Unheeded Warnings
One year later, the media’s dire predictions about HIPAA’s Privacy Rules have come true
From the Summer 2004 issue of The News Media & The Law, page 18.
By Grant Penrod
“If we don’t take steps forward to protect privacy in the information age, our most personal information will be available to every employer, every health insurance company, and every high-tech Peeping Tom in America,” said Sen. Ted Kennedy (D-Mass.), in a statement released April 16, 2002. “This is not only unfair to patients, it is bad for their health.”
As many media groups predicted, the Health Insurance Portability and Accountability Act’s Privacy Rule has been equally bad for journalists. In the more than a year since the Privacy Rule went into effect, as much information has reportedly been withheld due to incorrect over-application of the act — out of fear of sanctions or confusion over the complex rules — as has information that was properly protected.
On Jan. 29, The Express-Times in Easton, Pa., reported that HIPAA, as the act is commonly known, was cited by a county attorney for refusing to turn over a coroner’s records to the public — even though the Pennsylvania Coroner’s Act requires the records to be available for public inspection.
In a May 30 story in the Tulsa World in Oklahoma, the newspaper reported that HIPAA had been cited by public bodies in the state as a reason not to turn over autopsy reports. Although the reports are public records, the state Department of Corrections redacted information in reports about the cause of death of prison inmates. According to the story, the department wrongly declared it was a “covered entity,” citing HIPAA as the reason for the redaction.
Ironically, privacy regulations were never a motivating factor in the creation of HIPAA in 1996. The bill was intended to make it easier for individuals to change jobs and health insurance plans without losing coverage, to simplify health insurance administration, and to combat waste, fraud and abuse in the health insurance industry. The creation of new health privacy standards was never mentioned in the original bill.
However, during the final conferences to resolve differences between House and Senate versions of the legislation, a privacy provision was added over concerns that individuals’ medical information could be stolen or disclosed when transferred between insurance companies and care providers. The provision directed Congress to create privacy protections by August 1999. If Congress failed to do so, it fell upon the Department of Health and Human Services to create the regulations.
Although Congress attempted to pass a number of proposals, none made it out of committee. In November 1999, the Department of Health and Human Services submitted its proposed rules — which went far beyond protecting electronically transmitted health information from accidental dissemination or theft, as originally conceived — for public comment.
The privacy regulations prevent “covered entities” — any person or organization that bills electronically for health care, including hospitals, doctors and insurance companies — from disclosing “individually identifiable health information” without the patient’s express consent. Individually identifiable health information includes: a photo, a name, a geographic area smaller than a state, dates more specific than a year, e-mail addresses, telephone numbers, social security numbers and various other information. And the regulations apply to this information in any form, not just electronic data, with which the act was originally concerned.
According to Alan Goldberg, a Washington, D.C., attorney who advises health care providers on privacy and security matters, the act’s privacy regulations even prevent a covered entity from disclosing already public information.
The Standards for Privacy of Individually Identifiable Health Information, commonly called the “Privacy Rule,” permits the release of so-called “deidentified” information without the patient’s consent, but only when all of the identifying information has been removed. In addition, when a requestor — such as a reporter, for example — has a patient’s name and the patient has not specifically objected, a covered entity can release a general statement of condition, such as “good,” “fair,” “stable” or “critical.”
HIPAA does not apply to police, clergy, family members or witnesses to an accident because they are not “covered entities.” Fire, rescue and ambulance workers may or may not be subject to the regulations, depending upon whether they bill electronically for any health services they provide.
Violations of the Privacy Rule carry stiff penalties: civil penalties of $100 per violation, up to a $25,000 annual maximum, for inadvertent disclosures. However, there is a safe harbor for inadvertent disclosures made by a covered entity that has exercised reasonable diligence in attempting to comply. For intentional violations, there are criminal penalties of $250,000 and up to 10 years in prison. The criminal sanctions may even be extended to non-covered entities, possibly even journalists, when they have intentionally solicited a violation by a covered entity.
Except for this possible sanction, HIPAA cannot be used to punish journalists for publishing information they receive. Journalists are not covered entities, and First Amendment protections make it very difficult to punish journalists for publishing information unless they knowingly broke the law to get it.
Nonetheless, numerous media organizations — including The Reporters Committee for Freedom of the Press — were largely critical of the rules.
“Even though journalists are not covered entities, the massive civil penalties and felony prosecutions to be visited on their sources of information would exert a chilling effect on the disclosure of matters of public interest, regardless of whether those matters are clearly covered by the rules,” the Newspaper Association of America, the National Newspaper Association and the American Society of Newspaper Editors wrote in their April 30, 2002, comments.
“Certainly, an individual has a right to guard his or her own medical records from abusive releases,” they continued. “But when matters of public concern demand the telling of the individual’s story to expose a wrongdoing, to inform a community of a disaster or to hold the medical system accountable, some use of individual information is necessary and justified — and protected by the Constitution.”
The media organizations’ comments were buried within the more than 60,000 received by the Department of Health and Human Services. In the 330 pages in the Federal Register devoted to addressing public comments on the HIPAA privacy regulations, there was not a single mention of journalists’ concerns about how the new rules would hinder reporting.
The Privacy Rule went into effect largely as proposed on April 14, 2003.
Privacy v. Open Government
One way HIPAA has become an obstacle to newsgathering is through interference with open government laws. A provision of the Privacy Rule preempts contrary state laws unless they impose requirements that are more stringent than HIPAA.
