Sunday, December 29, 2013

Should HIPAA Compliance Guard All Protected Medical Information?

Everyone is familiar with the acronym HIPAA, which is the 1996 edict called the Health Insurance Portability and Accountability Act.  Isn’t that a smooth and melodious name?

These are rules & regs that are designed to protect your confidential protected medical information.  I support the mission.  I don’t think that your medical records should be deliberately or inadvertently shared with those who are not lawfully permitted to view them.
  •  Medical charts (remember when there were medical charts?) should not be left open on the counter.
  • A physician should not yell to front desk personnel within earshot of others to give the patient a psychiatric referral.
  • Elevators are not proper venues to have medical discussions about specific patients.
  • Medical information should not be disclosed to inquiring friends and family without permission.
I maintain that HIPAA has been OperationOVERKILL for many physicians and staff.  Keep in mind that doctors, at least in my generation, have been imbued with a culture of confidentiality.  For me, HIPAA has not changed my personal practices as I’ve always kept protected information private.  There are entire industries now whose function is to assure that billing software, electronic medical records (EMR) and various medical vendors are ‘HIPAA compliant’.  Of course, I recognize that the EMR era has unique privacy concerns that must be addressed.  Yes, privacy and protection are necessary, but HIPAA often extends further than it should and is often the grist for office eye-rolling banter.

HIPAA Enforcment Training Mission

But, as is often the case with bureaucratic mandates, common sense is left at the curb.  Clearly, there are circumstances where absolute compliance should be relaxed even if this is a technical violation.  Do we really want 100% HIPAA compliance?  Do we ever want 100% compliance in any sphere?  If we insist on a policy of zero tolerance of weapons in our schools, for example, do we support suspending a second grader who fashioned a gun out of a Pop-Tart?   Zero tolerance invariably leads to absurd situations.

A woman fell and was sent by her doctor to the emergency room so that ankle x-rays could be done.  Fortunately, there was no fracture.   Afterwards, the doctor’s staff called the hospital to have the relevant records faxed, but the request was denied.  The heavy hand of HIPAA was firmly raised.  They would need a signed release by the patient to authorize transfer of records to the very doctor who sent the patient to the emergency room in the first place.  The reason given was to be faithful to HIPAA.   The woman does not have a fax machine and had to hobble from her condo to the front desk for the signing and faxing ceremony.  Luckily, this forced ambulation did not further damage her ailing ankle.

Readers might be wondering how I am knowledgeable about an individual’s private medical information.  The patient is my mother.   I share the vignette even though I did not obtain her signed release authorizing me to disclose her protected medical information to my millions of readers.  I now live in fear that a middle-of-the-night knock on the door will be the HIPAA police.  If this blog and its author disappear, then you will know what happened. 


  1. I was tasked with teaching HIPAA compliance to hospital staff during the initial years of its implementation. Your photo of the HIPAA Compliance Enforcement Team is spot-on!

  2. Great comments on HIPAA. You could go on to mention how debilitating HIPAA is, when you're with you 17 year old son after a C5 fracture looking to the PTs MDs and Techs at a spine center to just give you one iota of positivity or hope: "Andrew, I think you're going to walk again and maybe even void on your own, because there was a young man here a few years ago who had similar return and tenacity as you do and he walked again. Largely due to HIPAA or an incredibly phlegmatic medical staff, the hope Andrew received and ultimately actied on was our ever-growing network of other SCI survivors.

    Sadly, patients aren't able to (easily) reach out to other people who have suffered similar injuries/illnesses. Does anyone talk about this?