The Folk Version of HIPAA

Most Americans have never read it. Those who have unwittingly abuse it.


HIPAA, HIPAA, HIPAA!

If you are of a certain age, that may sound somewhat familiar. Most of us remember that Brady Bunch episode when Marcia got hit in the nose with a football and spent the next three episodes making everyone's life miserable about it, especially Jan. “Marcia, Marcia, Marcia!”

HIPAA is basically the Marcia of Healthcare.

The joke was that the name became bigger than the injury. HIPAA works the same way. Everyone invokes it, but nobody is entirely sure what it does. The acronym has become a conversation-ender, a sort of solvent for situations that feel like they might involve protected health information (PHI). The people who hide behind it have almost never read the statute (lately, anyway), and the people who hear it assume somebody, somewhere, must have.

Consider the family member who calls an emergency room because her adult son, who has a psychiatric history, was brought in three hours ago. She is not calling for details. What she wants is to know if he was there and for someone to call her when he is discharged so she can pick him up. Whoever was on the phone tells her they cannot confirm or deny whether anyone by that name is a patient.

In December 2025, NPR reported this exact scenario involving a mother named Laurie and her adult son at Munson Medical Center in Traverse City, Michigan.¹ She had asked the staff repeatedly to notify her when her son was released. They discharged him without a call, and he ended up walking home in his PJs through a bitterly cold night.¹ The staff who turned her away were not acting out of malice; they were following what they understood to be the law.

Unfortunately, they were wrong.

The Privacy Rule, 45 CFR § 164.510(b), permits a covered entity to share information with a family member, relative, close personal friend, or any other person the patient has identified when that person is involved in the patient's care or payment for care.² When a patient is incapacitated or otherwise unable to agree or object, providers may use their professional judgment to decide whether sharing information serves the patient's best interest.² Laurie was not asking for something HIPAA prohibited; she was asking for something HIPAA permitted, and the hospital said no anyway. Written authorization was not required in this case, and the Privacy Rule gave the hospital a way of saying yes.

What put her son out in the cold that night is a pattern that runs deep. So deep that when forty-nine people were murdered at Pulse nightclub in Orlando on June 12, 2016, the mayor of Orlando publicly announced he had contacted the White House to "waive" HIPAA so that hospitals could share information with the victims' loved ones.³ The White House did not have to waive anything. The Office for Civil Rights (OCR) confirmed within days that the Privacy Rule already permitted providers to share information with family members and close personal friends of incapacitated patients, and that these disclosures were permissible to same-sex as well as opposite-sex partners.³˒⁴ Providers had been enforcing a restriction that did not exist, and in Orlando they were enforcing it in a crisis where the victims were predominantly gay men whose partners were, in many cases, the only people looking after them.

HIPAA is not a niche legal problem in healthcare. Since the Privacy Rule's compliance date way back in April 2003, the OCR at HHS has received over 374,321 HIPAA complaints.⁵ Of those, roughly 255,953 were found not to present eligible cases for enforcement, a category that includes complaints filed against entities HIPAA does not cover and complaints describing an activity that is not a violation.⁵ Two out of every three complaints that arrive at OCR describe something the law either does not govern or does not prohibit.

Two Out of Three — Of 374,321 HIPAA complaints received by OCR since April 2003, roughly two-thirds described something the law does not govern or does not prohibit. Source: HHS Office for Civil Rights, Enforcement Highlights.

The law has a public relations problem, and people are getting hurt because of it.

This is not about HIPAA being too protective. The privacy of medical information is obviously worth protecting, and the Privacy Rule, assuming it's read carefully, is well-designed for doing just that. The problem is that the version of HIPAA most Americans encounter does not resemble what the law says. What people think of as HIPAA is an unwritten folk version of the statute.

The Health Insurance Portability and Accountability Act (HIPAA) was signed in 1996, and its original purpose had almost nothing to do with privacy.⁶ The law was about helping Americans keep their health insurance when they changed jobs. The "P" in HIPAA stands for Portability, not Privacy, which is something that surprises almost everyone. The privacy provisions came later when HHS published the Privacy Rule in 2003 as electronic health records proliferated and the question of who could access them became an issue.⁶

The rule that came out of that process starts from the idea that health information needs to flow. Providers need to talk to other providers, hospitals need to communicate with insurers, and caregivers need to know what medications a patient is taking. The rule was designed to protect that information from people who had no reason to see it, not to wall it off from the people most involved in a patient's care. Calling a patient's name in a waiting room is not a HIPAA violation. Neither is a pharmacist allowing a spouse to pick up a prescription, or a nurse discussing a patient's condition with a family member who is present and whom the patient has not asked to exclude.² The Privacy Rule permits all of these, and none of them requires written authorization.

So where did the folk version come from? To answer that we need to look at the penalty schedule.

