|News Media Update||KENTUCKY||Freedom of Information|
HIPAA privacy rules do not apply to Kentucky police reports
- The Attorney General of Kentucy ruled that the federal Health Insurance Portability and Accountability Act’s privacy rule does not apply to police department records requested under the state Open Records Act.
Aug. 27, 2004 — The Attorney General of Kentucky ruled Tuesday that the federal Health Insurance Portability and Accountability Act’s (HIPAA) privacy rule may not be used to withhold information in police department records requested under the state Open Records Act. The attorney general also ruled that victims and witnesses’ identities were improperly withheld under the Open Records Act’s exemptions, but that their addresses and birth dates could be withheld.
Congress enacted HIPAA to improve health care by creating a national health information system and establishing standards for the electronic transmission of health information. To that end, HIPAA directed the Department of Health and Human Services to create national privacy regulations for patient information. The HIPAA privacy rule, which went into effect in February 2003, prevents medical care providers, insurance companies and other “covered entities” from releasing anything greater than a one- or two-word statement about an individual’s condition, unless the individual waives his or her privacy interests.
On April 20, 2004, Jim Hannah, a reporter for The (Ft. Mitchell) Kentucky Enquirer , filed a written request with the Covington Police Department for an accident report detailing a fatal garbage truck accident. Lt. Col. Michael Kraft provided the report, but redacted the names, addresses and birth dates of the driver and three “involved persons,” including the person who was killed. Kraft gave no explanation for the redactions.
On May 11, Hannah filed a written request with the department for an incident report detailing a May 6 shooting and a May 1 auto accident report. Kraft again provided the reports, but redacted the name, address, date of birth, social security number, race and gender of all people identified in the records, as well as vehicle ID and registration numbers. Again, Kraft provided no explanation for the redactions.
When the paper appealed the redactions to the attorney general’s office, the city responded that HIPAA prevented city police and fire personnel from releasing any information that would identify a person who had been treated by city emergency medical personnel.
On Aug. 24, Attorney General Gregory D. Stumbo ruled that HIPAA did not apply to police department records.
Relying on a Feb. 2004 opinion of Texas Attorney General, Stumbo found that “because the Covington Police Department is not a ‘covered entity,’ for purposes of HIPAA analysis, records generated by police officers do not contain ‘protected health information,’ and such records are therefore not covered by HIPAA’s Privacy Rule.”
The privacy rule defines “covered entity” as a health plan, a health clearinghouse, or a health care provider who transmits any health information in electronic form.
Stumbo also found that the privacy interest recognized by the Open Records Act was insufficient to justify withholding the identities of the people mentioned in the reports because it was outweighed by the public interest in monitoring the activities of the police department. He found that the privacy interest was sufficient, however, to justify withholding their addresses and dates of birth.
The opinion also states that the Open Records Act requires that a specific exemption must be cited when a record is withheld, along with an explanation of how the exemption applies to the withheld record.
(In re: The Kentucky Enquirer/Covington Police Dept., Kentucky Attorney General Open Records Decision 04-ORD-143, August 24, 2004; Media Counsel: Paul Alley, Graydon, Head & Ritchy, LLP, Ft. Mitchell, Ky.) — GP
© 2004 The Reporters Committee for Freedom of the Press