The consequences of zero tolerance: Why HIPAA is overkill

Everyone is familiar with the acronym HIPAA, which is the 1996 edict called the Health Insurance Portability and Accountability Act.  Isn’t that a smooth and melodious name?

These are rules and regulations designed to protect your confidential medical information.  I support the mission.  I don’t think that your medical records should be deliberately or inadvertently shared with those who are not lawfully permitted to view them.

  • Medical charts (remember when there were medical charts?) should not be left open on the counter.
  • A physician should not yell to front desk personnel within earshot of others to give the patient a psychiatric referral.
  • Elevators are not proper venues to have medical discussions about specific patients.
  • Medical information should not be disclosed to inquiring friends and family without permission.

I maintain that HIPAA has been Operation Overkill for many physicians and staff.  Keep in mind that doctors, at least in my generation, have been imbued with a culture of confidentiality.  For me, HIPAA has not changed my personal practices, as I’ve always kept protected information private.  There are entire industries now whose function is to ensure that billing software, electronic medical records (EMR) and various medical vendors are HIPAA compliant.  Of course, I recognize that the EMR era has unique privacy concerns that must be addressed.  Yes, privacy and protection are necessary, but HIPAA often extends further than it should and is often the grist for office eye-rolling banter.

But, as is often the case with bureaucratic mandates, common sense is left at the curb.  Clearly, there are circumstances where absolute compliance should be relaxed even if this is a technical violation.  Do we really want 100% HIPAA compliance?  Do we ever want 100% compliance in any sphere?  If we insist on a policy of zero tolerance of weapons in our schools, for example, do we support suspending a second grader who fashioned a gun out of a Pop-Tart?   Zero tolerance invariably leads to absurd situations.

A woman fell and was sent by her doctor to the emergency room so that ankle x-rays could be done.  Fortunately, there was no fracture.   Afterwards, the doctor’s staff called the hospital to have the relevant records faxed, but the request was denied.  The heavy hand of HIPAA was firmly raised.  They would need a signed release by the patient to authorize transfer of records to the very doctor who sent the patient to the emergency room in the first place.  The reason given was to be faithful to HIPAA.   The woman does not have a fax machine and had to hobble from her condo to the front desk for the signing and faxing ceremony.  Luckily, this forced ambulation did not further damage her ailing ankle.

Readers might be wondering how I am knowledgeable about an individual’s private medical information.  The patient is my mother.   I share the vignette even though I did not obtain her signed release authorizing me to disclose her protected medical information to my millions of readers.

I now live in fear that a middle-of-the-night knock on the door will be the HIPAA police.  If this blog and its author disappear, then you will know what happened.

Michael Kirsch is a gastroenterologist who blogs at MD Whistleblower



  • Shane Irving

    I totally agree…. The HIPAA police are quickly sliding past common sense and reasonableness and into a world that George Orwell would be proud to call home.

    Okay, perhaps a slight exaggeration but if they continue the direction they are heading they are going to hurt and even risk patient care because the systems of control will continue to get tighter and tighter and push the CYA line higher and higher.

    Next thing you’ll be dealing with someone with multiple personalities and have to get signatures from each personality before you can talk to each one about the others. (Oh wait… there has to be some good ICD10s for that too.)

    Happy new year….

  • John C. Key MD

    The HIPAA police may be bad but in my experience the worst offenders are personnel who THINK they understand HIPAA but don’t.

    • Deceased MD

      So very true. It is clearly misused all the time.

    • kjindal

      Yes I agree 100%. I see that it’s often used by nurses & secretaries as an excuse not to do their JOB. When I call to get X-ray/ct/consult reports from another facility (even major medical centers like Columbia-Presbyterian) I would say at least 60% of the time I get an excuse relating to HIPAA. Another 30% of the time I get a “yeah I’ll send it right over” then it never arrives.

      Then, even worse, our facility’s own IT head cited HIPAA (“I don’t want to be on fox news for a HIPAA violation”), when asked to have our EMR vendor add functionality to fax prescriptions to a pharmacy upon patient discharge.

