Health Insurance Portability and Accountability Act (HIPAA)

Congress passed the Health Insurance Portability and Accountability Act in 1996, which required the Department of Health and Human Services to enact federal health privacy regulations known as the Standards for Privacy of Individually Identifiable Health Information. Many media organizations, including The Reporters Committee for Freedom of the Press, the Newspaper Association of America, the National Newspaper Association and the American Society of Newspaper Editors, objected that the proposed rule overly restricted access to information. Still, the law went into effect in 2003. Under the privacy rule, those who violate the law unintentionally can incur civil penalties of $100 per violation, up to a $25,000 annual maximum fine. For intentional violations and misuse of individually identifiable health information, criminal penalties can lead to a fine of up to $250,000 and imprisonment for up to 10 years. A safe harbor provision exists for inadvertent disclosures made by covered entities that exercise reasonable diligence in attempting to comply with the law.

Even with safeguards to protect institutions that make a good-faith disclosure decision, journalists say agencies withhold records that were never intended to be covered under HIPAA because they are unsure about the law — or use it as an excuse.

“Reporters understand the need not to have private health information released willy-nilly,” said Charles Ornstein, a Pulitzer Prize-winning reporter for ProPublica in New York and president of the Association of Health Care Journalists. “The biggest problem, from my estimation, is that HIPAA is misapplied by hospitals and healthcare institutions.”

Many hospitals, for example, refuse to release information even with the consent of the patient. When Ornstein was a reporter for the Los Angeles Times, he was assigned to cover the 2005 derailment of a train in Glendale, California, and wanted to talk with survivors in local hospitals. He found that the hospitals had a “radical difference” in willingness to help journalists. Some hospitals relied on HIPAA automatically, refusing even to let survivors know a reporter wanted to speak with them, while others arranged interviews and invited Ornstein and his photographer to approach the patients.

“HIPAA doesn’t say you can’t ask the patient [for an interview], but a hospital that doesn’t want to cooperate just uses HIPAA as a shield,” Ornstein said. “It goes beyond issues of patient privacy. Some hospitals just don’t want to be in the media and will go to unbelievable lengths to say we’re not allowed in, when in fact it’s not that easy.”

Exacerbating the problem are privacy breaches, including reports of nurses and doctors hacking into hospitals’ computers, illegally accessing their friends and family members’ records, and leaking celebrity patient medical records or financial information to tabloids. Farrah Fawcett’s medical records, for instance, were leaked to the National Enquirer in 2007 when she received her cancer diagnosis.

For that reason, hospitals are cracking down on both unintentional and intentional breaches, which makes sense to most journalists. “No reporter would argue with that,” Ornstein said. “It’s an issue of misusing HIPAA where no patient privacy applies.”

According to the Department of Health and Human Services, HIPAA allows the release of hospital directory information containing basic facts about current or recent patients treated by a hospital, unless the patient objects. This includes patients’ names, locations within the hospital, general conditions, including whether a patient has been treated and released or has died, religious affiliations and room telephone numbers. However, despite these guidelines, many hospitals claim information is protected by HIPAA when it is not.

One recent example of widespread HIPAA misapplication is the vast variation in how state and county health departments and government agencies provided information on the H1N1 flu and its related deaths. The Association of Health Care Journalists found that while HIPAA prevents the release of names of patients, when an H1N1-related death occurred, some hospitals were more forthcoming and released the age of the person who died and some underlying medical conditions, while others would go no further than to state a death had occurred.

“Across the country, there can be an attitude of ‘big brother knows best,’ and ‘we know what information the public should know and we’ll tell you what you need to know,’” said Ornstein. “Unfortunately this attitude is not arming the public with the information to decide what the risk is and how to protect themselves.”

Still, health institutions typically release hospital inspection reports, Ornstein said, even when the reports include information relating to a specific patient that can be easily identified. For example, when Dennis Quaid’s newborn twins were among three children who received an overdose of the blood-thinner Heparin, an investigation took place and the inspection report was released, even though the public could surmise that “Patient A” and “Patient B” were Quaid’s children, Ornstein said.