Comparing the federal privacy laws

Unlike with FERPA, reporters aren’t calling for a congressional “fix” of HIPAA. Since the real issue appears to be misinterpretation and misapplication of the law, Ornstein said health facilities need further education and retraining about what HIPAA does and does not do.

But LoMonte said FERPA and HIPAA have some troubling similarities. “In both cases there are widespread misperceptions about what is and isn’t covered, and the cultural norm has become, when in doubt, to disclose nothing,” LoMonte said.

Even though HIPAA only applies to disclosures by health care providers and health insurers, “the idea has become stuck in the general public’s heads that anything referring to someone’s health is confidential,” said LoMonte, who has heard of photographers being banned from taking a picture of an athlete’s leg being taped up in the locker room because the school thinks that violates HIPAA. Still, LoMonte said the frequency of those misinterpretations “really pales in comparison” to FERPA.

While both FERPA and HIPAA are frequently misapplied, the DPPA leaves less room for misinterpretation. “The DPPA is so laser-focused on driver license and registration records, there’s less room for subjective judgment calls,” LoMonte said. “We rarely hear of someone being falsely told that a record is secret under DPPA. If DPPA was invoked, unlike FERPA, it’s usually because DPPA actually does apply.”

Both FERPA — with its roots in protecting schoolchildren from embarrassment based on 1970s social science research — and DPPA, which many argue is obsolete in the information-age of the Internet, protect against harms that some see as only a theoretical risk. HIPAA, on the other hand, stems from the widespread and current abuse of patient health information.

“The issue of hacking into financial, insurance and health information by doctors and nurses who should know better is very real and that shouldn’t happen,” Ornstein said. When institutions are faced with these legitimate concerns about privacy, they are often more likely to err on the side of nondisclosure, which makes journalists’ newsgathering especially difficult.

“What all three statutes also have in common is that they have generated such a pervasive fear of the results of non-compliance that impacted institutions would much rather risk a suit under the relevant public records statute than to disclose information covered by either of the three statutes,” Harry Hammitt, vice president of the Virginia Coalition for Open Government, wrote in a report on federal controls of information disclosure.