the statute’s supposed requirements as a shield for bureaucratic inflexibility in releasing information, even to close family members of an incapacitated patient. I have had numerous encounters with just such ill-informed stubbornness myself, and I find it maddening. (You can only imagine some of the arguments I have had with telephone receptionists who blindly invoke HIPAA.)

In addition to the direct trouble it causes for patients and their family, I fear the continued misuse of HIPAA undermines support for all privacy regulation. This is the only direct contact many people will ever have with privacy law in action. Who could blame them if they conclude that legal privacy restrictions are for the birds? Disregard for patient privacy was widespread before HIPAA, and I have no doubt legal regulation was called for. There have been 27,778 complaints under the law. But those harms are less visible to most of us than the new harm of mindless overprotection.

What’s fascinating is that the excessive caution in response to HIPAA comes against a backdrop of extremely low risk of sanctions. Exclusive enforcement power lies with HHS — the law provides no private right of action. And HHS has never imposed any civil or criminal penalty (although there are three criminal cases ongoing at the moment, those situations are extreme outliers). What explains this risk aversion given the vanishingly small risk of any real penalty?

The article points to one cause: the regulations are long and often vague (though not as bad as some claim); it is always easier to say “no” than to figure out how to say “yes.” HHS must do a better job at presenting plain-English materials. Training of front-line staff — who often have the most public contact — also needs to improve. There are policy changes that could help with these problems, starting with greater effort at HHS.

In addition, I blame the army of consultants who descended on the health care industry after HIPAA passed and exaggerated its complexity to claim that only retention of their high-priced services could ensure compliance. Many offices are still spooked by that sales pitch. Increased clarity from HHS might help here too.

Finally, I agree completely with the HHS official who told the Times,

“Either innocently or purposefully, entities often use this as an excuse. They say ‘Hipaa made me do it’ when, in fact, they chose for other reasons not to make the permitted disclosures.”

I call this last phenomenon “HIPAA-cracy.” You often see the same mindset in dealing with, say, insurance coverage disputes. Inflexibility and unhelpfulness are all too often a part of the modern health care experience. And I’m not sure whether any amount of careful regulatory design can overcome that.

[Cross-posted at Info/Law]

You may also like...

8 Responses

  1. Frank says:

    Excellent points, all. It reminds me of a the constant evocation of “security” when anyone asks for any flexibility re established procedures.

    It’s particularly sad here because HIPAA-cracy may undermine any chance we have of a coherent, interoperable, electronic medical records system; see, e.g.,


  2. Eric Goldman says:

    You write: “I fear the continued misuse of HIPAA undermines support for all privacy regulation.” I hear what you’re saying, but I would phrase it differently. HIPAA vividly demonstrates the true costs of privacy regulation–whether the overprotection is rational or not, it was predictable and inevitable, and the resulting hidden costs should give us pause when contemplating other new privacy regulatory efforts. Eric.

  3. William McGeveran says:

    I don’t think the industry response was “inevitable,” or a “true cost.” Other industries have managed to integrate privacy requirements, here and in other countries, without so much apparent overprotection.

    But certainly you are right that, since a big part of the problem here was poor design of these particular regulations, HIPAA is a cautionary tale for lawmakers in future.

    And what I meant was, if average citizens see HIPAA as the best we can do, then public support for undertaking privacy protection measures at all will be (unreasonably) reduced.

  4. Doug Sylvester says:

    Not much to add here except to say that you are overlooking the role that privacy lawyers have played in this arena. I had the (mis)fortune of working for a firm at the moment GLB came into effect and our firm went to full court press to convince clients to take a far more “protective” (read: apparatchik enforced) view of GLB than I think was necessary or even wise.

    My guess is that most doctors use lawyers to explain what HIPAA means and, as a result, are prone to accept the view that it means “no information at any time to anyone…even the patient.” The over-reaction of people to privacy issues is only made worse by the actions of the bar in overhyping both the dangers (to my mind) of over and under compliance with these “laws” and, worse, “public expectations” of privacy.

    Ok–I think I’ve overplayed my hand here…

  5. Doug Sylvester says:

    Ok–I’m not usre you overlooked the role that lawyers play..you were just too nice in calling them “consultants.”

  6. David Harlow says:

    Well, folks, it’s not true only if and when the NYT says it is . . . Lots of ridiculous behaviors have been inappropriately blamed on HIPAA for at least as long as the regs have been in effect. But hey, it’s only one link in a chain . . . . As a practicing health care attorney, I see HIPAA as just the latest fig leaf some parties try to use in explaining behaviors or in negotiating a deal when they don’t want to do something — as in, gee, I’d really like to agree with your reasonable request but I can’t (HIPAA made me do it). Before HIPAA it was Stark, the Anti-Kickback Statute, or incomplete readings of other regulatory schemes.

    Some states (including mine, the Former People’s Republic of Massachusetts) have privacy rules stricter than HIPAA in many respects so the HIPAA-cracy is perhaps less pronounced than it is elsewhere.

    See my post on rampant HIPAA confusion at: http://healthblawg.typepad.com/healthblawg/2007/05/hipaa_confusion.html

  7. Mary H says:

    I read the NYT article with interest and curiosity. You all can scorn those of us who toe the overzealous line undertaken by our employers, but your jobs are not at stake. As a lowly psychiatric social worker I WILL be terminated immediately if I give information to family members trying to help their relatives, unless I have a current release. Yes, it’s cruel and ridiculous and interferes with care, but I won’t help my patients by getting fired because our corporate compliance officer is, um, eager. She has put a regulation in place where we cannot even use patient last names in our own internal emails to need to know staff. Indeed, under HIPAA we’re told that we can’t confirm or deny that a person receives treatment from us even if the relative or partner calling regularly attends appointments with the patient. I agree that’s it’s ridiculous and I’m furious that I’ve been lied to, but it doesn’t help my real life situation.

  8. Stella Brown says:

    I can understand telephone privacy, as well as all the digital/portable data; (which seemingly can be given to just about anyone, other than family). Digital info is NOT the reason family and friends go to the hospital, F-ing Retards!!! We go there to see our loved ones; possibly for the very last time before they die from neglect and infections the hospital staff could have prevented if they cared about human life more than money and power.

    I was refused the RIGHT to see my FATHER before he died. Why? Keep people who actually do “CARE” away from their loved one while the staff doesn’t bother to tell Charlie Brown, “Hey, your daughter loves you and wants to see you; we wouldn’t tell her any ‘personal information’; Like where you were moved to, or what kind of infection we gave you, this time…”

    No! We are scared of violating Hipaa, so we just let elderly stroke patients sit here (all slumped over and dirty, lonely, wondering why his daughter won’t come and see him?) with at least three tubes in his body which should have been out long ago!!! One of those tubes, probably the “feeding” line is where the gastro infection entered; and the other one is just standard protocall, right? The one in the throat keeps him here till the ins. runs out, or till ya’ll kill him. Yes, I said it! He died thinking I didn’t love him; because you fools don’t use common ethics which have always been standard. When friends and family show up to comfort their loved one, you do not send them away crying and intentionally never bother to let the patient know what sort of bull shit is actually happening right here in the U.S. of Asinine.

    Alma and Debbie, I will never forget you two pieces of dirt