HIPAA violations carry federal civil penalties that range—after inflation adjustments—from $145 per violation at the lowest tier of culpability to $2,190,294 per violation at the highest, with annual caps that scale accordingly.⁷ Criminal penalties for the misuse of PHI can reach $250,000 and ten years in prison.⁶ OCR has imposed 51 penalties specifically for failing to provide timely access to medical records, which says a lot about how often facilities get it wrong even in the direction the law most plainly requires.⁸

Now consider, if you will, the incentive structure this creates for the front desk. Sharing information that the Privacy Rule permits carries risk. If you misjudge the situation, or if the patient later objects, or if a complaint lands at OCR, you could face investigation and your employer could face a fine. Refusing to share information carries none of this risk. Nobody files a complaint because a hospital was too quiet. No OCR investigation has ever been opened because a provider declined to disclose information to a family member. The penalty schedule punishes disclosure errors. Silence has no penalty schedule at all.

Silence Has No Penalty Schedule — Annual penalty caps by tier of culpability under federal HIPAA (inflation-adjusted, 2026). The penalty for withholding information a provider is permitted to share is zero. Source: 45 CFR § 160.404; HHS inflation-adjusted amounts, January 28, 2026.

Every year, in every hospital in America, every staff member completes (or is supposed to complete) an annual HIPAA training that ends up treating disclosure as the thing to fear. The permission structure, the part of the Privacy Rule that lets providers use professional judgment to share information with families, gets a paragraph, if that. Staff trained this way know exactly what the risks of saying something are, and have almost no way to recognize when saying nothing is the thing that causes harm.

Consider a family member in a waiting room who calls the nurses' station to report that the patient was just started on a new blood thinner by a different provider, information the treating physician may not have. They are giving clinical information that could prevent a medication interaction, which is not a disclosure at all. The information is flowing in the other direction, and the Privacy Rule has almost nothing to say about it. Turning that family member away "because HIPAA" is not a privacy protection. The scenario is built from patterns of over-compliance that HIM professionals have documented for years, and it captures from the other side what the documented cases confirm.

The GAO found this very thing in mental health settings. Families of adults with serious mental illness reported being unable to get any information about a hospitalized family member's condition or treatment, regardless of whether the patient was incapacitated, whether the family was the patient's primary caregiver, or whether the provider had discretion under the Privacy Rule to share.⁹ The term "HIPAA handcuffs" was born in psychiatric care specifically, because the problem there is widespread enough that clinicians coined a name for it. And Americans see similar scenarios on TV and think they are normal.

In Season 2, Episode 4 of The Pitt, a patient arrives at the emergency department with injuries from a parkour stunt for social media. His friend follows him into the treatment room with a camera rolling. Dr. Robby shuts it down, telling the friend he cannot film because of patient privacy laws.¹⁰ In the scene it looks as though Robby handled this correctly, and every physician watching it would nod. The problem is that the Privacy Rule does not prohibit filming if the patient is present and does not object.² In this scene, the friend was there at the patient's invitation. The patient and the friend had been filming together moments earlier. Robby's reflex was to say "you can't do that" without asking whether the patient cared. The "no filming" sign you sometimes see in an ER bay is not for the patients or their family and friends, but for the staff.

Emergency physicians love The Pitt for its clinical accuracy, and that includes scenes like this one.¹⁰ The medical community's most celebrated realistic depiction of emergency medicine treated HIPAA over-compliance as the way things are done, and nobody in the room blinked.

HIPAA is hard enough on its own. But for the roughly 30 million people who live in Texas, there is a second law sitting on top of it.

Texas House Bill 300, signed by Governor Rick Perry and effective September 1, 2012, amended Chapter 181 of the Texas Health and Safety Code and created a state privacy framework that overlays HIPAA in every place where the state version is more stringent.¹¹ Under HIPAA, a "covered entity" means a health plan, a healthcare clearinghouse, or a healthcare provider who transmits health information electronically. Under Texas law, a covered entity also means any person who assembles, collects, analyzes, uses, evaluates, stores, or transmits protected health information (PHI).¹¹ That brings in accountants who touch health data, IT service providers, website operators, and anyone else whose work brings them into contact with the PHI of a Texas resident. The net is vastly wider here and the disclosure rules are tighter too.

HIPAA's § 164.512 lists more than a dozen circumstances in which a covered entity may disclose PHI without the patient's authorization, including public health activities, judicial proceedings, and law enforcement purposes.⁶ Under Texas law, electronic disclosures of PHI are only permitted to other covered entities for treatment, payment, or healthcare operations. Every other electronic disclosure requires the patient's explicit okay.¹² If a Texas provider shares electronic PHI for any of the federal exceptions that § 164.512 allows, and the patient has not authorized the disclosure, the provider has complied with HIPAA and violated Texas law.

The penalty structure hammers the point home. Texas imposes civil penalties of $5,000 per violation for negligent conduct, $25,000 per violation for knowing or intentional conduct, $250,000 per violation when PHI is used for financial gain, and up to $1.5 million for a pattern or practice.¹¹ These are separate from federal HIPAA penalties—and they keep stacking up. A single disclosure event at a Texas hospital can produce both a federal investigation by OCR and a state enforcement action by the Texas Attorney General, each with its own penalty schedule.

