Tip Sheets
Understanding HIPAA: A brief overview
HIPAA is the Health Insurance Portability and Accountability Act of 1996, a law intended to make it easier for people to keep their health insurance when they change jobs. The law set standards for the electronic exchange of patient information, including protecting the privacy of such records. The U.S. Department of Health and Human Services issued the Privacy Rule to implement that aspect of the law, and its Office of Civil Rights is in charge of enforcing it.
Since the Privacy Rule went into effect in April 2003, it has become more difficult for reporters to get information about individuals' health care. For example, hospitals will no longer give out the names and conditions of accident victims unless the reporters know each victim's name, and then only general information will be provided. But other HIPAA obstacles are unnecessary. Fearful of HIPAA's civil and criminal penalties, some health care providers have overreacted, while others may simply use HIPAA as an excuse not to cooperate with reporters.
Reporters can work more effectively if they understand what HIPAA does and does not do. Essentially, HIPAA requires "covered entities" to keep private "protected health information."
Covered entities are health plans (including health insurance companies and employer-sponsored health plans), health care clearinghouses, and health care providers that engage in defined electronic standard transactions, which generally relate to insurance reimbursement. Examples include hospitals, ambulances/EMTs, private physicians and social workers. The Office of Civil Rights Web site (http://www.hhs.gov/ocr/hipaa) provides detailed guidance on who is covered by the law.
The following are NOT covered entities: reporters and editors, police and fire departments (except EMTs), patients and their relatives, clubs and associations (which are not health care providers), and religious organizations (except to the extent they provide health care services).
Protected Health Information is individually identifiable health information created, received, transmitted and/or maintained by a covered entity. This includes information relating directly or indirectly to the person's past, present or future physical or mental health, the provision of care to the person, and the person's health care bills and payments. This information includes individuals' demographic information.
A covered entity does not have to keep health information confidential when:
- the information does not reveal the identity of an individual (but 18 defined identifiers must be removed for the information to be properly de-identified); or
- the individual authorizes the release of information through a written, HIPAA-compliant authorization.
Also, there are a number of public policy exceptions under the Privacy Rule that permit the disclosure of protected health information without an individual's authorization. For example, covered entities may disclose information for treatment purposes, for certain law enforcement or public health oversight purposes, or in accordance with a court order. (This list is not exhaustive.)
Additionally, the following are NOT protected health information: police and fire incident reports, and court records. Also, birth records and autopsy records are not protected health information to the extent they are maintained by state agencies. In addition, if a state FOIA law designates death records and/or autopsy reports as public information that must be disclosed, covered entities may disclose that protected health information without an authorization.
Hospitals may maintain directories of patients, although patients can ask to be kept out of the directory and health care professionals use their professional judgment with regard to what directory information (if any) to include about incapacitated individuals. When someone calls and asks about a patient by name whose information is in the directory, the hospital may reveal where the patient is located in the hospital and information about the patient's general condition (including whether the patient has died, or whether the patient has been treated and released).
To release additional information to a reporter, a hospital must obtain written authorization from the patient (or the patient's parent or guardian in the case of minors). That document does not have to be notarized or witnessed. The American Hospital Association's Web site (http://www.aha.org) provides a checklist of what should be included in an authorization form, along with other guidance on HIPAA.
Q&A
Question: A patient called me and asked me to interview him about his experience in the hospital. After I did the interview, the hospital accused me of violating HIPAA because I did not obtain written authorization. Was I wrong?
Answer: No. Reporters are not "covered entities" under HIPAA and therefore cannot violate HIPAA (unless they obtain health information under false pretenses). Reporters do not need written authorization from the patients they interview. The hospital would need such authorization if it had a role in connecting you with the patient. In this case, no "covered entity" was involved in the release of health information. The interview was between you and the patient, and has nothing to do with HIPAA.
However, if you interviewed the patient while he was still in the hospital, you may have violated hospital policy. Most hospitals require that reporters and photographers be accompanied by a hospital representative when in patient areas.
Question: I interviewed a doctor about a health condition, and then asked him to help me find patients who suffer from the condition. He refused, saying that would violate HIPAA. Would it?
Answer: HIPAA prohibits the doctor from revealing the names of his patients, discussing individual patients' care, or showing you medical records without the patient's written authorization. But nothing prevents the doctor from seeking such authorization. Additionally, the doctor does not need written permission to ask a patient to call you, provided he doesn't reveal to you the names of the people he may ask. He can ask patients if they're interested in being interviewed, and then leave it to them to decide whether they want to reveal themselves to you. If the patient agrees to the interview, but you also want to talk with the doctor about that specific patient's care, the patient would need to give the doctor written permission.
Question: I called the hospital to check on the condition of a celebrity patient. The hospital refused to give out any information, citing HIPAA.
Answer: The same rules apply to celebrities as to everyone else. If the patient specifically asks to be excluded from the hospital directory or the hospital, in its professional judgment, determines to exclude an incapacitated patient from the directory, then the hospital would not be able to tell you anything. Otherwise, if you ask about the patient by name, the hospital can tell you where he or she is located in the hospital, and his or her general condition.
Question: A hospital said that HIPAA prohibits me from ever observing surgery. Is that true?
Answer: No. You can observe surgery provided the hospital - not you, the hospital - obtains written authorization from the patient in advance. But nothing requires the hospital to let you in the operating room.
In this case, HIPAA could be a smokescreen for the hospital's desire to avoid coverage. It would be worth finding out what their genuine concerns are. Hospitals do have an interest in maintaining good relations with the media and in showcasing their work, so you have some leverage with them.
Question: After a major bus accident, I called the hospital where the injured were taken to find out the condition of the patients. The hospital wouldn't give out any information, saying HIPAA prohibited it. Is that true?
Answer: The hospital cannot give out the names of the people it is treating, and it cannot tell you the conditions of patients whose names you don't know. If you ask about specific individuals by name, the hospital can tell you their general condition (unless they specifically asked that no information be revealed or they are incapacitated and the hospital has used its professional judgment to exclude them from the directory). The hospital can, however, give out general information that doesn't identify individuals, and hospitals often will do so to inform the public during a disaster. For example, the hospital may be able to tell you that five injured people were in the emergency room and two had been admitted (unless disclosing that information could lead to the identification of those individuals). But it could not post a list of the injured.
Question: A state Medicaid office refused to provide financial and demographic data about people who had applied to Medicaid, saying HIPAA contains specific language about Medicaid. Is that true? Are there different rules for Medicaid? This is not individually identifiable information, so why should it be protected under HIPAA?
Answer: No special set of rules applies to Medicaid. Medicaid falls within HIPAA's definition of "health plan," and therefore it is covered by HIPAA and subject to the Privacy Rule. Therefore, Medicaid can only disclose protected health information, which may include individually identifiable demographic information, in accordance with HIPAA. But HIPAA does not prohibit covered entities, including Medicaid, from disclosing aggregate and de-identified demographic and financial data. There may be other privacy rules related to Medicaid that would limit such disclosures.
Question: Does HIPAA bar reporters from interviewing patients in a waiting room?
Answer: No. Because neither the reporters nor the patients are covered entities, they may speak in any location without violating HIPAA. However, the covered entity (hospital, doctor's office, clinic or other facility) might limit or disallow such interviews.