HIPAA – I Do Not Think That Word Means What You Say It Means
Whenever someone tells you they are required to do something under HIPAA, they are usually wrong. And whenever they tell you they are not permitted to do something because of HIPAA, they are also usually wrong. The best advice with respect to HIPAA is usually: “I do not think that word means what you think it means.”

That observation moves from clever aphorism to operational reality when you look at how healthcare systems are actually designed—and how poorly understood the underlying law often is.

A recent episode of The Pitt (Season 2, Episode 12) offers a near-perfect illustration. A patient in the emergency department assaults a nurse. Subsequent lab work reveals the presence of alcohol and cocaine, and the patient admits to recent use—what he casually describes as a few “birdie bumps.” The legal question is straightforward: May that information be disclosed to law enforcement without a warrant?

What is striking is not the legal answer. It is the lack of consensus about what the answer even is.

I posed that exact scenario to two experienced emergency physicians. Their conclusions could not have been more different. One was adamant that disclosure of the lab results and the patient’s admission would be prohibited absent a need to prevent imminent harm. The other was equally certain that disclosure was mandatory in connection with the assault. Same facts. Same statute. Completely divergent interpretations. Tomayto, tomahto.

This is not a failure of intelligence or training. It is a reflection of how HIPAA actually works.

The HIPAA Privacy Rule, codified at 45 C.F.R. pt. 164, is not a simple prohibition on disclosure. It is a conditional permissions framework layered on top of other legal regimes. It permits disclosures to law enforcement in defined circumstances, including reporting crimes on the premises. 45 C.F.R. § 164.512(f)(5). It permits disclosures to prevent or lessen serious and imminent threats. 45 C.F.R. § 164.512(j). It incorporates a “minimum necessary” standard. 45 C.F.R. § 164.502(b). And it coexists with more restrictive laws, including 42 U.S.C. § 290dd-2 governing substance use disorder records, as well as a patchwork of state reporting statutes.

None of this resolves cleanly into “must disclose” or “must not disclose.” In most cases, HIPAA answers a narrower question: when may you disclose? Whether you must disclose—or whether you are prohibited from doing so—often depends on entirely different laws. We also have to consider mandatory disclosure laws and the difference between HIPAA and doctor-patient privilege.

Courts have repeatedly emphasized this distinction. In Northwestern Memorial Hospital v. Ashcroft, 362 F.3d 923, 925–26 (7th Cir. 2004), the court made clear that HIPAA is not an evidentiary privilege but a regulatory scheme governing disclosures. The Department of Health and Human Services likewise stresses that the Privacy Rule is designed to facilitate appropriate information sharing, not to block it reflexively. See U.S. Dep’t of Health & Human Servs., Summary of the HIPAA Privacy Rule.

All of which would be manageable if this were merely a legal debate. It is not.

Healthcare security and authentication systems—access controls, identity verification, audit logging, and data segmentation—are routinely engineered around the concept of “HIPAA compliance.” But those systems depend on the assumption that the underlying rules are understood and can be translated into deterministic logic.

They cannot.

Engineers want binary conditions: allow or deny. HIPAA provides contextual standards: permitted if necessary, appropriate, and consistent with overlapping legal obligations. When you attempt to encode that into a system, you are forced into over-simplification. Either the system becomes overly restrictive—blocking disclosures that are legally permissible—or overly permissive—allowing disclosures that expose the organization to liability.

In practice, most institutions default to restriction. It is safer to say “no” and invoke HIPAA than to risk a questionable disclosure. But that defensive posture has its own costs: impaired coordination with law enforcement, delayed responses to safety incidents, and a culture in which “HIPAA” is used as a shorthand excuse rather than a legal analysis.

The Pitt scenario exposes the deeper flaw. If two experienced emergency physicians cannot agree on whether disclosure is permitted or required, what exactly is a “HIPAA-compliant” system supposed to enforce?

The answer, increasingly, is that it enforces a caricature.

Rather than implementing the nuanced permissions of 45 C.F.R. § 164.512, systems encode simplified proxies: flags for “law enforcement request,” rigid role-based access controls, and blanket prohibitions on certain categories of data. These proxies may approximate compliance, but they do not reflect the law itself. They reflect an institutional interpretation of the law—often the most conservative one. When I was at the DMV in Maryland and attempted to get a copy of my eye exam from one of the large chain optometrists, I was told I could not get it by fax or email because of HIPAA. I do not think that word means what you think it means.

The result is a kind of compliance theater: systems that are labeled “HIPAA-compliant,” users who believe they are constrained by rules that do not exist, and disclosures that are either improperly withheld or improperly made.

The solution is not to abandon compliance, but to reconceptualize it. HIPAA should be treated as one input into a broader governance model—one that accommodates context, integrates other legal requirements, and recognizes that some decisions cannot be reduced to code. Systems should support informed decision-making, not attempt to replace it.

Until that happens, we will continue to see what The Pitt dramatizes so effectively: not just medical crises, but legal ambiguity—played out in real time, by professionals who are doing their best to navigate a statute that is far more permissive, and far more complex, than most people realize.

Which brings us back to the adage. When someone invokes HIPAA to explain why they must act—or cannot act—the correct response is skepticism. Not because HIPAA is unclear, but because it is rarely understood in the way it is being invoked.

And building systems on top of that misunderstanding is, at best, imprecise—and at worst, indefensible. We need a lawyer in Room 12. Stat.
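To make the design argument concrete, here is an added example (not code from the post, and not any hospital's actual system) contrasting the "law enforcement flag" proxy the post criticizes with a disclosure-decision engine that treats HIPAA as one input among several. Instead of a bare allow/deny, the engine returns a structured decision: which Privacy Rule provision could permit the disclosure, which more restrictive regime may apply, what survives the minimum-necessary standard, and whether a privacy officer or counsel must make the final call. The only citations used are the ones the post names; the request and record shapes, the element names, the minimum-necessary sets (which a covered entity's privacy office would have to define) and the `sud_program_record` flag are all assumptions. Whether a given ED record is in fact subject to 42 U.S.C. § 290dd-2, and whether the Pitt disclosure is permitted or required, are exactly the questions the post leaves open, so the engine takes the flag as an input and escalates rather than deciding them.

```python
"""Illustrative disclosure-decision engine (added example, not from the post).

Contrast: legacy_proxy() is the binary caricature; evaluate() returns a
Decision carrying the basis, restrictions, scoped fields and rationale, and
escalates to human review when an overlapping regime may apply.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Outcome(Enum):
    DENY = "deny"                    # no permitting provision matched
    PERMIT_SCOPED = "permit_scoped"  # permitted; release only the scoped elements
    REVIEW = "review"                # a provision may permit it, but another regime may restrict it


@dataclass(frozen=True)
class Request:
    requester: str       # e.g. "law_enforcement", "insurer" (assumed labels)
    purpose: str         # e.g. "crime_on_premises", "imminent_threat" (assumed labels)
    has_warrant: bool
    fields: frozenset    # data elements sought


@dataclass(frozen=True)
class Record:
    patient_id: str
    sud_program_record: bool  # set by the records system; the engine does not decide this legal question
    fields: frozenset         # data elements actually present


@dataclass
class Decision:
    outcome: Outcome
    permitting_basis: Optional[str]
    restrictions: list = field(default_factory=list)
    released_fields: frozenset = frozenset()
    rationale: list = field(default_factory=list)


# Assumed institutional configuration: what the privacy office treats as
# "minimum necessary" (45 C.F.R. § 164.502(b)) per purpose. The rule states
# the standard; the covered entity has to decide these sets.
MINIMUM_NECESSARY = {
    "crime_on_premises": frozenset({"patient_name", "incident_description", "patient_location"}),
    "imminent_threat": frozenset({"patient_name", "threat_description", "patient_location"}),
}
# Assumed element names that, on a flagged record, bring 42 U.S.C. § 290dd-2 into play.
SUD_SENSITIVE = frozenset({"toxicology", "substance_use_admission"})


def legacy_proxy(req: Request) -> Outcome:
    """The simplified proxy: one flag, one blanket rule, no citation, no escalation path."""
    if req.requester == "law_enforcement" and not req.has_warrant:
        return Outcome.DENY
    return Outcome.PERMIT_SCOPED


def permitting_basis(req: Request) -> Optional[str]:
    """Map request context to the Privacy Rule provision that *may* permit it."""
    if req.purpose == "imminent_threat":
        return "45 C.F.R. § 164.512(j)"
    if req.requester == "law_enforcement" and req.purpose == "crime_on_premises":
        return "45 C.F.R. § 164.512(f)(5)"
    return None


def evaluate(req: Request, rec: Record) -> Decision:
    """Return a structured decision instead of a bare allow/deny."""
    basis = permitting_basis(req)
    if basis is None:
        return Decision(Outcome.DENY, None, rationale=["no Privacy Rule provision matched requester/purpose"])
    d = Decision(Outcome.PERMIT_SCOPED, basis, rationale=[f"candidate permitting provision: {basis}"])
    # Minimum necessary: what was asked for, that exists, that policy allows for this purpose.
    allowed = MINIMUM_NECESSARY.get(req.purpose, frozenset())
    d.released_fields = req.fields & rec.fields & allowed
    dropped = (req.fields & rec.fields) - allowed
    if dropped:
        d.rationale.append(f"withheld under minimum necessary (45 C.F.R. § 164.502(b)): {sorted(dropped)}")
    # Overlapping, more restrictive regime: do not auto-decide; escalate with both citations attached.
    if rec.sud_program_record and (req.fields & SUD_SENSITIVE):
        d.outcome = Outcome.REVIEW
        d.restrictions.append("42 U.S.C. § 290dd-2 (substance use disorder records)")
        d.rationale.append("SUD-flagged elements requested; privacy officer/counsel decides before release")
    return d


def audit_entry(req: Request, rec: Record, d: Decision) -> dict:
    """What the audit log should capture: basis, restrictions and scope, not just a verdict."""
    return {"patient_id": rec.patient_id, "requester": req.requester, "purpose": req.purpose,
            "outcome": d.outcome.value, "permitting_basis": d.permitting_basis,
            "restrictions": list(d.restrictions), "released_fields": sorted(d.released_fields),
            "rationale": list(d.rationale)}


# Constructed scenario modelled on the post's ED example: a warrantless law-enforcement
# inquiry about an assault on staff, asking for the toxicology result and the admission too.
PITT_REQUEST = Request("law_enforcement", "crime_on_premises", False,
                       frozenset({"patient_name", "incident_description", "toxicology", "substance_use_admission"}))
ED_FIELDS = frozenset({"patient_name", "incident_description", "patient_location", "toxicology", "substance_use_admission"})
FLAGGED_RECORD = Record("ED-EXAMPLE-12", sud_program_record=True, fields=ED_FIELDS)    # assumption for the demo
UNFLAGGED_RECORD = Record("ED-EXAMPLE-13", sud_program_record=False, fields=ED_FIELDS)  # assumption for the demo

if __name__ == "__main__":
    print("legacy proxy:", legacy_proxy(PITT_REQUEST).value)
    for rec in (FLAGGED_RECORD, UNFLAGGED_RECORD):
        print(audit_entry(PITT_REQUEST, rec, evaluate(PITT_REQUEST, rec)))
```

The proxy answers "deny" and stops; the engine answers with a candidate provision, the elements that survive minimum necessary, and, for the flagged record, a review outcome that carries the conflicting citations to the person who actually has to make the call. That is what "support informed decision-making, not replace it" looks like in code: the ambiguity the post describes is preserved and routed, not papered over with a flag.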
