Wills, Trusts & Estates Prof Blog

Editor: Gerry W. Beyer
Texas Tech Univ. School of Law

Thursday, December 31, 2015

HIPAA Does Not Offer The Privacy Protection Many Assume

Anyone who has been to the doctor knows the ubiquitous HIPAA form that must be filled out and that is supposed to protect privacy. But the protections HIPAA offers turn out to be rather minimal, because a patient has no individual right to sue for a violation. The Department of Health and Human Services, the agency with the authority to conduct an enforcement action, formally acted on only 6 of 18,000 complaints in 2014, even though many of the violations were committed repeatedly by the same entity. Celebrities have long been the target of HIPAA violations in which hospital employees sell their information to tabloids, but ordinary people are also coming into the cross-hairs. For example, there have been many instances of sexually transmitted disease history being vindictively released on social media to shame and humiliate an individual. Critics of the current implementation of HIPAA are calling on HHS to step up its enforcement, since it can impose fines that are cycled directly back to the agency and can then be used for additional patient-protective measures. In addition, there are calls to allow patients to keep a portion of any fine levied for a violation against them, which would encourage greater oversight by those at risk, since they could be reimbursed for the harm of a records violation. In any event, this is a problem that will only grow as digital technology makes it easier for a wide variety of people to access records. Let us hope Congress and HHS will soon take notice and begin to take the privacy of patients seriously.

See Charles Ornstein, Your health records are supposed to be private. They aren’t, The Washington Post, December 30, 2015.

Special thanks to Lewis Saret for bringing this article to my attention.




It is worth noting that the standard HIPAA releases which now must be signed prior to service in a doctor's office aren't "privacy forms" either. They're to release the office from the very minimal protections HIPAA requires. We would all be better off refusing to sign them and demanding real privacy for our records.

Posted by: April King | Jan 1, 2016 11:25:53 AM
