
In the United States we have HIPAA regulations in place to (among other things) prevent healthcare providers, insurance providers, and any other entity that handles medical information from leaking patient information.

From my experience with various HIPAA certifications, it seems pretty stringent. No leak is too small.

So how is it legal for a healthcare provider to pair up two or more patients in a single room, when they are under inpatient care for several days?

I ask this because I recently stayed in the hospital for 2 nights. Never spoke one word to the old guy I was roommates with. When I was discharged, I knew the following details about him:

  • his full name
  • his DOB
  • his medical record # (if I felt like writing it down)
  • some of his prior health history (he fought, and won, a battle with colon cancer)
  • the reason he was in the hospital now (hasn't pooped in over a week)
  • current health concerns (doctors wanted to do a biopsy to make sure the colon cancer wasn't back)

These were all details given verbally by one or many different doctors or nurses over the course of my 3 days, 2 nights in the hospital.

Of course, I'm sure he knows a lot of my details now, too, for the same reason - we were inpatient roommates in the hospital and the doctors used no discretion when discussing my condition.

So how is this legal?

feetwet
Adam Plocher

2 Answers


As a short answer, guidance from the Department of Health and Human Services has clarified that HIPAA does not require hospitals to provide separate rooms.

As a longer answer, HIPAA is very deeply misunderstood. It does not prohibit "leaking" patient information; it prohibits unreasonable and unpermitted disclosures of protected health information (PHI).

Among the PHI disclosures that are permitted are uses that are for the purpose of delivering medical treatment. Of course, the covered entity (in this case, the hospital) is required to take reasonable measures to safeguard that information.

One of the areas that trips people up is figuring out exactly what it is we're safeguarding that information from. A lot of people assume that HIPAA imposes an absolute rule against disclosure of PHI, but it's more accurate to say that HIPAA requires reasonable safeguards against the unauthorized use of PHI.

With that standard in mind, it becomes easier to see why you don't need to universally separate patients. In all likelihood, neither you nor your roommate is likely to use the other's PHI in any way not allowed under HIPAA. We can look at your question as proof: You've disclosed a person's health condition and medical history, but you were a reasonable person and omitted the man's name, birth date, record number, and anything else that might allow us to link that information to an individual.

Hospitals -- and the law -- recognize that most people have no interest in a random stranger's medical information, let alone plans to do something nefarious with it. Because there isn't much of a threat there, the hospital isn't required to take exhaustive measures to protect the information. But when you put all that information for every patient for every doctor for every department for every hospital into a single database, the information starts getting a lot more valuable. That's why there are much tighter regulations surrounding protection of electronic records.

Of course, the roommate situation might be different if the hospital had a patient that they somehow knew had a history of identity theft or even a history of disclosing PHI. I've never heard of this happening, but I'd imagine that that knowledge would require the hospital to either segregate that patient or otherwise take extra care to avoid disclosing any information about a roommate.

bdb484


Aside from all else, it's a matter of practicality. For instance ADA requires government facilities to be wheelchair accessible, but many stations in the NYC subway are not because it's impossible - or to be more precise, impracticable.

Your thesis that HIPAA requires separate rooms would require either a) that hospitals instantly slash their capacity by 50% (or more in the case of 3+ per room); or b) massive construction work, effectively the rebuilding of every hospital. It simply cannot be done.

Impracticability is a defense to pretty much everything.

Of course some would try, and potentially bankrupt themselves doing so... so Congress tends to cover that by codifying the fact that they don't have to do something that's impracticable. That's why ADA notches out exceptions for too-difficult projects, and HIPAA notched out an exception for shared rooms.

Harper - Reinstate Monica