Hospitals and doctor offices are great settings for dramatic stories – doctors and their patients, as characters, offer lots of opportunity for conflict and resolution. Add some plot and themes and you have a hit show. A few of the popular television shows include House, Scrubs, ER, Grey’s Anatomy and Nurse Jackie – and there are many more!

It’s good television for another reason – medical care is a private experience so the opportunity to see and hear what is usually behind closed doors is fascinating. Believable, dramatic stories create huge audiences. Recently, a friend convinced me to watch some Grey’s Anatomy (Seasons 13 and 14) and I was struck by how many times HIPAA came up. Interestingly, sometimes they got it right! But not always.

Below are some examples of characters and plot lines related to patient privacy – these are fictional characters’ names from Grey’s Anatomy, an ABC drama still going strong after seventeen seasons.

Doctors Sharing PHI with Other Doctors

An ER doctor (April Kepner) was treating a pregnant patient who arrived in the emergency room in distress. The patient said “my baby has a heart condition and my Ob/Gyn doctor at this hospital is Arizona Robbins, could you page her?” The patient’s husband came in, and he was Dr. Kepner’s former fiancee. It was awkward. Dr. Robbins arrived, checked out the pregnant patient, decided surgery was needed, and sent her to the O.R. Dr. Kepner immediately confronted Dr. Robbins and asked “why didn’t you tell me you were treating my former fiancee’s wife?” Dr. Robbins replied, “Because of HIPAA – that is confidential”.

This is the correct answer. Although HIPAA permits health care providers to share protected health information (PHI) with other health care providers without authorization in some circumstances, this example is not one of those circumstances. Information may be shared between providers if it’s for the purpose of treatment, payment or health care operations. Since April Kepner, the ER doctor, had no part in treatment of the pregnant patient before she arrived in the ER, it would have been inappropriate for Dr. Robbins to tell her “By the way, your former fiancee’s wife is my patient.” After she arrived in the ER, the the doctors may freely discuss PHI if necessary for purposes of treatment, without the patient’s authorization.

Similar plot lines occur in other seasons. The ensemble cast of characters all know one another, with shared histories, friendships and romances, so casual conversations and gossip happen. But casual conversations between doctors about patients, if they’re for purposes of treatment, are permitted.

Speaking with Family and Friends

Dr. Maggie Pierce knew her mother was receiving breast reconstruction surgery at the hospital to be done by her colleague Dr. Jackson Avery. She is against the surgery, thinking it’s for vanity and unnecessary, and tries to talk to Dr. Avery about it. But he won’t tell Maggie that her mother actually has cancer and the surgery is part of her treatment. She is furious with Jackson when she finally learns the truth from her mother.

Dr. Jackson Avery was correct. Although HIPAA allows health care providers to share PHI with family and friends, this is only after the patient has had the opportunity to agree or object. The general rule is that it is the patient’s decision, and providers should ask the patient first. If the patient is unable to agree or object because they’re unconscious or incompetent, a provider may use their experience and professional judgment, follow the minimum necessary rule, and document it. In this example, Maggie’s mother had expressly asked her doctor not to tell Maggie.

Cybersecurity and Ransomware

One of the most dramatic and surprising episodes in Season 14 was about a ransomware attack on Grey-Sloan Memorial Hospital. Since 2017, ransomware in health care has grown exponentially, and in 2020 increased by 715% worldwide. The chaos of the coronavirus has also contributed to cybercrime including ransomware this year.

The episode aired in November, 2017, and got a lot of things right. The electronic health records became inaccessible, forcing staff to rely on pen and paper and person to person communication; the HVAC system was delivering heat instead of air conditioning and the combination lock to an internal blood bank storage room could not be opened. The cyber thieves demanded a $20 million ransom, in bitcoin, to release the hospital records. The FBI showed up and began a forensic investigation to discover the source. They urged the hospital not to pay the ransom.

What the show got right: Ransomware happens to hospitals and can make patient records inaccessible. Cyber thieves can also reach beyond patient records to any system connected to the internet – locks, HVAC systems, security systems and cameras are all part of the “internet of things” and are vulnerable to malware and manipulation through electronic system connections tied to the internet. The cyber thieves demand payment, but the FBI recommends that the hospital NOT pay the ransom. It’s a terrible choice.

What the show got wrong: A medical school intern who was an amateur hacker was able to reverse engineer the entire ransomware attack in short order and unlock all the patient records, the HVAC system and door locks. No ransom was paid. But ransomware attacks are not easy to reverse engineer, and the damage is usually severe, lasting days or weeks before records are recovered (if ever). The show never mentioned the importance of Risk Analysis – Risk Management, and the single most important step to prevent ransomware – daily data back up.

Health Privacy Matters

Even if they don’t always write accurately about HIPAA, television writers are showing us that health privacy matters. Television audiences value privacy and understand enough about HIPAA to see that health care providers grappling with privacy and security make mistakes.

Is Grey’s Anatomy a place to learn about HIPAA? No, because they may not get it right, but ABC is selling drama, not compliance, and sometimes a dramatic story requires some poetic license.

If you have questions about HIPAA, from any source, ask us at The HIPAA E-Tool®.

Free HIPAA Checklist
What best describes you?