  • buzzkillerjsmith

    HIPAA is just another example of a punitive, over-lawyered and over-prosecuted country. Three strikes you’re out anyone? Even if the third strike is shoplifting.

  • Tiredoc

    The problem with most people’s understanding about HIPAA is the persistent belief that it has anything to do with normal patient privacy.

    The purpose of HIPAA is to protect plaintiffs’ attorneys’ incomes. There are tens of thousands of people who sue multiple times yearly.

    Speaking from my own experience with this sort of “patient,” there is always real pathology present. It’s just they’ve sued three people for the same problem.

    HIPAA allows this sort of patient to see three different doctors, get the same diagnosis from these doctors, and sue three people simultaneously. HIPAA specifically prohibits these three doctors from talking to each other.

    If you proceed with thinking how to protect a fraudulent lawsuit, all of the rules are logical and make perfect sense.

    HIPAA = Health Industry Pays All Attorneys.

    • Kristy Sokoloski

      Even before HIPAA came along my team of doctors never actually “talked” to each other because they just did not have the time. My PCP that I have now wants every note from every visit to each of my other doctors. And I had to give permission for that to happen.

      • NPPCP

        You might have given permission, but you didn’t have to for each individual provider. HIPAA allows for continuity of care in this way. I do it every day as an expert PCP.

        • Kristy Sokoloski

          Yep, I would have had to give permission to each one for them to talk to each other. The last time I gave permission for one of my doctors to talk to another one of my other doctors was 2007.

          And when my doctor that I have as my PCP now wanted those notes from every one of my doctors I had to sign a release of information saying that they were to send all progress notes, labs, op reports, imaging study results.

    • SarahJ89

      I used to work in human service/rehab/education agencies. We had clients who had legitimate legal gripes. They were never the ones who sued, though. Because I had to accompany the ones who did sue us to various consults, I got to spend a lot of Quality Time in waiting rooms with the clients/students and their families. What I learned from these more informal discussions was that these families had lawsuits going with everyone: they had fights going with the state troopers, a suit against the utility company. One family actually brought action in DC against our state Legal Aid, so they ended up with what was essentially a free lawyer on retainer!

      It was actually kind of comforting to learn this as it meant the suit against my school/hospital/agency was literally nothing personal. In fact, they actually didn’t want to resolve the issue at all. It’s the fight that was important, for complicated inner reasons of their own.

      The real problem I have with tort reform is that these people will continue to spew their anger everywhere. That won’t stop. But the silent folks with legitimate legal cause will have no redress. I don’t know the answer to that problem.

      • Tiredoc

        If you sue more than one person for personal injury, your medical records used in prior lawsuits should be discoverable regardless of the outcome of the prior lawsuit. That’s why we have judges to rule if the information is relevant or not. Somehow we do all right on the criminal side with this issue, but when it comes to protecting attorneys’ income it’s impossible.

        • SarahJ89

          The people I worked with were equal-opportunity snarks. They didn’t confine themselves to one occupation and also didn’t always sue–just threatened to do so and drag everyone through endless nasty appeals. One favourite game is to break appointments repeatedly, then make a complaint that the agency/school “hasn’t met with us.”

          The only antidote is document, document, document. A nice, cold margarita upon arrival home once in a while helps.

          And they wonder why there’s so much paperwork…

  • whoknows

    It is a fallacy that you can sue over HIPAA violations. There is no such thing as HIPAA jail.
    I have had my HIPAA rights clearly violated more than once. I had clearly stated in the chart, with a signed document I created, not to share my information with any third party (not referring to other doctors), and the institution went ahead against my wishes anyway. I spoke with endless incompetent HIPAA officers to address it.
    It is really a myth that you can sue for HIPAA violations. All you can really hope for is that they reverse the violation, which is pretty hard to do if not impossible. No lawyer will take your case as there are no economic damages. The government, which enforces HIPAA, really has no ability to enforce it. They will send you to Health and Human Services, which is also pretty bureaucratic and extremely incompetent.