The Stacking Effect — A single disclosure event at a Texas hospital faces both federal HIPAA and Texas HB 300 penalty schedules. Federal amounts are annual caps; Texas amounts are per-violation penalties. Source: 45 CFR § 160.404; Texas Health and Safety Code, Chapter 181.

Imagine you are the compliance officer at a 25-bed Critical Access Hospital in West Texas. Your staff has sixteen beds occupied, two coders on payroll, no dedicated privacy officer, and an annual HIPAA training module that your vendor built to cover federal requirements. Texas HB 300 requires that training be customized to each employee's job function, completed within 90 days of hire, and repeated whenever there is a material change in state or federal law.¹¹ You are supposed to be training your staff on both, defaulting to whichever is stricter at each point, and documenting it all with signed attestations retained for six years. If you are doing this correctly in a place that small, you are doing something most compliance programs at much larger hospitals have not figured out.

The safe play is the one that protects the facility from the penalty schedule: say no to everything. When in doubt, cite HIPAA (or HB 300, though most staff will just say HIPAA because that is the word most people know). The law permits professional judgment, but the penalty punishes it.

There is one more wrinkle that one doesn't usually encounter until it rears its ugly head. HIPAA does not give patients a private right of action. If a covered entity violates your privacy rights under HIPAA, you cannot sue them for the HIPAA violation. You may file a complaint with OCR, and OCR may investigate if they choose, but that’s about as far as it goes.⁶ Most patients assume they can sue; they cannot. The enforcement mechanism is entirely administrative, which means that the only cop on this beat is OCR, an office whose enforcement staff has been cut by 45% since 2017 while complaint volume has more than doubled.⁸ But in Texas, we have a slightly different picture.

The Texas Attorney General can bring enforcement actions under HB 300, and the state law permits injunctive relief.¹¹ A person whose rights under Texas law have been violated can file a complaint with the AG's office, which has broader enforcement tools than OCR in some respects. The result is that a patient whose privacy has been violated has a somewhat better enforcement path than a patient in a state with no supplementary health privacy law, although not by much.

None of these failures originate in the statute, because the Privacy Rule is doing what Congress created it for. The failure is the layer built on top of it: the annual compliance training that teaches the prohibitions and breezes past the permissions, and the enforcement office that is supposed to police it all but lost almost half of its staff while its caseload doubled. Meanwhile, the public believes HIPAA protects their Fitbit data (which is entirely outside the law's jurisdiction) and prevents their doctor from talking to their spouse (which the law expressly permits under the right conditions).

The law is fine. It is the training that is broken, and the culture that spawned from that training is now harming patients and families, from psychiatric wards to small-town hospitals.

Nobody teaches the cost of saying too little, which affects those like Laurie, the partners in Orlando, and every family member holding a phone in a waiting room at two in the morning while the compliance department's spreadsheet stays clean.


References

¹ Howard M. HIPAA protects patient privacy, but some say it shuts out caregivers. NPR. December 10, 2025. https://www.npr.org/2025/12/10/nx-s1-5601929-e1/hipaa-protects-patient-privacy-but-some-say-it-shuts-out-caregivers

² 45 CFR § 164.510(b). Uses and disclosures for involvement in the individual's care and for notification purposes. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.510

³ Howard J. No, HIPAA was not waived in Orlando and here's why. CNN. June 14, 2016. https://www.cnn.com/2016/06/14/health/hipaa-medical-privacy/index.html

⁴ US Department of Health and Human Services, Office for Civil Rights. Guidance on HIPAA, same-sex marriage, and sharing information. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/special-topics/same-sex-marriage/index.html

⁵ US Department of Health and Human Services, Office for Civil Rights. Enforcement highlights. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

⁶ Health Insurance Portability and Accountability Act of 1996, Pub L No. 104-191, 110 Stat 1936.

⁷ US Department of Health and Human Services. HIPAA administrative simplification enforcement. Inflation-adjusted civil monetary penalties as of January 28, 2026.

⁸ HIPAA Journal. State of HIPAA: 2025 predictions. https://www.hipaajournal.com/state-of-hipaa/

⁹ US Government Accountability Office. Mental health: HHS could play a larger role in helping states address challenges related to HIPAA's effect on care. GAO-16-727. September 2016.

¹⁰ The Pitt. Season 2, Episode 4. HBO/Max. 2026. HIPAA E-Tool analysis referenced for legal framing.

¹¹ Texas Health and Safety Code, Chapter 181. As amended by HB 300, 82nd Texas Legislature, effective September 1, 2012.

¹² The HIPAA Guide. Texas HB-300 compliance. https://www.hipaaguide.net/texas-hb-300-compliance/

R code for the graphs is available on GitHub.