Medical Privacy

More than nine years after the Driver's Privacy Protection Act was passed, privacy worries continue to close off information to the public and the press.

The Health Insurance Portability and Accountability Act, a privacy measure, recently delivered a blow to reporters who routinely contacted hospitals to get information about the status of patients. The act ultimately required the Department of Health and Human Services to write privacy rules.

The HIPAA rules were developed during the Clinton administration and went into effect in April 2001. The law gave providers until April 14, 2003, to fully comply with the regulations, so journalists are just now starting to see the impact of the law.

The rules were designed to protect the medical privacy of patients and to give them more control over their health information and how it is used. All health care providers and entities that work with patient billing records must comply with the law or face severe civil or even criminal penalties.

Journalists who routinely called hospitals to get the status of a patient may be unable to get such information in the future. Under HIPAA, hospitals may release only the name and a one-word status of the patient — but only if the patient has agreed to have his or her name released and then only if the reporter has the individual's full name.

"A troubled community is made more so when it cannot find or identify its victims or activate the support systems that neighbors, clergy and others might provide both the victims and their families," The Reporters Committee for Freedom of the Press wrote in comments to the U.S. Department of Health and Human Services before the final regulation was passed. "It is unthinkable that in such a situation, a hospital communicator would be subject to a $25,000 fine for providing general information about a victim."

Local agencies such as county health departments, coroners offices and emergency response agencies are not covered by HIPAA, yet many of those agencies are using it as a reason to deny journalists information.

When a reporter from The Roanoke (Va.) Times went to cover a house fire that injured two people in Spring 2003, the fire and emergency response department refused to give him the names of the victims or any basic descriptive information, such as age and gender. Dwayne Yancey, assistant managing editor at the Times, said the department claimed it must abide by HIPAA because it provided a medical service that is billed for electronically.

Other local agencies seem to be applying HIPAA beyond its original intent. Journalists around the country report that police and fire departments have cited HIPAA for not disclosing accident information.

When Erik Brooks of the Kenosha (Wis.) News asked a county health department if there were any local cases of monkeypox, a disease that was reported to have been found in humans in Wisconsin, the agency claimed — due to confidentiality reasons — it could neither confirm nor deny that any cases existed.

Before HIPAA took effect, reporters were able to find important stories that involved health records.

In 1996, Keith Epstein reported for The (Cleveland) Plain Dealer that researchers were performing pharmaceutical research on people who were uninformed about the full nature of the work.

In June 2000, "Dateline NBC" aired an investigation showing how State Farm Insurance used unqualified individuals to review medical claims, and supported lower recommended payments. Operations inside "the paper review" process were consistently slanted toward denying claims. The story gained attention from both the U.S. House of Representatives and the Senate, and prompted an investigation by the National Association of Insurance Commissioners.