When Federal Privacy Laws Protect Hospitals Instead Of Patients
In the name of patient privacy, a security guard at a hospital in Springfield, Mo., threatened a mother with jail for trying to take a photograph of her own son.
In the name of patient privacy, a Daytona Beach, Fla., nursing home said it couldn't cooperate with police investigating allegations of a possible rape against one of its residents.
In the name of patient privacy, the U.S. Department of Veterans Affairs allegedly threatened or retaliated against employees who were trying to blow the whistle on agency wrongdoing.
When the federal Health Insurance Portability and Accountability Act passed in 1996, its laudable provisions included preventing patients' medical information from being shared without their consent and other important privacy assurances.
But as a litany of recent examples show, HIPAA, as the law is commonly known, is open to misinterpretation — and sometimes provides cover for health institutions that are protecting their own interests, not patients'.
"Sometimes it's really hard to tell whether people are just genuinely confused or misinformed, or whether they're intentionally obfuscating," said Deven McGraw, partner in the healthcare practice of Manatt, Phelps & Phillips and former director of the Health Privacy Project at the Center for Democracy & Technology.
For example, McGraw said, a frequent health privacy complaint to the U.S. Department of Health and Human Services Office of Civil Rights is that health providers have denied patients access to their medical records, citing HIPAA. In fact, this is one of the law's signature guarantees.
"Often they're told [by hospitals that] HIPAA doesn't allow you to have your records, when the exact opposite is true," McGraw said.
I've seen firsthand how HIPAA can be incorrectly invoked. In 2005, when I was a reporter at the Los Angeles Times, I was asked to help cover a train derailment in Glendale, Calif., by trying to talk to injured patients at local hospitals. Some hospitals refused to help arrange any interviews, citing federal patient privacy laws. Other hospitals were far more accommodating, offering to contact patients and ask if they were willing to talk to a reporter. Some did. It seemed to me that the hospitals that cited HIPAA simply didn't want to ask patients for permission.
The incident at the Missouri hospital, Mercy, began after Mandi Wilson took her son to an audiologist to get his hearing tested, according to the Springfield News-Leader. A security guard questioned her and asked to see her phone to confirm that she had deleted any photos. When she refused, the officer told her that she was "being trespassed for violation of HIPAA" and threatened to send her to jail if she came back, the paper reported.
A hospital spokesperson told the newspaper that it is reviewing how its photo and video policy is being enforced.
The Daytona Beach police chief filed a complaint to the Florida Agency of Health Care Administration saying that, based on HIPAA, "his detectives have been impeded from investigating a possible sexual battery of a 75-year-old resident at a local healthcare facility," the Daytona Beach News-Journal wrote.
Lawyers for the nursing home, Daytona Beach Health and Rehabilitation Center, told the paper that privacy laws prevented them from turning over information without a subpoena. An attorney hired by the home's parent company told the paper he found no evidence of any sexual assault.
The HIPAA issues involving the VA emerged as the department grappled with a scandal in which employees were accused of falsifying records to disguise how long veterans were waiting for appointments, drawing ire from veterans groups and lawmakers and prompting the ouster of senior leaders.
The Washington Post reported that the top lawyer for the American Federation of Government Employees cited several cases in which the VA invoked patient privacy restrictions to "stifle whistleblowers."
"We routinely hear from our members who wish to make disclosures about problems with the patient care system and other conduct within the VA," the union's lawyer wrote in a June letter to the VA's general counsel. "Most are reluctant to do so both because of a history of reprisals by VA management, and because of recent experience with laws designed to protect patients which are instead being used as a sword against employees by VA management."
The letter cited how two employees were unable to get a written HIPAA waiver in order to report information to the Office of Inspector General.
"VA routinely uses HIPAA as an excuse to punish into submission employees who dare to speak out," Rep. Jeff Miller, R-Fla., chairman of the House Committee on Veterans' Affairs, told the Post.
McGraw said that HIPAA has specific allowances for police officers investigating crimes and for whistleblowers sharing information with government authorities.
"You certainly can disclose patient information for health oversight activities, including government oversight over government benefit programs," she said. "You certainly can disclose when a police officer comes and is investigating a crime. ... There are provisions in HIPAA that allow them to make a disclosure about a victim of crime as long as the victim has agreed or they're incapacitated."
What has been your experience with patient privacy? Email ProPublica Charles Ornstein at firstname.lastname@example.org to let him know.
Copyright 2021 ProPublica. To see more, visit .