Freedom of Information

RTNDA'S GUIDE TO HEALTH COVERAGE UNDER HIPAA

Kathleen Kirby, RTNDA counsel

As a service to its members, the Radio-Television News Directors Association has prepared answers to the most frequently asked questions about HIPAA.

By now, many reporters have been denied access to medical information by parties citing HIPAA. While the HIPAA regulations do, in fact, limit the ability of many knowledgeable sources to discuss medical information, in the seven months since the HIPAA compliance deadline passed, it has become increasingly clear that the complex rule is being used to prevent the disclosure of newsworthy information even where it does not apply. Familiarizing yourself with the HIPAA basics may help you recognize situations in which HIPAA is being too broadly applied, and will help you educate your sources and operate within HIPAA requirements.

Q. What is HIPAA?
A. HIPAA is an acronym that stands for the "Health Insurance Portability and Accountability Act of 1996." HIPAA's medical privacy regulations govern the use and release of a patient's personal health information, also known as "protected health information" by "covered entities." The statute imposes serious criminal restrictions on dissemination of certain protected health information. The Department of Health and Human Services adopted regulations implementing HIPAA that essentially took effect in April 2003. In the event state law is more restrictive than the HIPAA privacy regulations, state law will apply.

Q. Who is considered a covered entity and subject to fines and penalties under HIPAA?
A. All health care providers, including hospitals, physicians and emergency medical or ambulance personnel, as well as health plans and health care clearinghouses, that transmit protected health information in electronic form are considered covered entities. Business associates of these entities (such as accountants, consultants, lawyers, managers, etc.) also are required to keep protected health information confidential.

Q. Are law enforcement agencies covered by HIPAA?
A. Police, firefighters and other law enforcement agencies are NOT considered covered entities under HIPAA. HIPAA does not extend, for example, to police incident reports, fire incident reports, court records, records of agencies that do not provide healthcare or insure healthcare, autopsy or any records which an individual has authorized to be disclosed.

Q. What if my fire department has an ambulance service?
A. Fire departments that provide ambulance or emergency medical services may consider themselves to be "hybrid entities" under HIPAA, and assume that no one in the department is allowed to talk to anyone, ever. If this is the case, you should approach your department about setting up procedures that allow the fire chief and/or the public information officer to get information without getting it from the people who are providing emergency medical services.

Q. Are family members and witnesses covered by HIPAA?
A. No. HIPAA only applies to health care providers who compile protected health information electronically and bill patients for their services, and their business associates. Family members, and even Good Samaritans, can provide information without running afoul of HIPAA.

Q. Are journalists covered entities under HIPAA?
A. No! A journalist who lawfully obtains or discloses protected health information does not violate HIPAA. Remember, however, that just because HIPAA does not apply does not mean that journalists who obtain and disclose medical information may not be liable under (depending on the circumstances) other causes of action, such as invasion of privacy.

Q. Can protected health information ever be released to journalists by a covered entity?
A. Protected health information can be released with the patient's consent. (In certain circumstances it also can be released to law enforcement, public health and disaster agencies.)

Q. What is directory information and can it be released to the media under HIPAA?
A. Under HIPAA, hospitals may maintain a directory including a patient's name, location in the hospital, general condition and religious affiliation. If a hospital maintains such a directory, patients must be given the opportunity to object to or restrict the use or disclosure of this information. In no event may information concerning a patient's religious affiliation be released, except to the clergy. Other directory information may be released only if the media or the public asks for the patient by name and only after the patient has been given the opportunity and consented to the release of directory information.

Q. If a patient has opted not to restrict information, what kinds of condition information may be disclosed?
A. If HIPAA privacy standards are met, information, such as general condition information (information that does not communicate specific information about the individual) may be released. The American Hospital Association recommends, and many hospitals are using, the following terms:
Undetermined - Patient awaiting physician and assessment.
Good - Vital signs are stable and within normal limits. Patient is conscious and comfortable. Indicators are excellent.
Fair - Vital signs are stable and within normal limits. Patient is conscious but may be uncomfortable. Indicators are favorable.
Serious - Vital signs may be unstable and not within normal limits. Patient is acutely ill. Indicators are questionable.
Critical - Vital signs are unstable and not within normal limits. Patient may be unconscious. Indicators are unfavorable.
Treated and Released - Patient received treatment but was not admitted.
With written authorization from the patient, a more detailed statement regarding a patient's condition and injuries or illness can be released.

