My wonderful Dad, a WWII and Korean War veteran, and probably the closest thing to the real Indiana Jones, died a few years ago after a series of terrible strokes. He had undergone neurosurgery in Houston at the hospital where I was on staff and when he suffered a second, massive stroke in his hometown 90 miles away, the neurologist was anxious to see his previous brain MRI. However, the hometown hospital would not allow me to use their fax machine to transmit a signed HIPAA release form to Houston because it was a long distance fax number. Keep in mind that I shouldn’t have had to fax a release in the first place. I had been required to produce a notarized copy of his medical power of attorney to prove that I was his legal representative. The hospital in Houston would not release the files because they could not figure out how to send them electronically to the hospital in a way that satisfied their security concerns. I finally threw in the towel and called the chief of radiology whom I’d known for 15 years. He personally pulled the films and emailed me what I needed.
I was able to get my Dad’s MRI because I was personal friends with the chief of the department who had access to the files. I will acknowledge that, in the case of my Dad, getting copies of his MRI probably wasn’t going to change his outcome, but that’s not the point. Even though I was occupied with a personal tragedy at the time, I put on the mental parking lot of my “Wrongs to Right some day in the future” list, “Kick some ass about this HIPAA nonsense.” I could picture my poor Mom or other frantic family members like her, struggling through this bureaucratic quagmire, hopelessly trying to obtain the medical records of a loved one in a crisis. Recently, one of my patients with limb-threatening arterial disease was simply unable to get a copy of his Angiogram for review by another vascular expert. Suffering from terrible ischemic leg pain, he had been sent on a scavenger hunt from one place to another (“we don’t have a medical records department on site anymore, you need to go to corporate for that”) until we all agreed that he was better off having his Angiogram repeated, an invasive and expensive study. It seems that many hospitals actually have no idea where patients are supposed to go to obtain images. This problem is unforgivable. It’s also unlawful.
There’s a fantastic Viewpoint by Dr. Donald Berwick in a July issue of JAMA, summarizing the frustrating state of affairs with HIPAA. As any healthcare provider knows, the penalties for wrongful disclosure of Protected Health Information (PHI) are significant. The 2013 HIPAA update to handle electronic data was nothing short of terrifying in its scope and implications. Unfortunately there are no penalties for wrongfully refusing to release information. Here’s the point that often gets missed: Patient permission is NOT EVEN REQUIRED when that information is being used for treatment, payment or health care operations. So, those forms we make patients sign that allow us to SEND records to another treating physician are not, in fact, required, nor should it be necessary for us to receive a signed release from a patient if a treating physician needs records FROM us. Nevertheless, we all do this and probably can’t “unlearn” it, among other HIPAA misconceptions.
Now think about health data and social networking sites. Facebook allowed users to share their friend’s data acquired via a harvesting app with Cambridge Analytica which identified voter’s political preferences. Facebook, Google and Twitter are not “covered entities” under HIPAA. Furthermore, HIPAA doesn’t protect de-identified data, regardless of whether the entity is considered a HIPAA-covered entity. Muddying the water further is the increasing ease with which companies are able to “deanonymize” data. It seems logical that data protection laws will eventually have to extend beyond healthcare settings. However, right now, I’d say our biggest problem is that we have a huge misunderstanding of HIPAA in the healthcare setting, and it’s creating a barrier to patient care. The fact is, Healthcare practitioners are so terrified of the current HIPAA regulations and the staggering associated monetary penalties, they are afraid to comply with the lawful release of medical records.
It does occur to me that Congressional representatives and officials at the State Department, FBI and CIA might be less inclined to release highly classified documents to the press if HIPAA laws applied to that information. We still wouldn’t be able to access to medical records when we needed to, but it might make the country more secure.

Additional Reading: