Legal Hotline: HIPAA Directory Information

Legal Hotline: HIPAA Directory Information

PNA Legal Hotline

Q: I asked a hospital about the status of a man being treated for COVID. The hospital refused and said HIPAA prevents the release of all patient information.  Does HIPAA prevent hospitals from releasing any and all information about patients? Does the Right to Know Law apply to private hospitals? Does HIPAA restrict our ability to publish medical information?

A:  While HIPAA prohibits unauthorized release of individually identifiable health records, it permits the release of “directory information” about patients identified by name in certain circumstances. The Right to Know Law does not generally apply to private hospitals, and HIPAA does not apply to the news media.

The HIPAA Privacy Rule and corresponding regulations allow health care facilities like hospitals to release directory information about patients. Directory information can be disclosed when:

  1. The requester asks for the person by name;
  2. The patient has not restricted directory information;
  3. The hospital has provided its privacy policy to the patient, orally or in writing; and
  4. The patient has not opted out of the directory.

Directory information includes:

  1. Patient name;
  2. Location in the facility;
  3. Health condition expressed in general terms that does not communicate specific medical information about the individual; and
  4. Religious affiliation (available to clergy only)

HIPAA does not define what constitutes a health condition, but in general, hospitals typically use one of five terms to describe patients’ health conditions.  They are: undetermined, good, fair, serious, and critical.  Hospitals can also tell requesters that a patient was treated and released or if the patient is deceased, but hospitals typically do not do so before next of kin has been notified.

As noted above, patients can choose to opt out of the hospital directory, and in those cases, the hospital cannot release directory information. Similarly, the Right to Know Law does not generally apply to private hospitals because they are not included in the statutory definition of an “agency” covered by the law.

It is also important to understand that HIPAA is limited in its application. HIPAA only applies to “covered entities” as that term is defined by the law. A “covered entity” includes (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, insurance providers, pharmacies, physicians, and other health care providers who electronically transmit claims transaction information to a health plan are covered entities. HIPAA does not apply to any person or organization that is not a “covered entity” and some examples include first responders like law enforcement, fire departments and most government agencies. It is also important to note that HIPAA does not cover all medical information; it only applies to “individually identifiable health information” which is health information that can be linked to a specific person and health information that could be reasonably believed to identify an individual. See 45 CFR 46.160.103). Medical information and statistics that are not linked to a specific individual are not protected by HIPAA. For example, de-identified or aggregated data on infection rates or hospitalizations are not protected by HIPAA. Finally, it is important to remember that HIPAA does not apply to news media organizations, journalists or individuals choosing to share their own medical records, nor does it limit the media’s ability to publish information.

To learn more about HIPAA, read PNA’s HIPAA Guide for the Newsroom, found in the PNA Newspaper Handbook.

As always, this is not intended to be, nor should it be construed as, legal advice.  Please contact your newspaper’s attorney or the Legal Hotline at (717) 703-3080 with questions.