Human Subject: An Investigational Memoir

Previous chapter | Contents | Next chapter | References | Contact


22. Public-Private Puzzlement

“Le savant ne cherche donc pas pour le plaisir de chercher, il cherche la vérité pour la posséder, et il la possède déjà dans des limites qu'expriment les sciences elles-mêmes dans leur état actuel.”

Apparently I wasn’t going to get any real help from the formerly helpful lady in the dental school—maybe my grievance didn’t rise to the appropriate level of privacy invasion—so I looked for other options. I finally located the procedure for filing a complaint with the HHS Office of Civil Rights under HIPAA (the Health Information Portability and Accountability Act of 1996).

Until then, I had tried to ignore HIPAA, even though it’s a frequent subject of discussion among IRB professionals (a search of the IRB Forum retrieves 783 messages with “HIPAA” in the subject line). For some reason, it irked me that a law meant to guarantee portability of health coverage had become best known as a protector of privacy. It seemed to me that the original intent of the law had been forgotten in the confusion over what it did or didn’t say about what information you could or couldn’t release. Even on the HHS home page, the only information about the law is at a link called “Health Information Privacy (HIPAA),” as if the ‘P’ stood for privacy rather than portability.

It’s no wonder that health-care providers are so confused by the HIPAA privacy regulations. A document called Summary of the HIPAA Privacy Rule is 25 pages long, and the rule itself (45 CFR 160) runs to more than 100 pages. And it’s all Congress’s fault: They had three years from the passage of the act to institute a privacy law, and because they didn’t, it was up to HHS, which issued the final regulations in 2003.

In some ways, HIPAA reminds me of FOIA and its state and local counterparts: What used to be a simple matter of asking someone for information has become mired in regulation and red tape. In the case of HIPAA, the law is meant to keep information out of the wrong hands. It says that health-care providers are allowed to share information with others as long as the patient doesn’t object, but it doesn’t require them to give out any information. Public-disclosure laws do just the opposite in requiring that government agencies make information available; they don’t state that a formal request is the only way that a person is allowed to ask for information, but that’s pretty much the only way that government offices will accept a request.

Providers have misinterpreted HIPAA to mean that no information can be shared, while government officials have misinterpreted FOIA and its state equivalents to mean that no information should be shared without going through a formal process. In both cases the result is restricted—or at least delayed—access to information. In my case, since I had asked for both public and private information simultaneously, the two processes had gotten inappropriately and unnecessarily entangled. It was the perfect case to illustrate how these regulations can turn information seeking into an exercise in absurdity.

As a New York Times article pointed out, the experts at misinterpreting HIPAA are the keepers of the information, i.e., health-care workers. There have been instances of birthday parties in nursing homes that were cancelled for fear that revealing a resident’s age was a HIPAA violation. In some doctors’ waiting rooms patients are assigned code names, such as “Zebra” or “Elvis,” so that they can be summoned without being identified. Then there was the case of the doctor’s receptionist who told a patient on the phone that she couldn’t reveal the doctor’s whereabouts “because of HIPAA.” (Gross, 2007)

According to the article, Sen. Edward Kennedy, an original sponsor of health-portability legislation, is so dismayed by the incomprehensible jumble of regulations that he and Sen. Patrick Leahy plan to introduce a law that would create a special office in HHS for interpreting and enforcing the privacy rule. Yes, that’s just what we need: another HHS office to explain its regulations to us.

In reality, the HIPAA privacy rule allows health professionals to share protected health information (PHI) with a patient’s family and friends, unless the patient objects. It also allows hospitals to disclose “directory information” about patients to anyone who asks, including reporters. This information may include name, location within the hospital, general condition, and room telephone number. The patient is given the option to prevent disclosure of any or all of this information. However, in many cases health-care providers have told reporters that HIPAA prevents them from speaking to the press at all.

The Washington City Paper got in trouble with HHS for disclosing patient information obtained during a reporter’s ride-along in an ambulance. This disclosure might have been a real cause for concern, except that the information was obtained not from the emergency workers but directly from the patients, who knew they were talking to a reporter. The uproar over this “violation” caused the Washington, D.C., fire department discontinue its media ride-along program. (Gross, 2007)

Statistical information contains no PHI, and therefore is not covered by the privacy rule. Some facilities, however, have used HIPAA as an excuse for not releasing such data, as when a Dallas TV station sought statistics on alleged sexual assaults at state mental hospitals. A Texas appeals court ruled that this was not covered information under HIPAA.

It isn’t just the health-care providers who have HIPAA trouble. IRBs differ in how they interpret the privacy rule. For example, at one institution the IRB may allow researchers to comb patient records for possible study subjects, while another strictly forbids such harvesting (Reitz, 2005).

