The HIPAA hush factor
From the Spring 2009 issue of The News Media & The Law, page 17.
Reporters hoping to learn the identities of people rushed to the hospital after car crashes have gotten used to the familiar refrain: HIPAA prevents emergency workers and health-care providers from releasing personal information.
The law — the Heath Insurance Portability and Accountability Act of 1996, cobbled together mostly by the Department of Health and Human Services — has since 2000 practically blocked all access to most information that could even arguably be related to an individual’s health information. It allows for penalties for a potential HIPAA violation by a health care provider.
Essentially, this means reporters can’t find out who was involved in that crash. But if that or other health-related information should come out, the penalties for its release were limited — until this spring when Congress tacked onto the mammoth economic stimulus bill a provision greatly expanding them.
The effect, according to transparency advocates who worry privacy protection has gone too far, is that the media and the public will have an even tougher time identifying patients when any argument could be made that information is health related.
“This bill hugely expands HIPAA,” said Tonda Rush, the president of American PressWorks, which represents the National Newspaper Association. “This expansion will put news sources on guard against new criminal and civil penalties that now can be enforced not only by HHS but by state attorneys general.”
The amendments to HIPAA now also fold in “business associates” of entities that were previously covered by the law. That means that anyone doing business with traditional health-care providers who have access to individually identifiable health information, such as hospitals and doctor’s offices, are under the law’s reach. Also, non-traditional entities that maintain health-related information, such as police and fire departments whose emergency response units already will typically withhold information citing HIPAA, are now directly covered as well. The biggest target of the changes seems to be pharmacies, but all business associates are covered.
One common complaint about the law among privacy proponents that spurred the changes was that it lacked the enforcement mechanisms necessary to make it effective. Rush expected those concerns would turn into legislation especially because database vendors, including Google with its Google Health, are now electronically storing people’s health data in accounts for them to privately access. That provides another avenue for wrongful release of health information, and privacy advocates wanted stricter penalties to safeguard against it.
As for the HIPAA amendments’ insertion in the completely unrelated stimulus bill in February, Rush said privacy legislation almost never makes its way into law without riding on a larger bill.
The HIPAA amendments include new civil penalties for violations where records were wrongly released, ranging from $100 for unknowing violations up to $50,000 for a violation due to willful neglect, all subject to the discretion of the HHS secretary. They also allow for state attorneys general to bring federal criminal lawsuits against covered entities as well as their employees or other individuals to prevent further wrongful releases and recover financial awards from $100 up to $25,000.
This fix “adds in 50 new enforcers,” Rush pointed out, since the attorneys general will now have authority alongside the federal government to enforce the law.
That authority and the increased penalties make it harder for “the average health-care provider to do their job,” said Jim Harper, a privacy advocate and the director of information policy studies for the Cato Institute. Harper touts the importance of medical privacy on his Web site Privacilla.org, though he says he does not think HIPAA or increased penalties are the best solutions to the issue.
“It’s not likely to change how often breaches happen; most are inadvertent,” he said. “The penalties are symbolic. I’m not sure patients are better off than they were before — now it’s harder and more expensive to be a health-care provider.”
Information covered by HIPAA has “varied uses” that policy makers and lawmakers hadn’t considered until they tried to devise ways to curb its release, Harper said. Reporting on incidents like those car accidents fell by the wayside when the information stopped coming out, he said, though he added that he doesn’t see it as “a horrible loss to society to not get this information.”
On the flip side, Rush pointed out the practical effects that occur when health-care providers are overly fearful of penalties: No name might be released without a person’s express consent, no matter the public interest.
“The elimination of much meaningful coverage of health and medical institutions, as well as information about the human aspects of disasters, pandemics and research, unfortunately, is a by-product of such sweeping privacy rules,” Rush said.
Having covered health-care institutions for more than 20 years, journalist Andrew Holtz is plenty familiar with the diminishing of this type of reporting due to HIPAA. Holtz is on the board of the Association of Health Care Journalists and independently writes on medical issues.
“It creates all sorts of unnecessary roadblocks to covering public health-care institutions. I understand the need to protect patient privacy; as a journalist, I have no interest in exposing personal medical information without express permission,” he said.
“But the problem is, in the name of protecting individual rights of patients, [lawmakers] have created bureaucracies, regulations and penalties that frighten administrators and block access,” Holtz said. “There’s an iron curtain around public health institutions — which are often publicly funded — and we’re standing outside and supposed to just trust in what they’re doing.”
Adding additional penalties and enforcement mechanisms to the law, Holtz said, only compounds fear on the part of health-care workers who might otherwise wish to let the public see how they do their jobs.
“It excludes the public from seeing how one of the most vital parts of the economy and public works. It’s not how we look at other public institutions — we’re supposed to be able to look and see if they’re working well or failing.”
The changes to the law also require heath care providers who experience a breach of security that leads to release of information to proactively notify anyone who was actually or potentially affected. When more than 500 people may have had their information compromised, media outlets would receive notice of the breach.