Misunderstanding of Privacy Law at Virginia Tech

I’ve talked before about how front-line health care workers withhold information because they misunderstand privacy law (or sometimes use it as an excuse). Now it appears the same problem helped bring about the horrific Virginia Tech shootings earlier this year. The state panel investigating the incident has released its final report, which blames university officials for letting the mentally deranged student who perpetrated the shooting slip through the cracks because their misinterpretation of privacy laws made them believe they could not share information about him. In fact, as the report’s privacy chapter perfectly sums up:

The widespread perception is that information privacy laws make it difficult to respond effectively to troubled students. This perception is only partly correct. Privacy laws can block some attempts to share information, but even more often may cause holders of such information to default to the nondisclosure option — even when laws permit the option to disclose. Sometimes this is done out of ignorance of the law, and sometimes intentionally because it serves the purposes of the individual or organization to hide behind the privacy law. A narrow interpretation of the law is the least risky course, notwithstanding the harm that may be done to others if information is not shared.

Privacy statutes are far from perfect, of course — the report highlights some inconsistencies between the federal privacy laws governing health care (HIPAA) and education (FERPA). But the more significant flaw is a widespread system failure where institutional over-reaction to privacy statutes prevents even their most optimally balanced provisions from working properly. This risk-aversion surely is not based on over-enforcement. I believe it is still true that no one has ever been fined for violating HIPAA. It seems the problem is the complexity of the rules, both real and perceived. Maybe this report will kick-start efforts to solve that problem, but I’m not optimistic.

3 Responses to “Misunderstanding of Privacy Law at Virginia Tech”

  1. I have had very similar issues with trying to care for my parents. The pattern is for the providers is to protect the information and to “play it safe”.
    HIPAA has a clear exemption for family and in situations where the Health Care Provider feels it is in the best interest of the patient to release information. However, since there is a risk of suit if they DO expose the information and NO risk of suit for not revealing the information…. no information is released.

  2. I agree 100% with your standing on the issue. the misunderstanding of privacy laws played the role in the virginia tech shooting, and if proper action had been taken then we the shooting could have been avoided or prevented.

  3. HIPAA has a clear exemption for family and in situations where the Health Care Provider feels it is in the best interest of the patient to release information. so far is information is released.