HIPAA Is Overrated

Clinicians do not understand HIPAA. We all know that it exists, and we have typically undergone a fair amount of training about it because employment orientation and inservices include it. Nursing schools typically have students sign a document indicating that they’ve received HIPAA training before they are allowed to attend clinicals. The general public even extrapolate their own tangential knowledge of HIPAA to something akin to “no one can ever discuss anyone’s health care anywhere.” I argue that HIPAA, misused, is missing its mark. Conversely, when HIPAA truly is violated, I have found it extremely challenging to cause facilities or even the OCR (the US Department of Health & Human Services Office for Civil Rights—the HIPAA people) to do anything about it.

We, collectively (clinicians and the public), are missing the mark.

HIPAA protects patient privacy by limiting the identifying information that “covered entities” may divulge. “Covered entities” does not mean “everyone.” As in this New York Times piece, I have repeatedly seen non–health care professionals remonstrate with other non–health care professionals when they are talking about patients (who happen to be family members or friends). The patient in question may not appreciate being discussed in the hospital cafeteria, but it’s not illegal.

A scarier and more common misunderstanding occurs online, in social media, and this is tantamount to tragedy. With social media, practitioners have an unprecedented bank of knowledge and means of communication, yet many are afraid to use the means at their disposal because they fear retribution from their employers. The fear is real and legitimate. Nurse bloggers in particular tend to drop off the blogging radar because they underwent censure by their employers. Some have even been fired or expelled from nursing school.

HIPAA does not purport to prevent all discussion about healthcare consumers, yet somehow this is the understanding that has been distilled from the law. This is to our detriment as professionals. Professional development and growth stall when we are stifled in our attempts to learn from one another, and we are stifled indeed when we believe that we cannot share stories and information about the people and situations we encounter.

An even bleaker and more dangerous misinterpretation of this law results in blocked communication from friends and family to medical professionals about patients. The NYT piece references this, and I have seen it repeatedly in my practice. Providers do extrapolate HIPAA into something like “I cannot discuss patients at all with anyone” and twist it into refusing to get information from anyone else. As the referenced article points out, this takes the point of HIPAA and twists it into a ridiculous end. If someone calls an ER to provide relevant information about a patient, nothing in the law prevents the provider from listening to it.

Regarding friends and family, HIPAA fails to address fictive kin (people who are for all intents and purposes family, but are not biologically or legally officially connected). Providers are wildly inconsistent about how they approach this. Some readily accept that a domestic partner of 50 years counts as family, but others are strict and block such people from information about and participation in their loved one’s care. Either way, though, again, HIPAA should never be summoned to justify not getting information from others.

Finally, HIPAA limits the information we can share, but it does not block it completely. It does not say that we as healthcare professionals cannot discuss patients or patient information. Yes, I said that. It does not even say that we cannot say or write things that allow the patient to identify him- or herself. It says that we cannot provide information that would allow others to identify the patient—this type of information would be a combination of age, sex, physical characteristics, and most of all numbers. Things such as hospital room numbers combined with dates of care, birth dates, and ages are verboten.

This is where the unwarranted fear comes from. We can, and I think we should, blog and tweet about our experiences. That is how we learn, and it helps us develop professionally and psychologically. Identification with others is powerful. Nurses who get into trouble about “HIPAA” typically do so because their managers or coworkers happen to know the patient prompting a blog or other post, but that shouldn’t count.

In summary, HIPAA is not what it is made out to be. Nurses must use caution and professional judgement, but we need not gag ourselves into complete silence. If we discuss a patient or situation in such a way that no one without their own inside knowledge could know with certainty who it is, it is not a HIPAA violation!


About Megen Duffy

Megen Duffy, RN, BA, BSN, CEN, is a practicing nurse, blogger, and contributing editor for the American Journal of Nursing. Megen has practiced in a variety of settings from emergency rooms to prisons.