    • Tiredoc

      True. Patients have to show economic damages in order to sue. That is quite rare. The incompetent bureaucrats, however, have tremendous power should they choose to use it. The new set of fines is MUCH higher than previous, and do not require economic damages to kick in.

      • whoknows

        Thank you so much Tiredoc. Please share any details you know. I have had this happen repeatedly and expect it will happen again. My clear signature in the chart stating not to share and they do it anyway.

        First of all, whether there are fines or not, WHO is going to enforce them? I can have clear proof of the violation but what I have been told is that enforcing laws can take YEARS for the government to actually have the protocol to regulate and enforce. And HIPAA is not high on the priority list now with the ACA taking front and center stage. But what are these fines? And who gets the money for the violation? I assume it’s the government. Not the pt who has been violated.

        • Tiredoc

          The government gets the money. Presumably your best bet is through your congressional representative. You do give up a lot of your privacy when your health insurance pays the bill. They get to know everything about you. Now they send nurses to your house to see if you’re taking your medicine right.

          • whoknows

            Actually I was private pay and they violated HIPAA. And the congressional representative sends you straight to HHS. It is a very incompetent system. And as you were joking HIPAA was never really meant for patient’s privacy anyhow.
            I am having a minor procedure where they are supposed to notify you the day before not to eat or drink in the AM. They never called for that. They called to get my “data” even though I have been there before. I think it’s called data mining.

          • Tiredoc

            I can’t imagine HHS being able to do anything other than Obamacare whack-a-mole for the next year or two.

  • Tiredoc

    If the E.R. did not document the referring physician as opposed to the emergency physician as the ordering physician, and the patient failed to list the referring physician as an authorized recipient of information, the E.R.’s response was correct.

    The potential financial penalty for the hospital is quite severe, up to 1.4 million dollars. I don’t release information from my office to anyone without the written consent of the patient.

    Prior to this year’s rule change, things were different. The mask is now off.

    • David Lawrance

      Was the ED doc expecting your mother to return to see them if self-rehab wasn’t working? Is it not a Joint Commission element of performance that information is forwarded so that care continuity can happen? Someone forgot to record the referring physician. Or worse, it just isn’t that ED’s practice to ask.
      No, I don’t think that an ED should honor a request to release information from anyone who calls and claims to be a patient’s doctor. I don’t think that a call was necessary. That information should have been pushed out, not pulled out.

      • Tiredoc

        Yes, but at hospitals the information is sent out by medical records, not the intake desk. If the intake desk didn’t record the correct information, you can’t expect medical records to rely on trust. I’m actually with HIPAA on this case.

        This is stuff pretty much every bank in America would breeze through. There are companies that specialize in just this information gathering and identity verification, for cheaper than hospitals are doing it in-house, badly.

  • EmilyAnon

    In more than one of my doctor’s offices, the patients in the waiting room get an earful of personal patient information coming from the other side of the reception counter, even through a closed partition window. I have heard staff phoning pharmacists ordering such and such medicine for Patient X. I have heard patients’ phone calls being put through to their doctor with “So and so is on the phone, she’s ready to set up a …….test.” In that particular case the patient was a well known local TV news reporter. All heads in the waiting room immediately popped up after hearing some very sensitive information. Even though inadvertent, it was still careless; how easy it is to breach patient privacy.

    • NPPCP

      Not a lot you can do about it. Just the way it is.

      • EmilyAnon

        It seems an easy fix to me, but if providers feel no obligation to rein in staff who show lapses in judgment, then HIPAA is nothing but a hollow show of concern for patient privacy.

  • Thomas D Guastavino

    HIPAA was another in a long series of “Lemming Laws” that physicians followed without question. As my grandfather used to say: “Once you give in to Bull****, Bull**** only gets worse.”

  • Suzi Q 38

    That is ridiculous.

    • Kristy Sokoloski

      Suzi Q,
      I agree with you that this was ridiculous. This is an example of where HIPAA can be waived.