An exception to the preemption rule exists when the Secretary of Health and Human Services determines that “necessity” exists. The exception applies when the contrary state law is necessary to prevent fraud and abuse, ensure appropriate regulation of insurance, for state reporting purposes, or when it serves a “compelling need related to public health, safety or welfare,” according to the rule. HIPAA sets out procedures for a state to seek a determination of necessity from the secretary, but it doesn’t set out any timetable for the determination.
In certain instances, however, the disclosure requirements of state open records laws may provide a way to counter the harms of the Privacy Rule.
On Feb. 13, Texas Attorney General Greg Abbott ruled that the HIPAA Privacy Rule does not prevent disclosure of information required to be public under the state Public Information Act. Because a provision of the Privacy Rule allows disclosure when “required by law,” Abbott ruled that “governmental bodies in Texas must shift their focus from the Privacy Rule to the PIA when responding to a PIA request for protected health information.” When an open records request is made under the Public Information Act, Abbott ruled that HIPAA’s preemption rules do not apply.
When a request is made under anything other than the Public Information Act, however, the Privacy Rule should be applied normally to a governmental body that is a covered entity, Abbott said. He also pointed out that individual health information is still protected by other state laws that create exemptions to the Public Information Act.
According to Ross Cirrincione, director of the Freedom of Information and Privacy Acts Division of the U.S. Department of Health and Human Services, HIPAA regulations have had little impact on federal FOI Act requests. Individually identifiable health information is already protected by FOI Act exemption 6 — personnel and medical files — and the Privacy Act, he said.
It is possible, however, that HIPAA could prevent release of some information not protected by those exemptions. Exemption 6 requires a “clearly unwarranted invasion of personal privacy,” while the Privacy Act contains an exception for information required to be released under the FOI Act. HIPAA has no such limitations, and therefore might prevent the release of information that does not otherwise fall within an exemption.
Similarly, in a Dec. 18, 2003, opinion, Maryland Attorney General J. Joseph Curran Jr. wrote that while existing Maryland law is largely more stringent than the HIPAA Privacy Rule, “significant questions regarding federal preemption are likely to arise.”
A Stick with no Carrot
HIPAA’s effect on journalists’ ability to gather news directly from sources has been much more grave than its effect on open government laws. The privacy rules are draconian, complex and carry heavy penalties. And unlike open records laws, there is no corresponding statute requiring the dissemination of information.
The result has been a massive overreaction when it comes to talking to reporters about private health information.
“A lot of our crime stories, our fire stories, our wreck stories, are missing a piece of information the public relies on,” said Chris Fletcher, editor of The Daily Herald in Columbia, Tenn. “Especially a community paper of our size. People want to know how their neighbor is doing.”
According to Fletcher, all hospitals in the Columbia area began giving less information to the press as soon as the regulations went into effect, while the hospital at Vanderbilt University stopped releasing information entirely.
Gary Stephenson, spokesperson for Johns Hopkins Medical Center in Maryland, said “HIPAA heightens up policies we’ve had in place for a decade,” but is “much more strict.”
Stephenson said Johns Hopkins used to give out patient condition reports, but now can’t without patient authorization.
“Most people have been willing to sign the release form,” he said. When patients don’t sign the release, “We basically tell reporters that we can neither confirm nor deny their presence at Hopkins.”
Will Morris, a former reporter at the Daily Herald who now writes for the Daily News-Record in Harrisonburg, Va., said police, emergency responders and 911 operators have often refused to talk to reporters out of a blind fear that HIPAA may apply to them. “As soon as April rolled around and the rules went into effect, you couldn’t get squat out of them,” Morris said. “Some of them will cite HIPAA not even knowing what it means, just to get out of giving information.”
A number of state and national newspaper associations are compiling instances in which information was withheld from journalists under HIPAA, often by people not covered under the act. Some examples, as reported by the Newspaper Association of America, include:
- The Beaver County Times and Allegheny Times in Pennsylvania reported that a local hospital cited HIPAA when it refused to share information about a local Hepatitis outbreak.
- Fire officials in Grand View, Mo., cited HIPAA in refusing to say whether victims of a nursing home fire were hospitalized for burns or smoke inhalation, according to The Kansas City Star.
- Because of HIPAA, county health officials refused to release the name of a woman who died of suspected meningitis, a highly contagious and fast-acting disease, The Daily News in Longview, Wash., reported.
- According to WTKR-TV in Virginia, because of HIPAA, hospital and rescue services in Virginia Beach refused to identify a man shot by police. Police later determined that the person was not a criminal suspect, and because he was never charged they also refused to identify him.
- The Associated Press was unable to get a copy of a missing persons report filed for a man arrested as a sniper suspect in Columbus, Ohio. HIPAA was cited because the report referred to his mental health.
The news media’s dire predictions about the effect of the HIPAA Privacy Rule on newsgathering have largely come true. And because apprehension and misapplication of HIPAA have led to the improper withholding of health information under the act, it has become essential that people who control access to such information be educated as to what is and what is not protected.
As the Society of Professional Journalists, the Association of Health Care Journalists, the Radio-Television News Directors Association and The Reporters Committee for Freedom of the Press said in their April 2002 comments to the Department of Health and Human Services, “The Privacy Rules unduly favor individual privacy at the expense of the routine information flow that is the hallmark of an open society.
“The public should be privy to certain essential information to secure its health and safety and to enable it to oversee the conduct of its government and the performance of its health care system.”