I’ve talked before about how front-line health care workers withhold information because they misunderstand privacy law (or sometimes use it as an excuse). Now it appears the same problem helped bring about the horrific Virginia Tech shootings earlier this year. The state panel investigating the incident has released its final report, which blames university officials for letting the mentally deranged student who perpetrated the shooting slip through the cracks because their misinterpretation of privacy laws made them believe they could not share information about him. In fact, as the report’s privacy chapter perfectly sums up:
The widespread perception is that information privacy laws make it difficult to respond effectively to troubled students. This perception is only partly correct. Privacy laws can block some attempts to share information, but even more often may cause holders of such information to default to the nondisclosure option — even when laws permit the option to disclose. Sometimes this is done out of ignorance of the law, and sometimes intentionally because it serves the purposes of the individual or organization to hide behind the privacy law. A narrow interpretation of the law is the least risky course, notwithstanding the harm that may be done to others if information is not shared.
Privacy statutes are far from perfect, of course — the report highlights some inconsistencies between the federal privacy laws governing health care (HIPAA) and education (FERPA). But the more significant flaw is a widespread system failure where institutional over-reaction to privacy statutes prevents even their most optimally balanced provisions from working properly. This risk-aversion surely is not based on over-enforcement. I believe it is still true that no one has ever been fined for violating HIPAA. It seems the problem is the complexity of the rules, both real and perceived. Maybe this report will kick-start efforts to solve that problem, but I’m not optimistic.