Despite good intentions, the Health Insurance Portability and Accountability Act (HIPAA) is shrouded in myth and misapplication that does more harm than good for both patients and physicians, according to a viewpoint published in JAMA.

HIPAA is a complex piece of legislation, but according to the authors, it can be boiled down to one simple rule: Physicians and healthcare organizations cannot disclose personal health information without patient permission, unless that information is being used for treatment, payment, or healthcare operations.

Although HIPAA imposes penalties on physicians and organizations that wrongfully release personal health information, it lacks a counterbalance: There are no penalties for unreasonably delaying or wrongfully refusing the release of information to treating physicians for treatment reasons. Without this counterbalance, the instinct becomes to withhold information in order to avoid accidental HIPAA violations.

Many instances of excess paperwork and information withholding actually stem from “HIPAA myths,” defined as misapplications of the law based on misunderstandings of what it actually requires. The application of these myths leads to confusion and frustration at every step of health care.

In order to return to the root of what HIPAA should do, the authors propose 4 potential solutions:

  1. The Department of Health and Human Services (HHS) should commission and support studies to determine the magnitude, frequency, pattern, and consequences for patients of restrictive interpretations of the HIPAA privacy rule.
  2. The Office for Civil Rights at HHS should create policies and procedures to promote consistency with the “letter and spirit” of HIPAA.
  3. HHS should consider instituting penalties for failure to release all relevant clinical information to treating physicians in a timely fashion. HHS should also create a website to call out hospitals and other healthcare organizations that repeatedly deny information to physicians, families, or patients.
  4. Professional societies and patients’ rights organizations should create campaigns to correct false interpretations of HIPAA and to inform both patients and physicians about common barriers to information.

Although HIPAA’s goal to protect patient privacy is a noble one, current guidelines have veered away from the true intentions of the law. New implementations of HIPAA must focus on protecting patients’ right to care as well as their right to privacy.


Berwick DM, Gaines ME. How HIPAA harms care, and how to stop it. [published online June 20, 2018]. JAMA. doi:10.1001/jama.2018.8829.