  • Shirie Leng, MD

    Good story. You didn’t mention all the trees we’ve killed mailing everybody privacy policies.

    • NPPCP

      Post them on your practice website. That’s what I do. And I refer my customers/patients to my website as their PCP. Works great – smooth operation.

  • Faxon

    Prior to HIPAA, I was in the crowded waiting room of the doctor’s office where I had been sent after my exam. (To make the exam room available for someone else, of course.) The doctor came into the waiting room and right there, told me the results of my exam and her recommendations for treatment. I was so stunned, I barely registered what she said, and of course found a new doctor. Could also share stories about thoughtless physicians’ staff, but the fact that I was treated that way by a doc says it all.

    Now office staff use HIPAA as a way to not provide service. Often staff, who I will bet have never read a word of HIPAA and have no idea what the requirements are, love to tell me they can’t help me with anything because of HIPAA requirements, or that because of HIPAA I must do this or that for them before they will help me.

    Thank goodness for my caring internist.

  • Eric Thompson

    The root cause is that no one wants to take a chance on being in violation. Therefore a blanket refusal is easier than trying to figure out if each situation is HIPAA compliant or not. Lots of information will not be shared, with anyone.

  • Tiredoc

    The hospital was incorrect. In the case of an emergency with an unconscious patient, what you did was not a HIPAA breach. Your actions are specifically protected both under prior and current HIPAA.

    • Kristy Sokoloski

      I am sorry that you had to deal with that. The scenario you gave is one of the times where HIPAA is waived. I am sorry that you can’t pursue this legally although I can understand why based on what some of the others have said.

  • Tiredoc

    It’s a lot like OSHA. I operated for years thinking all of the OSHA paranoia was silly, that no one was going to come after a private doctor’s office. I did the books, and the classes, and paid the consultant, but wasn’t sure that my administrator didn’t need a higher dose of Zoloft.

    A couple of years ago, OSHA did a sweep through my city. They cited a clinic for failure to have eye protection available for the electromyographic technician and fined the facility $5k.

    I’m still not sure the circumstance in which eye protection would be necessary to shock people with a mild electrical current, but I now have eye protection hanging on the wall for the OSHA people, and I don’t even roll my eyes when my OSHA consultant comes by to check my books.

    The HIPAA rules are silly, but the fines are atrocious. We just need to train the patients on how to fill out their paperwork.

    For those of you used to the old HIPAA, there is one major change. The PCP does NOT automatically get included in the release of information. That only applies to a PCP designated by the insurance company. If the patient pays for the treatment themselves, every single release of information MUST be cleared in writing by the patient.

    In addition, under the new rule providers are obligated to inform HHS of any HIPAA breach. The onerous fines kick in for failure to notify the HHS. Included in notifying HHS for each breach is a mandated paperwork fusillade that is as much of a threat as the fine.

    Pay the consultant. Threaten your staff. Buff up your inner OCD. Some hills just aren’t worth dying on. Besides, my staff thinks it’s kind of fun telling husbands and wives their partners forgot to include them on the HIPAA form.

    • Deceased MD

      Where did you get such cheery news from, Tiredoc?
      So what do you make of all this lunacy? Well, right off the bat it sounds like insurance companies once again triumph, since they wrote the law no doubt when it comes to the PCP issue.
      I get the feeling that as far as the onerous fines, it is the gov’t way of taxation in a punitive bureaucratic way.
      Keep the eyewear, Tiredoc. The bureaucrats can be blinding.

  • Deceased MD

    Agree. It is only intimidating if you work in a hospital where there are all sorts of admins watching and overly harsh fears of violating HIPAA. Hospitals employ HIPAA compliance officers, etc.
    If HIPAA is violated, there really is not much that can be done about it. No lawsuits on it, I doubt, since lawsuits are based on economic damages.
    I roll my eyes, but I am not at all surprised about your experience. Because more often than not, they force one’s hand, like in your case. All done “legally,” of course.