Q. What about patients who are unconscious or otherwise unable to give advance consent for release of their information?
A. In situations where the opportunity to object to or restrict the use or disclosure of information cannot be provided because of an individual's incapacity, a covered entity may use or disclose protected health information if the use and disclosure is: (1) consistent with a prior expressed preference of the individual, if any, that is known to the covered entity; and (2) in the individual's best interest as determined by the covered entity, in the exercise of professional judgment. Both conditions (1) and (2) must apply for a provider to release patient information under HIPAA if the patient is incapacitated.

Q. Is there a HIPAA exemption for public figures or public officials?
A. No.

Q. Can a hospital prohibit reporters from taking photos or video under HIPAA?
A. The general rule applies that hospitals have no right to restrict photographers who are on public property from taking photos. There may be rules that prevent the taking of still pictures or video within a hospital, but photographers would not be liable under HIPAA for doing so.

Q. Can a hospital confirm that a patient has died?
A. If the patient is still within the facility, then it is arguable that death is a condition that may be disclosed as part of the directory information. If the deceased patient has been removed from the hospital, then the hospital must obtain a signed authorization from the patient's personal representative to release information about the patient's death.

Q. If protected health information contained in a public record is transferred to a covered entity, does it become confidential?
A. State public record laws remain in effect-the public record and the information in it remains public. You just won't be able to get it from the covered entity.

Q. Do restrictions on the release of patient information change if a disaster occurs?
A. Hospitals or other covered entities, pursuant to the HIPAA privacy standards, may disclose protected health information to a public or private entity authorized by law or its charter to assist in disaster relief efforts. Protected health information also may be released to these types of organizations for the purpose of coordinating with such entities in contacting a family member, personal representative or person directly responsible for a patient's care.

Q. How does HIPAA apply to minor children?
A. Minor children may have information released with the consent of a parent or legal guardian, in accordance with the guidelines listed above. Minors who are authorized to consent to specific medical procedures under state law retain control over the use and disclosure of protected health information.

Q. How are violations enforced?
A. Violations will be enforced on a complaint basis by the U.S. Department of Health and Human Services' Office of Civil Rights.

Q. What are penalties for violations of HIPAA?
A. The government may impose civil and criminal penalties of as much as $50,000 and/or imprisonment for as long as one year. If the offense is one of disclosure under false pretenses, the fine is a maximum of $100,000 and/or imprisonment for as long as five years. If the offense is committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm, the fine is a maximum of $250,000 and/or imprisonment for as long as 10 years. These penalties apply to those entities covered by HIPAA, not to journalists.

Q. Are there other restrictions on the release of patient information, in addition to those imposed by HIPAA?
A. In addition to the limitations on release of protected health information imposed by the HIPAA privacy standards, state and federal law also may impose specific limitations. For example, some states prohibit the release of information concerning HIV/AIDS status, family planning, or drug or alcohol treatment.

Q. What has RTNDA done about HIPAA?
A. Many journalists were not aware of HIPAA until they began encountering obstacles in gathering information surrounding health care earlier this year. But RTNDA and other journalism organizations sensed the potential impact HIPAA could have on reporting well before the Department of Health and Human Services (HHS) published its final HIPAA rules. RTNDA submitted extensive comments regarding the proposed regulations, saying approval would stifle reporting on issues including crime, public health and the hospital industry, and asking for specific accommodations for reporting. On several occasions, RTNDA met with HHS staffers working on the revised rules to underscore how the rules as proposed would impede the public's right to know and should be revised significantly. While the final version of the privacy rule recognizes "the important role performed by newspapers and other media in reporting on public health issues and the health care system," no accommodations were made for the newsgathering process.

RTNDA, in cooperation with numerous journalism organizations, continues to meet with government officials to make the case that the fears cited prior to the rule's adoption about its significant impact on journalists were well-founded, and have been proven true. We collect examples from our members that demonstrate how the HIPAA privacy rule is crippling their ability to report on important issues for use in our lobbying efforts. RTNDA has asked HHS to publish official guidance to stem the tide of nondisclosures that are based on misreadings of HIPAA. RTNDA will continue to work to have the rules amended, and to support legislation that would offer specific protections to whistleblowers.

RTNDA continues to assist and educate its members about HIPAA, so that journalists can successfully combat those instances in which information is withheld because of a misunderstanding of the law's requirements or a fear of inadvertently violating the new restrictions. Journalists can report problems to RTNDA at 800.80.RTNDA.

Q. What can journalists do about HIPAA?
A. Work with your local law enforcement agencies, hospitals, medical associations, etc. to reach an informed understanding about what HIPAA actually requires, not what it is rumored to require. Challenge nondisclosures-don't accept blanket refusals to disclose information based on HIPAA. Ask, "Where in the law does it say you are prohibited from releasing that information?" Report about how HIPAA is limiting your ability to gather news and getting in the way of the public's right to know-cite public health and safety examples. Find alternate sources.