The Real Reason Behind HIPAA Privacy

When it comes to understanding why we need HIPAA compliance, government regulators are camped on one side of a very wide river, and physicians are on the opposite shore.


Doctors and providers don't like HIPAA and don't understand why we need a giant federal bureaucracy dishing out fines and punishment over a simple thing like patient privacy. 


In my opinion, that's the government's fault.  The government's main website on the subject is titled, "Health Information Privacy," and addresses safety and privacy. Reading this, the government seems to be solely concerned with physician-patient confidentiality obligations, the kind expressed in AMA Ethics Opinion 5.05.


Patient confidentiality is not why HIPAA exists. Confidentiality is common sense.  It is a duty owed by the physician to the patient. It is particularly insulting for doctors to find themselves saddled with a federal bureaucracy just to enforce common sense.  Lack of confidentiality owed to the patient, however, isn't the problem... and never was.


The real issue, and the reason HIPAA exists, is simply this: criminals may take advantage of healthcare providers' failure to protect financial data, and the consequences of that kind of carelessness normally fall on someone other than the patient.  Absent HIPAA, there really isn't any national law creating a duty to act prudently for the protection of the financial system as a whole.


The government is trying to prevent criminals from perpetrating massive, highly-organized, financial thievery. Although the government really needs help, it doesn't explain this to providers, nor does it ask politely.


Protected health information (PHI) is valued by criminals. PHI theft is harder to detect.  It takes longer to cancel stolen health identity than it does stolen credit cards.  


The patient doesn't think twice about trusting doctors with insurance information, personal identification, social security number, address, and credit card information. The patient trusts that the doctor knows how to protect their data.


And, many don't.  That's why HIPAA exists.  The physician's office combines financial information with patient health information and diagnosis codes, and many of you store this data, unprotected, in computers, laptops, smartphones and iPads.  You send it over the Internet, unencrypted.  That is the problem HIPAA is trying to correct.   


Consider the following example: three months after a patient visits his doctor, he applies for a job, and is turned down.  He has $250,000.00 in debt, and has no idea why.  He can only recall giving personal information to one person: his doctor.  His doctor, when questioned, explains that the office building experienced a break-in, and some computers were stolen.


The doctor's office did not protect the computers, laptops, iPads, and portable devices, and that is how the information was obtained.  The practice could cost the financial system hundreds of thousands of dollars in unrecoverable losses. This is an interest worth protecting.


AMA Ethics Opinion 5.07, Confidentiality: Computers, addresses this concern in a very detailed manner.  But again, ethics violations are enforced by a patchwork of state licensing boards.


That's why the federal government is so serious about HIPAA compliance.  I can't explain why the government is so reluctant to explain this on its website.  Perhaps talking about the real problem would actually attract more criminals.


Understand, providers can be investigated by the federal government for disclosing simple patient confidences.  When that happens, providers will be asked by the Office for Civil Rights (OCR) to produce all documents showing full HIPAA compliance.  HIPAA and HITECH were implemented in stages, and the OCR will ask for proof that each deadline has been met along the way.


The Texas version of HIPAA is even more stringent.  It deems anyone coming into possession of PHI to be a covered entity, not just healthcare professionals. This includes accountants, lawyers and computer IT companies.


The takeaway is this: the government isn't trying to insult providers, doctors and other professionals over patient safety or individual privacy, or simply make work for them. The government needs help in preventing theft.  If you are a provider, the way to protect yourself is to get HIPAA compliant.


The health lawyers at Friedman & Feiger can help.  We understand what you must do to show compliance under HIPAA, HITECH and the Texas Patient Privacy laws.  If you need a checkup, give us a call at (972) 788-1400 or email me at 


5301 Spring Valley Rd.

Suite 200

Dallas, Texas 75254





Martin R. Merritt practices in the area of Health Law and Healthcare Litigation. He represents clients in "Stark Law," the False Claims Act, the Anti-Kickback Statute, recoupment audits, actions before the medical board and other state and federal health law matters. He received a B.B.A. from Delta State University in 1984, and his J.D. from Ole Miss in 1986. He has been licensed to practice in the State of Texas since 1989, first having been licensed in Mississippi in 1987.


He is admitted to practice before the United States District Courts for the Northern and Eastern Districts of Texas and all Texas State Courts. He is a member of the Health Law Section of the Dallas Bar Association, the Health Law Section of the State Bar of Texas, the American Health Lawyers Association, and the North Texas Healthcare Compliance Professionals Association.
