Q: Does HIPAA prevent hospitals from releasing all information about patients? Does HIPAA restrict our ability to publish medical information?

A:  While HIPAA prohibits unauthorized release of individually identifiable health records, it permits the release of “directory information” about patients identified by name in certain circumstances, and HIPAA does not apply to the news media.

The HIPAA Privacy Rule and corresponding regulations allow health care facilities like hospitals to release directory information about patients. Directory information can be disclosed when: 

1. The requester asks for the person by name.                          
2. The patient has not restricted directory information.       
3. The hospital has provided its privacy policy to the patient, orally or in writing. 
4. The patient has not opted out of the directory. 

Directory information includes:

1. Patient name.
2. Location in the facility.
3. Health condition expressed in general terms that do not communicate specific medical information about the individual. 
4. Religious affiliation (available to clergy only).

HIPAA does not define what constitutes a health condition, but in general, hospitals typically use one of five terms to describe patient health conditions. They are: undetermined, good, fair, serious and critical. Hospitals can also tell requesters that a patient was treated and released or if the patient is deceased, but hospitals typically do not do so before next of kin has been notified.  

As noted above, patients can choose to opt out of the hospital directory, and in those cases, the hospital cannot release directory information. 

It is also important to understand that HIPAA is limited in its application. HIPAA only applies to “covered entities” as that term is defined by the law. A “covered entity” includes (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, insurance providers, pharmacies, physicians, and other health care providers who electronically transmit claims transaction information to a health plan are covered entities. HIPAA does not apply to any person or organization that is not a “covered entity” and some examples include first responders like law enforcement, fire departments and many government agencies. 

It is also important to note that HIPAA does not cover all medical information; it only applies to “individually identifiable health information,” which is health information that can be linked to a specific person and health information that could be reasonably believed to identify an individual. See 45 CFR 46.160. Medical information and statistics that are not linked to a specific individual are not protected by HIPAA. For example, de-identified or aggregated data on infection rates, diagnoses or hospitalizations are not protected by HIPAA.

Finally, it is important to remember that HIPAA does not apply to news media organizations and journalists, nor does it limit the media’s ability to publish information. The law also does not apply to individuals choosing to share their own medical records or health information.

To learn more about HIPAA, read PNA’s HIPAA Guide for the Newsroom, found in the “PNA Newspaper Handbook.” 

As always, this is not intended to be, nor should it be construed as, legal advice.  Please contact your news organization’s attorney or the PNA Legal Hotline at (717) 703-3080 with questions.