Cannot Confirm or Deny – When Concerns about HIPAA Violations Surpass Reality

Healthcare providers are still confused about when and how much information they are allowed to share while still complying with HIPAA regulations. This often leads to situations where family members struggle to uncover the truth when a relative is suddenly hospitalized. Any sudden healthcare crisis can prompt the start of a rough day or week, but it is made even worse when family can’t access even the most basic information: where their relative is hospitalized.

“Has Healthcare Privacy Gone Too Far?” by Kelly Burch on the new VICE channel TONIC elaborates on the situation:

Last year, my father had a medical emergency. When his visiting nurse found him confused and barely responsive, she called 911. As the paramedics rushed him to the hospital in an ambulance, the nurse called to fill me in, but couldn’t tell me the one thing I needed to know: which hospital they took him to. I spent the next hour calling local ER after local ER, and receiving the same, infuriating reply:

“We can’t confirm that we have a patient meeting that description,” receptionists at three area hospitals told me. 

The article expands on the reasoning behind the over-cautious procedures:

Michael Herrick, CEO of, which provides cyber security and HIPAA compliance services to hospitals, said that misunderstanding of HIPAA is a widespread issue, despite the fact that the medical community has had two decades to adjust. Any family member who has desperately searched hospitals for a loved one knows the overwhelming sense of helplessness that can come from butting your head against the privacy wall. 

Like most hospitals, Lawrence General, where my Dad was admitted, takes extreme measures to comply with HIPAA, the Health Insurance Portability and Accountability Act. The law, passed in 1996 and slowly phased into health care practices since, aims to protect patient privacy. HIPAA “strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing,” according to the Department of Health and Human Services. The potential for steep fines—and even public shaming, since providers must publicly disclose HIPAA violations—has led to many healthcare organizations taking an extreme interpretation of the law.

However, HIPAA policy is clear that the act is not meant to stand in the way of family members finding out about their loved ones. The Health and Human Services website specifically says that medical professionals can notify family members about a patient when the patient agrees “or does not object.” In fact, even if a patient is unresponsive, a medical professional can notify family of their condition “when, in exercising professional judgment, determines that doing so would be in the best interest of the patient.”

HHS maintains a whole page of frequently asked questions regarding medical disclosure to family and friends, and in almost every case the answer is “Yes,” the disclosure is allowed. Confirming that a patient is in the hospital is not a HIPAA violation. Yet many hospitals still train staff to never disclose information over the phone. 

Continue reading here.

HIPAA violations are nothing to scoff at, but they should never come between worried family members and out-of-contact patients. Surely connecting patients with concerned family members is a part of putting patients first.
