The Health Insurance Portability and Accountability Act was enacted nearly 20 years ago to make reporters gnash their teeth. Not quite, presenters at Health Journalism 2015 in Santa Clara, Calif., told their audience.
HIPAA, as it was birthed into law in 1996, was intended to make it easier for people to keep their health insurance when they change jobs. The law set standards for the electronic exchange of patient information, including protecting the privacy of such records. The U.S. Department of Health and Human Services issued the Privacy Rule to implement that aspect of the law, and its Office of Civil Rights is in charge of enforcing it.
The Privacy Rule, which went into effect in April 2003, has made it more difficult for reporters to get information about individuals’ health care, such as the names and condition of accident victims. Hospital employees and reporters not well informed about the law make things even harder.
It is important to remember some key points about HIPAA and other patient privacy laws, presenters said:
- Hospitals are legally obligated to protect patient privacy, and can suffer consequences in failing to do so.
- States may have additional, stricter privacy laws, particularly for issues such as abortion, mental illness and HIV.
- An open and ongoing relationship with hospital public relations staff or privacy officers is key to getting whatever information can be disclosed.
- Showing respect for the patient should be every reporter’s goal.
HIPAA was not initially rolled out well, said Irene Wielawski, independent health care journalist and moderator for “HIPAA: The ins, the outs and how to navigate” at Health Journalism 2015.
Patient privacy rules don’t only affect journalists, she said, “it affects families.”
Wielawski speaks from personal experience. When her college-aged daughter found herself in a health crisis while living on campus in 2001, Wielawski found herself unable to get past school health providers’ answer of “HIPAA” to every question from a worried parent.
Hospitals, as a rule, train staff well in the law — then there’s an employee change and the newcomer isn’t versed in the law. “And the easiest thing to do when a journalist calls is to say, ‘No! HIPAA!'” she said.
Reporters new to health or crime beats also often don’t know what is protected and what’s not, Wielawski added.
It is important to note hospitals hold legal liability to protect patient information, pointed out Jan Emerson-Shea, vice president of external affairs for the California Hospital Association.
“The hospital, first and foremost, is legally bound to to protect patient information. The hospital [public relations] understands your issues, and they wish they could they could give you the information …I get calls from PR people, saying ‘The reporter is asking this and the hospital people are saying this.’ I encourage them to maintain relationships with the media, but first protect patient privacy,” Emerson-Shea said.
In California and elsewhere, hospital information officers are restricted by a number of factors, including limiting room number information. A room in the oncology unit, for example, indicates a health condition and that’s protected information. If a reporter has a patient’s name, the patient’s condition can generally be released. “And that is not a guarantee, she said.
The situation gets muddier when a patient, or his or her family, contacts the media directly about an unusual or sensational health situation. That may take the hospital out of the privacy loop for that person, but HIPAA must be observed for every other patient a reporter may see on the way to the patient who called, Emerson-Shea noted.
Cell phones, Google glasses, social-media postings and location check-ins add to the difficulty in ensuring HIPAA is followed. Such technology “was not even contemplated when HIPAA was written,” she said.
In an attempt to help the dialogue between reporters and hospitals, Emerson-Shea wrote “Guide To Release Of Patient Information to the Media” for her hospital association. “It’s a really good first step and many other hospital associations have published similar booklets,” she said.
Journalists can further help themselves by requesting a copy of a hospital’s release of information form to see what elements are included. Encouraging a patient who is a story source to go ahead and sign the form helps everyone’s cause, presenters told the group.
HIPAA is the most enforced of patient privacy laws, said Stephen K. Phillips, partner and chair of technology practice f=group and the health law firm of Hooper, Lundy & Bookman, Inc. in San Francisco.
That law, however is limited in scope, protecting only health and identifying information about an individual and is only applicable to covered entities, Phillips explained.
What are covered entities? Health plans, self-insured companies, health-care clearinghouses, collection companies, lawyers, hospital medical directors and health-care providers — all which transmit patient information electronically. That puts a “vast majority” of health providers under covered entities, he said.
As a rule, however, that leaves out police officers, doctors who accept cash-only payments, the patient and the reporter. When a reporter talks directly to a patient, or a patient’s family, privacy laws don’t apply, Phillips said.
Journalists are obligated to report public health issues, and misinformation about HIPAA on the part of health providers can be a road block in getting information out to a community, noted Kenny Goldberg, health reporter for KPBS, San Diego Public Radio.
“But I do think [public information officers] want to work with us … and can really help smooth things over.”
Sometimes journalists caught up in competitive zeal, shoot themselves in the foot, Goldberg pointed out, referring to an incident when a photographer was in the wrong.
A story about a father and son caught in a wildfire sent media crews to the hospital. The father had died and the boy was in the burn unit. Journalists were instructed to leave the kid alone, but one photographer ignored the dictate, went in and took pictures.
The hospital ended up blackballing Goldberg’s news organization as a result, he recalled.
Quoting a family member, Goldberg summed up over-aggressive reporters. “You can be bull or you can be a bear, but don’t be a pig.”
HIPAA enforcement at hospitals is often complaint driven. “As long as nobody gets pissed off, you’re not going to have a problem,” said independent heath journalist and author Andrew Holtz. “Be respectful, don’t make enemies at the hospital and you’re probably going to be OK.”
As well, be proactive in seeking sources by asking staff if there might be someone who wants to speak with a reporter about an issue, Holtz advised.
Journalists can best help themselves by being ethical, Wielawski summed up. “Remember, we are a profession with our own standards, our own ethos.”
Work referenced in session:
- “HIPAA, TB And Me,” Irene M. Wielawski, Health Affairs, Vol. 25, No. 4, July/August 2006
- “When a patient’s death is broadcast without permission,” Charles Ornstein, ProPublica, Jan 2, 2015
- “Guide To Release Of Patient Information,” California Hospital Association, November 2013