HHS doesn’t seem too interested in fining or otherwise punishing violators of the privacy rule, at least not when the violation consists of withholding information. In the four years that the privacy rule has been in effect, the government has levied no fines, even though it has received nearly 30,000 reports of violations. There have been only two prosecutions of people who disclosed or misused PHI. In fact, according to an HHS spokesperson quoted in the New York Times article, the only privacy complaints that have been investigated are the ones filed by patients who were denied access to their own records.


I thought I should give the lady in the dental school one more chance to respond, so I emailed her again. I also contacted someone in the dental research clinic. They both ignored me, having concluded, no doubt, that I was a wacko with too much time on my hands. As if to prove their point, I downloaded the Health Information Privacy Complaint form and filled it out.

The form (HHS-670, available on the OCR Web site) was really quite simple and straightforward. It just required my name, contact information, and a description of what had happened. “How and why do you believe your (or someone else’s) health information privacy rights were violated, or the privacy rule otherwise was violated?” asked the form. “Please be as specific as possible. (Attach additional pages as needed)

So here’s what I wrote:

“I asked a dentist for information about a study I had participated in. He sent my request to the university's public-records office. The package I got from them included my personal health record, which someone had apparently sent to the public-records office instead of directly to me. The dental school staff won't respond to my requests for an explanation.”

I managed to fit it into the four lines given, so I didn’t need to use extra pages. Then I printed the form and addressed an envelope to the OCR office for my region. I thought it was telling that a department committed to ensuring the secure electronic flow of health information didn’t even trust its own computer system enough to allow complaints of violations to be submitted online.

Before mailing the complaint, I tried one avenue that I had hitherto avoided: I wrote to the director of InfoGuard. I had to use the generic email address from which the previous anonymous messages had come, because, despite assiduous application of my reference-librarian skills, I could not find an email address for the director. I asked her two questions: (1) How did they get my mailing address? (2) Why did the packet they sent include my personal medical information?

And you the reader are probably asking one question: Why did I not just pick up the phone and talk to the people who could provide the information I needed? I wish I could say that it’s because I’m a deaf mute, or because I have some physical disability, but my reasons for eschewing the telephone are all in my head. That is, I suffer from severe telephonophobia. Not professionally, mind you. I can answer calls in the workplace from total strangers all day long. But as soon as it gets personal, i.e., if someone wants to talk specifically to me or if I need to conduct a personal transaction, I will do anything to avoid telephonic communication. For me, the advent of email was like getting a replacement for a missing limb: At last I could function on a daily basis in a way that didn’t feel awkward and abnormal.

There are some well-known limitations of phone communication, such as being unsure of whether you’re calling at an appropriate time and not knowing whether someone is smiling, grimacing, or yawning at what you just said. But for me it goes much deeper. Every time I call someone I feel as if I’m barging uninvited into the person’s office, home, or car (widespread mobile-phone use has added to my anxiety by introducing the possibility that my call could be downright deadly, rather than just inconvenient). Then, after I have thoughtlessly wrested someone’s attention from dinner, TV, or the oncoming traffic, I feel duty-bound to be articulate, brief, witty, and whatever else the occasion demands. If I fumble for words, if there’s a bad connection, if the other person seems impatient, hostile, or even just slightly confused, I start to sweat profusely and laugh inappropriately.

Email is so obviously preferable to the telephone in so many ways. It gives you time to organize your thoughts and express them with just the right words. You don’t have to worry about interrupting anyone, because correspondents are free to read and reply to your message when it’s convenient for them. And phone conversations rarely leave a written record (unless of course you’re of a Nixonian bent).

Those on the cutting edge of electronic communication don’t use email much anymore. They say it’s a 20th century technology that will soon be completely replaced by instant messaging, text messaging, and whatever instantaneous method is just down the pike. I hope they’re wrong. For one thing, those other modes are temporally the equivalent of calling someone on the phone: If the person is available to chat or read a text message, an instant reply is expected. Also, it’s hard to be thoughtful and thorough in quick message exchanges, especially if you’re typing with your thumbs.

If I could find a clinical trial that was testing a cure for telephonophobia, I would sign up in a minute. I would even undergo a screening by phone (an ordeal I’ve endured repeatedly throughout this narrative, but always, of course, in the furtherance of generalizable knowledge rather than for my own personal benefit). Unfortunately I don’t think the phenomenon is widespread enough to merit serious investigation.

Oddly enough, most people seem to prefer the more invasive and less reflective modes of communication. For many, the telephone has become a permanent ear accessory. Ten years ago you would never have heard what seems to be the most-asked question by people who call other people on the phone: “Where are you?”

