Does the Healthcare privacy law work in practice?

Team HHS
Team HHS
Mar 4, 2019 · 6 min read

Have you ever tried to get your personal health care information from a health care provider, only to be frustrated by consent forms, lack of electronic communication, or simply outright refusal to comply? Often such excuses devolve into ‘We can’t do [your request here] because of HIPAA’, and such misinterpretations of the law are more common than you think.

Even if you’ve been spared from such experiences, you’ve probably still visited the doctor’s office at some point in the last 15 years and interacted with this piece of legislation. Remember that form they asked you to sign which you skimmed (or didn’t read at all)? Most of us know it as ‘that privacy rights thing’, and it’s actually a small part of a big piece of legislation called the Health Insurance Portability and Accountability Act (HIPAA).

What exactly is HIPAA? To start, it’s legislation, passed by congress in 1996, finalized in 2003, substantially amended in 2009 and further augmented in 2013, designed to protect and improve the healthcare system for all Americans. From its beginning, HIPAA has been marred by skepticism from the healthcare industry. Some skeptics saw it as another bureaucratic barrier to providing efficient healthcare, while others wondered how these complex rules and regulations could be effectively enforced. In the intervening years, the healthcare industry has had time to adapt but many of the early criticism still stand, and now joined by a growing list of tech-related complications.

Image for post
Image for post
How HIPAA is often perceived in our cultural consciousness. Cartoon retrieved from:

In fact, HIPAA constitutes five titles, but most people focus on Title II: HIPAA Administrative Simplification. Title II seeks to establish a national standard for the transfer of electronic records and ensure healthcare information databases are secure. This part of HIPAA is where most of the criticism is directed towards. It is also where we come in.

The Harvard Team

Image for post
Image for post
From Left to Right: Jen, Bobby, Amy, Manasi, Rridhee, David. Not pictured: Shannon, Benno

We are a team of five Harvard students in DPI-663: Technology and Innovation in Government, a Harvard Kennedy School field course where students conduct original research to design and solve real problems in government. This spring, we are partnering with Amy Gleason, Shannon Sartin, and Benno Schmidt, three members of the Digital Service at the U. S. Department of Health and Human Services. Together, we will be tackling the challenge of helping both patients and providers navigate this oft-misunderstood legislative labyrinth.

Jen Chen is a second-year Master in Public Policy (MPP) candidate at the Harvard Kennedy School (HKS). Jen hails from sunny island Singapore, where she will return to work in the government after graduation. Jen spent four years in East Asia (Beijing and Tokyo), focusing on regional affairs and trade relations. She is now focusing on digital governance and tech development at HKS.

David Leftwich is a first-year Master in Public Policy (MPP) candidate at the Harvard Kennedy School. Born and raised in Pittsburgh, PA, he graduated from the University of Pittsburgh in the spring of 2018. David has interned with USAID, the Hudson Institute, and the State Department. David hopes to focus on digital governance and bringing more user-centered design to policy.

Manasi Maheshwari is a sophomore at Harvard College studying computer science and economics. From Fremont, CA, she has interned for CA-D17 Congressman Ro Khanna’s congressional campaigns, and as a software engineer improving user experience with chatbots. She is interested applying technology to improve government practices with a focus on human-centered design

Rridhee Malhotra is a second year Master in Public Policy candidate at the Harvard Kennedy School. She is from India and before HKS worked for four and a half years with Government of India on the world’s largest digital identity program called Aadhaar to deliver public services and cut down corruption in supply chain. After Kennedy School, she hopes to build systems which effectively manage the trade-offs between risks and opportunities of collecting data.

Robert ‘Bobby’ Wang is a masters student at the Harvard Graduate School of Design. He came to the USA from his small home of New Zealand six years ago to pursue a degree in industrial design at RISD. Since graduating he has practiced as both a designer and engineer in the tech sector. He is now in grad school focusing on the intersection of humans and technology.

The Problem

Our client for the semester, the U.S. Department of Health and Human Services, framed the problem this way:

The HIPAA privacy rule was designed to provide patients with access to their entire medical history, while simultaneously protecting the patient from the unnecessary disclosure of their medical information. HIPAA, however, is often used as the justification for not sharing medical information — even when the patient is requesting their own medical history. From the perspective of patients and clinicians, why is a healthcare policy designed to increase the portability of a patient’s medical history also a roadblock to accessible and interoperable medical information?

Ready, Set, Go!

We wanted to experience potential issues with HIPAA firsthand, and we all attempted to retrieved our own health records. It was surprisingly simple to get our own health records online within minutes.

However, upon some reflection, we became wary that this ease comes from the privileged positions that we hold. We all have access to top-tier healthcare providers with quick and easy access to personal information. This was confirmed by Amy, our HHS collaborator. She pointed out that most Americans do not have access to such systems and have to call in, or even make in-person visits, to retrieve their medical information.

More importantly, Amy informed us that these databases are flawed. Often, they contain incomplete patient histories without the details of each doctor’s visit. Further, they do not always include visits to medical providers outside of their health care system. The process of transferring information between caregivers can also be difficult, and HIPAA has commonly been cited as a reason for the reluctance to transfer the patient’s information — even though HIPAA allows patient record transfer among physicians, if they are treating the same patient.

Image for post
Image for post
The Longwood Medical and Academic Area contains a number of medical and research institutions and will serve as a great resource in our research. Image retrieved from:

Moving Forward

Our next step is to talk with caregivers, administrators, doctors, patients, and researchers. Fortunately, we live in Boston, which has one of the highest concentrations of medical and research facilities in the country.

Do you have firsthand experience with HIPAA? Have you had challenges getting access to your medical information? Let us know by emailing at

You can also help us with our research by sharing your experiences and opinions on the healthcare system in this survey.

Team HHS

Written by

Team HHS

Team HHS

Written by

Team HHS

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store