HIPAA Guide for the Newsroom
What is HIPAA?
The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs. The Act also requires “covered entities” to protect the privacy of individuals’ medical information, and imposes significant penalties on those entities that violate the law. Violators can be sentenced up to 10 years in prison and fined up to $250,000 in criminal penalties.
The U.S. Department of Health and Human Services has issued privacy regulations under HIPAA. These regulations will affect your ability to gather information that relates to a person’s medical condition, and will likely impact stories about accidents, disasters, or an individual’s health. The HIPAA privacy rule went into effect on April 14, 2003 and will significantly restrict what healthcare workers can tell you about a patient, unless the patient consents.
What are “covered entities”?
Covered entities include:
- EMTs/Ambulance services
- Health Plans – HMOs, insurers, Medicare and Medicaid
- Health care clearinghouses – billing services, etc.; and
- Other health care providers who elect to transmit claim information electronically.
Does HIPAA apply to the news media?
The law does not directly apply to the news media (unless a media employer acts as a health plan or healthcare provider – by offering onsite medical care, for example; or a reporter works for a publication that is covered – such as a hospital newsletter).
Are police and fire departments restricted by HIPAA regulations?
It is important to remember that police and fire departments are not covered by HIPAA. You should continue to use these resources to gather public information about accidents and other incidents. Ordinary witnesses to accidents and events are likewise not covered by HIPAA.
Can I contact a patient or his/her family directly?
You can also continue to seek an individual patient’s permission for an interview and may contact the patient’s family for more information. Obviously, each hospital has its own rules about patient access. You should be familiar with these rules when visiting the hospital. The American Hospital Association has recommended that all media personnel be “escorted” by hospital personnel while they are in the hospital.
What does HIPAA require covered entities to do?
Under the new rules, covered entities must:
- Provide all patients with their information policies;
- Refuse to respond to requests for any detailed medical information, unless the patient expressly consents; and
- Allow patients to opt out of patient directories entirely.
How will the new rules affect what information I can get from a hospital?
Among other things, the HIPAA privacy regulations prescribe the conditions under which hospitals may (and may not) release information about patients to the public--including the news media. Generally speaking, healthcare providers and other “covered entities” must get written authorization from an individual before disclosing health information.
In some instances, hospitals can still provide “Directory Information” about an individual patient without that patient’s express authorization.
Directory Information can be disclosed when:
- The reporter asks for the person by name;
- The patient has not restricted directory information;
- The patient has not opted out of directory.
What is “Directory Information”?
Directory Information includes a patient’s:
- Location in facility; and
- Condition in general terms that does not communicate specific medical information.
What about getting information when a patient is incapacitated?
The general rules are as follows:
- In order to inquire about the condition and/or location of a patient, you must know the individual’s name.
- If the patient has not requested (or is unable to request) that information be withheld, the hospital may, in many circumstances (but is not required to), release the patient’s one-word condition and location without prior authorization from the patient.
What if a patient has “opted out” of the Directory?
If the patient has requested that the hospital not release any information (including even that the patient is in that hospital), the hospital will not even confirm that the patient is in the hospital (and will obviously not disclose additional information).
What can I do to work with the hospitals in my area?
As hospitals adopt and enforce their own “patient privacy” policies, reporters may encounter additional obstacles in gathering and reporting on these issues. All reporters should contact any hospitals and ambulance services that they cover to obtain a copy of their privacy policies.
CAUTION: HIPAA “agreements” are being presented to news organizations.
Another important HIPAA issue involves “business associate agreements” between healthcare providers (or “covered entities”) and certain organizations that receive information from these entities. Under HIPAA, "covered entities" (such as hospitals) are required to have contractual agreements with organizations that receive patient information from these entities. They are intended to protect patients’ privacy, by obligating these third-party organizations to protect the privacy of this information.
The National Newspaper Association has informed us that the University of Wisconsin health system has asked numerous newspapers--and the Wisconsin Newspaper Association --to sign a “business associate agreement” under HIPAA. Signature is requested as a condition of receiving advertising. Presumably, the health system is simply sending the request to all vendors in its payables files.
Please view these with caution. There is no reason for a newspaper advertising department to receive protected patient information (unless the hospital is using patient information to advertise services, in which case there are numerous other legal questions on the hospital’s end). The agreement, however, will be binding upon an entire newspaper, not just upon the advertising department. Newspapers that are not otherwise directly affected by HIPAA may inadvertently bring themselves under obligation by signing these contracts.
Please contact the Pennsylvania Newspaper Association’s Legal Hotline at (717) 703-3080 or your own attorney if have any questions regarding this issue, or if you receive any similar “agreement” from a healthcare provider. Do not sign anything without getting legal advice.
Remember: Absent a contract to the contrary, Pennsylvania’s newspapers are not subject to HIPAA’s requirements; the burden of compliance rests on the healthcare personnel.
Where can I go for more information?
For more information on HIPAA and how it will affect the newsroom, feel free to contact the PNA’s legal hotline at (717) 703-3080. Additional information is also available at the U.S. Department of Health and Human Services, Office for Civil Rights http://www.hhs.gov/ocr/hipaa/.