No, I wasn’t about to ring up any of the people who hadn’t responded to my email messages. If they wanted to ignore me, they would have to do so on my terms.


I received no reply from the head of InfoGuard, so I went ahead and mailed my privacy complaint to OCR. Three days later I got a latter from the regional OCR manager. “We are in the process of reviewing your correspondence,” she wrote, “to decide whether OCR has authority and is able to take action . . .” She had enclosed a Complainant Consent Form, which they would need if they determined that they had the authority to take action. It seemed kind of redundant—hadn’t I consented already by submitting a complaint form? —but I signed the form and mailed it back to her.

That same day I realized that I hadn’t told OCR that the dental records were under the name Janice Jones. I searched until I found an email address for the regional manager. In my message I thanked her for her reply, gave the additional information, and asked if she could suggest any other recourse, in case it turned out that OCR lacked authority. She never replied.

A week later I got an email from the dental school’s administrative director. She attached a letter she had tried to send three weeks earlier, which had been returned because a digit was missing at the beginning of my address. The letter basically said that InfoGuard is a fine, upstanding bureaucracy that specializes in figuring out what information to release to whom, and that’s why the dental school sends them every request for information that it gets, and that InfoGuard always does the right thing and can be trusted to keep a secret.

I wrote back to her, with a copy to the OCR director, saying that I was sure the InfoGuard staff were honest and scrupulous and a friend to all and a sister to every other Girl Scout (OK, not quite in those words), but that it was still a violation of my privacy to release personal health records requested by me to someone other than me, especially when the consent form I’d signed had promised that such a thing would never happen.

I didn’t expect to hear from either of those dedicated civil servants again, but a few weeks later I received a call from an OCR investigator. She betrayed her ignorance of, or disregard for, the facts of thes case by beginning with the question “Who is your dentist?” I told her that my complaint hadn’t implicated any personal dentist of mine.

“Oh?” She seemed confused. “But you wrote that you asked your dentist—“

“No,” I interrupted. “I wrote that I asked a dentist.”

There was a pause while she looked again at the complaint. “Oh, yes, I see . . .”

She asked me more questions to try to establish the facts. I lost all confidence in her ability to do so when she stated that the public-information office was called that because its job was to supply any and all information requested by the public. In the end she said that she would consult with her supervisor, but that she thought that what the dental school had done was perfectly appropriate.

Sure enough, the very next day the OCR manager wrote me a letter explaining that they weren’t going to pursue my complaint. Why? Because the dental school was complying with 45 CFR 164.514(d)(2)(i)(A) when it identified InfoGuard staff as people who needed access to PHI in order to carry out their duties. It seemed kind of tautological, or at least circular, to say, “We’re giving them the duty of handling people’s PHI, and in order to carry out this duty they need to handle people’s PHI.”

Around the same time that I received OCR’s determination that my complaint had no merit, I got another email from the administrative director at the dental school. She pretty much paraphrased what OCR had said, so I assumed that the two offices were in cahoots. I wrote back to her, asking where exactly it was written that they had identified InfoGuard as someone who needed access to my health records. Then I wrote to the clueless investigator (who, it turns out, had earned a Ph.D. in sociology by writing a dissertation about PTSD and Vietnam veterans), asking her the same question and adding another: What about the subsequent parts of section 164.514(d)(2)(i)? Specifically, had the dental school identified “the category or categories of protected health information to which access is needed and any conditions appropriate to such access” and had they made “reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section."?

I fully expected that my questions would be ignored, and the OCR investigator lived up to my expectation. All I got from her was this terse reply:

OCR administratively closed your complaint based on the information youprovided to us.If you would like additional information about how Big U handles privacyissues or its compliance with 164.514(d)(2), you can certainly contact Big U's Privacy/HIPAA compliance office directly.

In other words, the office that protects the confidentiality of our medical records relies on us to describe the situation completely and accurately, and it makes no effort to gather additional information. If the complaint doesn’t mention a particular law, the office assumes that the law doesn’t apply. It’s no wonder that HHS has pursued only one out of every 10,000 complaints it has received.

The answer that I finally got from the dental school lady was slightly more helpful. She pointed me to an official Big U document that designated “health care components,” such as the dental clinics and medical center, as well as “non-health care components” that perform support functions. The activities performed by InfoGuard were not on the list of support functions, but since it said the functions “include the following,” the argument that something wasn’t designated just because it wasn’t on the list would be pretty pointless. And by that time I had grown weary of pursuing my petty crusade against entrenched bureaucrats, so I really didn’t feel like arguing.


Previous chapter | Contents | Next chapter | References | Contact