    • dontdoitagain

      Hmmm. Now I wonder what happens behind the scenes when I STRIKE the clauses I disagree with. I will not sign a document which categorically states that I have been given or offered the privacy policy. Guess how many times the privacy policy is available for me to peruse? Zero. They have to send it to me…in the snail mail. So, strike that one.

      I have actually been told by receptionists that NOBODY ever reads those documents, nor strikes anything out. Except that *I* just did so. I am somebody, whether they like it or not.

      They ask how they are going to prevent my information from being broadcast? Well, maybe they should flag my file? I don’t know how they would do that. All I know is that I assume (bad me) I have the right to decline to allow my information to be shared with all and sundry. I haven’t been turned down for medical or dental care…yet.

      Do office personnel get in trouble for people like me insisting on our rights, striking clauses, not answering absurd questions etc? Maybe they don’t say anything and hope nothing comes of it? Am I really the only person who reads the documents and insists that the law be followed?

      Maybe the hospital administrators should look at their own intake documents before harassing the docs for specious HIPAA charges. Everybody on the planet (except for me) gives anybody at all complete access to their personal medical records. It says you do in the intake paperwork.

      • Deceased MD

        I don’t think anyone gets in trouble at the front desk, or I seriously doubt it. If you have concerns you can try the HIPAA officer or office manager at a private office. They are more competent in general than the front desk.
        As far as really keeping info “private” I am not sure that it is possible if your MD uses an EHR. Perhaps another doc here can comment, but my understanding is that through HIPAA, a pt’s private info minus deidentifying data can be sold or used for all kinds of medical industry purposes.

  • whoknows

    They sell it minus deidentifying you. Right? What kind of junk mail and phone calls do you get if I may ask? I am aware they sell your info but where in the fine print they write it, I am not sure? And furthermore, if you cross out that you disagree, I am not sure they even comply. I was violated when I specified in a chart to not share any info of mine with third party and then did anyway! I personally do not see there is any protection.

    • ethanspapa

      I agree. Another way of Big Brother keeping an eye on you and me.

      • whoknows

        so true!

  • Robert Johannes

    I want to say hello to all of you in the medical profession and just a quick message: Welcome to my world.

    We serve the medical community and financial industry in creating secure and yes, HIPAA/HITECH compliant communication/distribution channels. It is challenging, but it can be done.

    OMNIBUS made all of our worlds much more frightening, complex and, if you aren’t careful, quite expensive. With politically charged Attorneys General now unleashed on the system, we all feel that the brunt of 100% compliance is upon us and we have to try and interpret the new law and defend ourselves.

    But until the first test case and an annual review of the new rules is done, I think we are all guilty of over reacting. This is not the first time legislation has been passed down, only to be struck down as unreasonable under judicial review. And once this occurs, the voice of reason starts to be applied.

    We are compiling a white paper for practitioners so that you can take reasonable and cost effective steps to prove good faith and avoid the larger teeth that were placed in HIPAA when HITECH was embedded, without real thought into a very fragmented industry with many times no or limited IT staff. Being a Covered Entity sounds very menacing, (and being a Business Associate isn’t a walk in the park anymore either.) but there are good practices already established in the most onerous areas to help you.

    If you would like to have this white paper free of charge when it becomes available, please feel free to contact me at We anticipate the paper being available in Mid-March. There are still some areas of the new law that to this day aren’t quite clear, and we are waiting for some interpretation before sending out a document.

    There will be some bumps in the road and some ugly case situations, but working together we can both understand what is being represented in the new law and set a realistic game plan to stay as close to total compliance as possible. And keep it affordable.

    For the record, I don’t believe in 100% compliance. Especially HIPAA in its old format or its untested current format. But I do believe you can be highly compliant and minimize the damaging effects that even a full DHHS audit would find by understanding the new law and addressing those key areas.

    There are those who have criticized the new ruling as an overstep of DHHS authority. That remains to be seen, and it could be years before that is tested. My goal is to give you actionable steps to take now, either alone, with help, or delegating to a third party as permitted. And that those steps are not only good HIPAA compliance steps, but good business practices as well.
