This story was co-published with NPR's "Shots" blog.
In the name of patient privacy, a security guard at a hospital in Springfield, Missouri, threatened a mother with jail for trying to take a photograph of her own son.
In the name of patient privacy , a Daytona Beach, Florida, nursing home said it couldn't cooperate with police investigating allegations of a possible rape against one of its residents.
In the name of patient privacy, the U.S. Department of Veterans Affairs allegedly threatened or retaliated against employees who were trying to blow the whistle on agency wrongdoing.
When the federal Health Insurance Portability and Accountability Act passed in 1996, its laudable provisions included preventing patients' medical information from being shared without their consent and other important privacy assurances.
But as the litany of recent examples show, HIPAA, as the law is commonly known, is open to misinterpretation – and sometimes provides cover for health institutions that are protecting their own interests, not patients'.
"Sometimes it's really hard to tell whether people are just genuinely confused or misinformed, or whether they're intentionally obfuscating," said Deven McGraw, partner in the healthcare practice of Manatt, Phelps & Phillips and former director of the Health Privacy Project at the Center for Democracy & Technology.
For example, McGraw said, a frequent health privacy complaint to the U.S. Department of Health and Human Services Office of Civil Rights is that health providers have denied patients access to their medical records, citing HIPAA. In fact, this is one of the law's signature guarantees.
"Often they're told [by hospitals that] HIPAA doesn't allow you to have your records, when the exact opposite is true," McGraw said.
I've seen firsthand how HIPAA can be incorrectly invoked. In 2005, when I was a reporter at the Los Angeles Times, I was asked to help cover a train derailment in Glendale, California, by trying to talk to injured patients at local hospitals. Some hospitals refused to help arrange any interviews, citing federal patient privacy laws. Other hospitals were far more accommodating, offering to contact patients and ask if they were willing to talk to a reporter. Some did. It seemed to me that the hospitals that cited HIPAA simply didn't want to ask patients for permission.
The incident at the Missouri hospital, Mercy, began after Mandi Wilson took her son to an audiologist to get his hearing tested, according to the Springfield News-Leader. The paper went on to say:
Wilson was taken to an office where she was questioned by a security guard. The video of the incident, which she later posted on YouTube,records him asking for her phone to verify that the pictures she took had been deleted. The video, which Wilson took secretly, doesn't show faces but includes audio.
The secretly recorded video shows that when Wilson refused to hand over her phone, the officer told her she would be barred from returning to Mercy property and could be taken to the Greene County Jail if she came back.
"You're being trespassed for violation of HIPAA," the officer said, referring to the federal regulation governing privacy rights for patients. "...I'm informing you now that you're being trespassed. If you come back on the property, you will be detained and taken to the Greene County Jail."
"Because I took a picture of my son?" Wilson asked.
A hospital spokesperson told the newspaper that it is reviewing how its photo and video policy is being enforced.
The Daytona Beach police chief filed a complaint to the Florida Agency of Health Care Administration saying that, based on HIPAA, "his detectives have been impeded from investigating a possible sexual battery of a 75-year-old resident at a local healthcare facility," the Daytona Beach News-Journal wrote.
Brian Lee, a director of Tallahassee-based Families for Better Care, said he has never known medical privacy laws to inhibit a criminal investigation in Florida.
"That's unheard of that they would bar police from the nursing home," said Lee, who advocates for nursing home residents and their families. "They should be working to get this investigated as quickly as possible, using any agency they can to get answers to what happened."
Lawyers for the nursing home, Daytona Beach Health and Rehabilitation Center, told the paper that privacy laws prevented them from turning over information without a subpoena. An attorney hired by the home's parent company told the paper he found no evidence of any sexual assault.
The HIPAA issues involving the VA emerged as the department grappled with a scandal in which employees were accused of falsifying records to disguise how long veterans were waiting for appointments, drawing ire from veterans groups and lawmakers and prompting the ouster of senior leaders.
The Washington Post reported that the top lawyer for the American Federation of Government Employees cited several cases in which the VA invoked patient privacy restrictions to "stifle whistleblowers."
"We routinely hear from our members who wish to make disclosures about problems with the patient care system and other conduct within the VA," the union's lawyer wrote in a June letter to the VA's general counsel. "Most are reluctant to do so both because of a history of reprisals by VA management, and because of recent experience with laws designed to protect patients which are instead being used as a sword against employees by VA management."
The letter cited how two employees were unable to get a written HIPAA waiver in order to report information to the Office of Inspector General.
"VA routinely uses HIPAA as an excuse to punish into submission employees who dare to speak out," Rep. Jeff Miller (R-Fla.), chairman of the House Committee on Veterans' Affairs, told the Post.
McGraw said that HIPAA has specific allowances for police officers investigating crimes and for whistleblowers sharing information with government authorities.
"You certainly can disclose patient information for health oversight activities, including government oversight over government benefit programs," she said. "You certainly can disclose when a police officer comes and is investigating a crime. …There are provisions in HIPAA that allow them to make a disclosure about a victim of crime as long as the victim has agreed or they're incapacitated."
What's been your experience with patient privacy? Email Charles Ornstein at [email protected] to let him know.