Update: On Tuesday, the Department of Health and Human Services said it had not waived HIPAA in Orlando after all because it was not necessary—the mayor’s original remarks were the result of some miscommunication. WIRED’s original story, about why a HIPAA waiver would not have been necessary, is below.
In the early hours of Sunday morning, dozens of people shot at Orlando’s Pulse nightclub---wounded, dying, dead---began streaming into Orlando Regional Medical Center. The situation was chaotic and confusing enough that the federal government took an unusual step: waiving a number of provisions of HIPAA, a law intended to protect patient privacy.
“The CEO of the hospital came to me and said they had an issue related to the families who came to the emergency room,” Orlando mayor Buddy Dyer said in an interview. “Because of HIPAA regulations, they could not give them any information.” The mayor then asked the White House to waive HIPAA, which it agreed to do.
HIPAA, which stands for Health Insurance Portability and Accountability Act, is a complicated law and, frankly, confusion abounds. “Even hospitals are not completely aware of what HIPAA says or doesn’t say,” says Carl Schultz, an ER doctor and professor of emergency medicine at UC Irvine. In fact, HIPAA does allow doctors to inform family members of patients who are incapacitated. Waiving the law should not have been necessary for that alone.
So why waive parts of HIPAA---a move that several healthcare law experts told WIRED they think is unprecedented? Because HIPAA is vague and confusing and debating the intricacies of a law is not what you need in the middle of an emergency.
Consider what HIPAA says about allowing doctors to disclose information about a patient who is in a coma or surgery or for other some reason cannot immediately consent. Doctors can do so if it is in the best interest of the patient “in the exercise of professional judgment.” What does that mean? Can doctors tell a mother calling the ER about her son without verifying her identity? Can they post a list of names for waiting families to check? “Professional judgment” is not a very clear standard.
Hospitals have reason to act cautiously. HIPAA violations carry civil fines from $100 to $50,000 plus criminal penalties in certain cases. “My guess is that there was tremendous confusion and chaos at the hospital given the circumstances, and the finer points of HIPAA disclosures might not be met in every case,” Michael Bossenbroek, a lawyer who specializes in HIPAA, wrote in an email. Rather than choke the system with decision points about the law, waiving HIPAA let doctors do their jobs without having to worry each and every time they talked to someone about a patient.
On the other hand, Schultz says he has never heard of anyone being fined for HIPAA violations after a mass shooting or terrorist attack. The federal government has discretion over who to go after for HIPAA violations, and accidental violations during chaotic times are not the highest priority. “The intent of HIPAA was not to cause more suffering for families,” says Schultz.
It’s not just the vague parts of HIPAA that cause confusion. Even in cases where HIPAA rules are clear---like allowing doctors to share medical information about a patient with each other---hospitals err on the side of extreme caution. Schultz says that he often gets patients in the ER whose doctors won’t send over medical records without a signed consent form, no matter if the patient is unconscious. “It becomes extremely frustrating. That’s in normal times,” he says. “When something like this happens and now you’ve got dozens of victims and no one will share information without signed consent, it just makes you crazy.”
The federal government can waive HIPAA in emergencies precisely for this reason. Unfortunately, parts of HIPAA can cause confusion not only during these big emergencies but every day.
