This story is over 5 years old.


Has Healthcare Privacy Gone Too Far?

Hospital employees think they can’t reveal the names of their admitted patients. They’re wrong.

​​Last year, my father had a medical emergency. When his visiting nurse found him confused and barely responsive, she called 911. As the paramedics rushed him to the hospital in an ambulance, the nurse called to fill me in, but couldn't tell me the one thing I needed to know: which hospital they took him to. I spent the next hour calling local ER after local ER, and receiving the same, infuriating reply: "We can't confirm that we have a patient meeting that description," receptionists at three area hospitals told me.  I live a three-hour drive from my dad—and had a newborn at the time—so I couldn't just hop in the car and go find him. Desperate, I called the fire department in my father's town, and they connected me with his paramedic, who told me the hospital—and even my dad's bed number. ​But when I called back, the hospital receptionist still wouldn't budge. "We can't confirm…"  My mind went straight to the worst-case scenario: Dad's no longer in the ER, I thought. He's in the morgue.  Two hours later, he called—alive, responsive, and recovering.


While relieved, I was also furious. My concern for my dad's health was compounded by the frustration of hitting a wall that many hospitals erect in the name of privacy laws. Every day, thousands of American families go through the same process when a loved one is hospitalized, but this frustration is often in vain.

Despite what many people believe, no federal or state law bars hospitals from disclosing the names of patients who are admitted for care. Hospitals can maintain a directory of patients and are allowed to disclose general information about a patient's location and condition, but many institutions ignore this protocol, training employees to deliver nothing but that dreaded line: "We can't confirm…" 

Like most hospitals, Lawrence General, where my Dad was admitted, takes extreme measures to comply with HIPAA, the Health Insurance Portability and Accountability Act. The law, passed in 1996 and slowly phased into health care practices since, aims to protect patient privacy. HIPAA "strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing," according to the Department of Health and Human Services.

The potential for steep fines—and even public shaming, since providers must publicly disclose HIPAA violations—have led to many healthcare organizations taking an extreme interpretation of the law.

"There's still a fair amount of misunderstanding about what's allowed," says Matthew Fisher, chair of the health law group at Mirick, O'Connell, DeMallie & Lougee in Worcester, Massachusetts. "This results in hospitals being overly cautious."


Part of the problem is that while patient privacy is protected under HIPAA, there is no legal protection for the rights of a patient's family members. Human decency and common sense dictate that you should tell a crying daughter if her father is indeed in your hospital. However, if a hospital doesn't disclose that information, all they have is an annoyed community member. If the organization accidentally discloses HIPAA-protected information, the consequences are much more significant. While it's understandable why hospitals want to stay clear of HIPAA violations, the denial of basic information to callers often results in needless heartache for family members.

"It may seem like we're being overly stringent, but we need to err on the side of caution," says Maria Palumbo, the privacy officer at Lawrence General Hospital, where my father was treated. She added that in emergency situations in the ER, when there is often concern about taboo conditions like mental illness or addiction, or the patient is unresponsive, there is an even heavier burden of protecting privacy.

However, HIPAA policy is clear that the act is not meant to stand in the way of family members finding out about their loved ones. The Health and Human Services website specifically says that medical professionals can notify family members about a patient when the patient agrees "or does not object." In fact, even if a patient is unresponsive, a medical professional can notify family of their condition "when, in exercising professional judgment, determines that doing so would be in the best interest of the patient."


HHS maintains a whole page of frequently asked questions regarding medical disclosure to family and friends, and in almost every case the answer is "Yes," the disclosure is allowed. Confirming that a patient is in the hospital is not a HIPAA violation. Yet many hospitals still train staff to never disclose information over the phone.

"When callers ask if so-and-so is there, we simply don't confirm or deny," says one ICU nurse I spoke with in Michigan.

In another conversation, a behavioral health tech at a mental health facility in Missouri told me she was trained to give the same response. The closest she came to breaking the rules was offering to pass along a message "if the patient was there."

"I'm not sure if this was kosher with HIPAA, but our patients can't access their cell phones," she says, "so the only way patients can contact family is if we take messages or if they have the numbers memorized."

Another woman, a registration representative I spoke with in a Massachusetts emergency room, was also trained to keep quiet. "I never share information because I don't want the liability," she says. Although she sticks to hospital policy and discloses no information, she understands why callers are frustrated and emotional. "Everybody gets really angry," she says.

For emotionally strung-out family members trying to obtain the most basic details they're entitled to, this lack of cooperation is not only frustrating but potentially harmful. I spoke with Helen, a Washington, DC, woman who asked to remain anonymous. Her wife was hospitalized in a psychiatric ward and despite knowing exactly where her wife was, Helen hit the privacy wall each and every time she called.


"Whenever I called the unit, I was told they could not tell me if she was there or not because of HIPAA laws," Helen says. Even when Helen researched HIPAA and realized that the hospital was wrong, the staff refused to acknowledge it: "Even after I pointed it out to them while it was happening, they'd just repeat themselves and hang up," she says. "Later her case workers told me it was a misunderstanding that happens very often in that unit."

The issue culminated on the day of her wife's scheduled discharge.

"I called to see what time she'd be released and they refused to confirm if she was even there or not," Helen says. "Long story short, I had to take an entire day off from work so I could be home in case she came back." The hospital later released Helen's wife—but refused to let her use a phone to contact anyone for a ride. "She had to walk home with no phone, money, or ID," Helen says. "Totally avoidable had the staff understood HIPPA properly."

Michael Herrick, CEO of, which provides cyber security and HIPAA compliance services to hospitals, said that misunderstanding of HIPAA is a widespread issue, despite the fact that the medical community has had two decades to adjust. Any family member who has desperately searched hospitals for a loved one knows the overwhelming sense of helplessness that can come from butting your head against the privacy wall.

One way to streamline access to information during a medical emergency involves having the patient set up a healthcare proxy. This document appoints someone else to convey your wishes if you can't speak for yourself. If a proxy is on file, it's much easier to share information. "It takes the burden off of everyone and allows care to go a lot more seamlessly," Palumbo says. But, of course, because the proxy needs to be done ahead of time, it's not always a practical option for people who don't expect to be hospitalized.

When I pushed Palumbo to clarify Lawrence General's privacy policy for the ER and asked whether my experience was a mistake or not, she demurred, avoiding the question and refusing to comment specifically on my case.

However, an emergency room nurse at Lawrence General said that, according to her understanding of hospital policy, I should have been able to find out that my father was in the ER. ​

In an attempt to avoid confusion, the Department of Health and Human Services has been issuing information and clarification on HIPAA, for individuals and professionals. For now, however, obtaining information on a loved one often comes down to an individual hospital's policy, and—hopefully—a little decency from care providers.

Photo: Chris Whitehead/DigitalVision/Getty Images​