By Rob Stein,
Washington Post, August 18, 2003
HIPAA = Health Insurance Portability and Accountability Act
The transplant patient was recovering well when doctors discovered that
his new heart might have been infected with bacteria before the operation.
When the doctors sought more information so they could give the man the
right antibiotics, the hospital where the donor had died refused, citing
new federal patient privacy rules.
"It was ridiculous. The only live part of the donor was in our patient,"
said Deeb Salem, chief medical officer at the Tufts-New England Medical
Center in Boston.
As it turned out, Salem's patient was in no danger from the infection. But
because the donor's hospital refused to release any information, doctors
were forced, as a precaution, to put the man on multiple antibiotics,
potentially exposing him to dangerous side effects.
"It cost our patient the risk of being on multiple antibiotics for 12 to
15 hours, not to mention a lot of money," Salem said.
The case is an example of widespread confusion about the privacy rules,
which went into effect this spring and provide the first federal
protection of medical records. The rules, in fact, explicitly permit
doctors and hospitals to release information without a patient's
authorization for treatment reasons -- which would have covered the Boston
But frequent misunderstandings about what the rules allow have been
causing frustration, uncertainty and anxiety in doctors' offices, clinics,
hospitals and even pharmacies across the country.
Patients are complaining about suddenly having to fill out long,
complicated forms. Family members say they often can't find out how a
loved one is faring when they call the hospital. Doctors can't get test
results for patients. And, at least in some cases, these snags are
hindering doctors' ability to care for patients.
"There is not a practicing physician that I run into that doesn't say
they've had a problem that might have adversely affected a patient," said
Salem, also a professor of medicine at Tufts University School of
Confusion over the rules has triggered a fresh round of acrimony over the
issue of medical privacy, long a focus of controversy. Supporters argue
that doctors are exaggerating the problems, and that some hospitals are
intentionally overreacting. Critics contend the regulations are vague,
open to various interpretations and overly restrictive.
"It's more than just health care providers being unable to get the
information they need to care for patients -- it's patients not being able
to get information, family members not being able to get information. It's
across the board," said Todd Taylor, an emergency room physician in
Proponents of the rules acknowledge that misinterpretations are rampant.
But they say problems are diminishing steadily as hospitals and health
care professionals become familiar with the new requirements.
"We saw quite a few reports right after the rule went into effect, but the
number of reports and the number of calls we're getting have really
decreased," said Richard M. Campanelli, who heads the Office of Civil
Rights at the Department of Health and Human Services, which is in charge
of implementing the new rules.
The regulations are the result of the 1996 federal Health Insurance
Portability and Accountability Act (HIPAA). They are designed to give
patients more power to limit access to confidential information, including
keeping personal health data out of the hands of marketers.
The overwhelming majority of problems appear to be the result of
misunderstanding the law's requirements or erring on the side of
withholding information to avoid inadvertently violating the new
The rules, for example, unequivocally allow doctors, hospitals and other
health care entities to provide information about patients to other
treating physicians without authorization from the patient, precisely to
avoid endangering care.
"It's one of the big misunderstandings," said Janlori Goldman of the
Health Privacy Project at Georgetown University, which has been monitoring
HIPAA's implementation. "Many doctors and hospitals either misunderstand
the rule or take an extreme reading of it. The privacy law requires no
In some cases, Goldman suspects that hospitals are using the new law as an
excuse for their own, more restrictive policies.
"We are aware of circumstances where hospitals have more restrictive
policies than the rule, and they're saying the new law requires this,"
Before the rules went into effect, the Bush administration made changes
aimed at avoiding interfering with care.
"We wanted to make sure that the correct balance was hit -- that the rule
would protect privacy of information but not interfere with access to
health care," Campanelli said. "We wanted to make sure that privacy was
protected, but when you're talking about treatment, we certainly wanted to
make sure the information flowed from doctor to doctor."
But critics such as Taylor say fears about how the rules might be
interpreted by courts lead many health care workers to err on the side of
"With any new regulation, you don't know what's going to happen with it
until it goes through the courts. The government says one thing but then
it gets interpreted differently by the courts," said Taylor, an emergency
room physician at Banner Good Samaritan Medical Center in Phoenix.
Taylor said he has encountered several instances in which a patient died
and relatives called from out of state to find out what happened, and
staff members were uncertain whether they could tell them.
"Here I am, an emergency room physician, and I can't answer that question.
I don't know if the question has been addressed, or if it has been
addressed, whether it's been litigated yet," Taylor said.
Another problem occurs when doctors are trying to get information about
uncooperative patients, Taylor said.
"Prior to HIPAA, we used to be able to call up a national drugstore chain
and ask what a patient's medications have been. We can't do that now
because of HIPAA. It may be a patient trying to obtain narcotics. You want
to verify whether they're telling the truth," he said.
Hospitals in Arizona were creating a statewide computerized system for
exchanging patient information, as part of an effort to reduce medical
mistakes. That has been put on hold, he said. "Now we have to make sure
its HIPAA-compliant," he said.
Campanelli said one of the most common misconceptions is that doctors
can't talk about patients to family members or close friends.
"We're seeing a lot of patients who are saying their doctors say they
can't talk to anyone but the patient -- not to friends or family members.
That's a misconception. The privacy rules let the doctor talk to friends
and family members," Campanelli said.
But Judith E. Tintinalli, chairwoman of emergency medicine at the
University of North Carolina at Chapel Hill, said it remains far from
clear where to draw the line.
"What people are getting skittish about is, 'What are the limits? What are
the boundaries of information exchange?' " she said. "Everybody is very
skittish about exchanging patient information. There used to be a lot of
off-the-cuff exchanging of information. All that has come to a screeching
Trepidation about releasing information is causing problems in many areas
of medicine. At the Greater Baltimore Medical Center, cancer chemotherapy
patients have had trouble getting treatments because laboratories refused
to release their test results to the cancer center.
"We've had a lot of treatment delays because of it," said Dawn Stefanik,
clinical manager of the infusion therapy department. "For the patients,
it's very frustrating."
But many medical workers and officials say the problems appear to be
"Initially, the staff people were probably scared to death about screwing
up and getting in trouble, and so were being overcautious. People are
getting the hang of it," said Margo Williams of the American College of
Charles B. Inlander, president of the People's Medical Society, a consumer
group, said the problems have been exaggerated by doctors, who don't like
the extra work the new law has created. "It's a good law," Inlander said.
"I suspect what you're hearing is very isolated and very rare. It's often
the case with these things that doctors have to do more work and try to
blow problems into much more than they are."
But Salem and other critics say the rules often do more harm than good.
"One of the most common causes of medical errors is poor communication,"
Salem said. "HIPAA by nature adds one more barrier to communication. There
is a benefit. But there's also a cost."
Salem had another case involving a man who suffered chest pain after an
exercise stress test. When the cardiologist asked for a fax of the test
results, the request was refused, citing HIPAA. It took two hours before
the results were faxed, Salem said, adding to the patient's stress at a
"His face got very red. I think it did contribute to him getting into a
mild degree of trouble. He couldn't believe it," Salem said. "That
scenario is being repeated many times."