Are patient privacy laws being misused to protect medical centers?

ProPublica Staff

Washington, DC, United States (ProPublica) – by Charles Ornstein

This story was co-published with NPR’s “Shots” blog.

In the name of patient privacy, a security guard at a hospital in Springfield, Missouri, threatened a mother with jail for trying to take a photograph of her own son.

In the name of patient privacy, a Daytona Beach, Florida, nursing home said it couldn’t cooperate with police investigating allegations of a possible rape against one of its residents.

In the name of patient privacy, the U.S. Department of Veterans Affairs allegedly threatened or retaliated against employees who were trying to blow the whistle on agency wrongdoing.

When the federal Health Insurance Portability and Accountability Act passed in ’96, its laudable provisions included preventing patients’ medical information from being shared without their consent and other important privacy assurances.

But as the litany of recent examples shows, HIPAA, as the law is commonly known, is open to misinterpretation – and sometimes provides cover for health institutions that are protecting their own interests, not patients’.

“Sometimes it’s really hard to tell whether people are just genuinely confused or misinformed, or whether they’re intentionally obfuscating,” said Deven McGraw, partner in the healthcare practice of Manatt, Phelps & Phillips and former director of the Health Privacy Project at the Center for Democracy & Technology.

For example, McGraw said, a frequent health privacy complaint to the U.S. Department of Health and Human Services Office of Civil Rights is that health providers have denied patients access to their medical records, citing HIPAA. In fact, this is one of the law’s signature guarantees.

“Often they’re told HIPAA doesn’t allow you to have your records, when the exact opposite is true,” McGraw said.

I’ve seen firsthand how HIPAA can be incorrectly invoked. In 2005, when I was a reporter at the Los Angeles Times, I was asked to help cover a train derailment in Glendale, California, by trying to talk to injured patients at local hospitals. Some hospitals refused to help arrange any interviews, citing federal patient privacy laws. Other hospitals were far more accommodating, offering to contact patients and ask if they were willing to talk to a reporter. Some did. It seemed to me that the hospitals that cited HIPAA simply didn’t want to ask patients for permission.

The incident at the Missouri hospital, Mercy, began after Mandi Wilson took her son to an audiologist to get his hearing tested, according to the Springfield News-Leader. The paper went on to say:

Wilson was taken to an office where she was questioned by a security guard. The video of the incident, which she later posted on YouTube, records him asking for her phone to verify that the pictures she took had been deleted. The video, which Wilson took secretly, doesn’t show faces but includes audio.

…

The secretly recorded video shows that when Wilson refused to hand over her phone, the officer told her she would be barred from returning to Mercy property and could be taken to the Greene County Jail if she came back.

“You’re being trespassed for violation of HIPAA,” the officer said, referring to the federal regulation governing privacy rights for patients. “…I’m informing you now that you’re being trespassed. If you come back on the property, you will be detained and taken to the Greene County Jail.”

“Because I took a picture of my son?” Wilson asked.

– Provided by ProPublica.org

Article © AHN – All Rights Reserved