www.ire.org Search IRE  Member sign-in History How we started, Bylaws, The Arizona Project, Endowment Membership Benefits, How to Join, Find an Investigative Journalist, Listservs, Update Your Address Training Conferences, Seminars, Fellowships, Training Materials Resource Center 20,000-plus investigative stories, 2,000 Tipsheets, Reporting Guides, Beat Sources Broadcast Center Videostreamed clips, IRE feeds, IRE videos Database Library Government database collection, Data analysis Campaign Finance Information Center Campaign Finance Database, Stories FOI Center Columns, Awards, FOIA Database, Tipsheets The IRE Store Books, Audio tapes, Databases, Periodicals, IRE Logo Goods Job Center Hot jobs in journalism, latest fellowships and grants IRE Awards Latest contest, Past winners, How to enter Educators IRE Journalism Educators' Center IRE Board Elected members, Committees IRE Staff Staff members, Contacting us Privacy Policy

---

FOI Columns
Return to The FOI Center


July-August, 2002
Don’t wait! Fight proposed medical privacy rules now
By Charles Davis


It's often said journalism is largely a reactive business. It certainly is reactive when it comes to legislative efforts aimed squarely at the practice of the craft.

The routine is, by now, firmly established: Congress or some state legislature threatens a policy move with disastrous implications for the news business. We watch. The rule, or statute, or policy, draws ever closer. We watch.

Then, suddenly (after two years of imminent passage) journalists discover the loathsome rule, and journalism associations swing into action with indignant press releases (many of which I write) and letters to senators and presidents and departments.

Guess what? It's always too late. Policy having been made without us, we come off as whiny and critical of the status quo.

So here is a chance to break the cycle, to race out dead-even with a hot-button issue. I'm going to hand it to the membership of IRE, and all you need to do is get your editor or news director involved.

The issue? Medical privacy rules. Thanks to the pace of Washington, rules resulting from passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) - rules that truly threaten everyday reporting on hospitals, doctors, managed care and other medical stories - don't hit the code books until 2003. (See rules at www.hhs.gov/ocr/hipaa or www.hipaadvisory.com)

The portion of the law that deals with medical privacy has an April 14, 2003 startup, while rules governing medical coding and financial transactions are to be implemented on Oct. 16, 2003. Last month, the White House asked interested parties to comment on proposed modifications to the rules. That means that frequent rule revisions by the U. S. Department of Health and Human Services are expected, making it possible for journalists to weigh in on the rules before they are official.

HIPAA's purpose is noble. Congress set out to improve the health care system by encouraging conversion to electronic patient records, while protecting the privacy rights of patients once their health records were converted to electronic form.

Like most privacy legislation, what began as a reasonable exercise in protecting intimate data becamea field day for secrecy on all fronts, reason be damned.

The current HIPAA rules require that hospitals, physicians, health plans and other covered entities maintain such a high level of privacy that speaking to a reporter about the health of a patient - even a public official or public figure - opens the possibility of civil penalties. There are criminal penalties as well for organizations and individuals, including a fine of up to $250,000 and imprisonment for up to 10 years for knowingly disclosing or obtaining protected health information.

The key phrase in HIPAA is "individually identifiable health information," which is currently defined as any health information that identifies or can be used to identify the individual. So what's "health information," you might ask? The rules say it is "any information, oral or recorded, relating to the health of an individual, the health care received, or payment for health care provided."

Before disclosing such information as treatment, payment and the entity's own operations, health-care providers will have to have the written consent of the patient. Deliver that message to the public relations staff of your average community hospital and the result is information lockdown.

For starters, there is a very real question as to whether hospitals may release run-of-the-mill directory information. Imagine how much worse the chaos of the terrorist attacks in New York, for example, had medical facilities been barred from disclosing the number of people who were injured and the seriousness of the injuries.

A dramatic example, but then think about the many contexts in which information about the medical condition of individuals becomes paramount:environmental or natural disasters, neighborhood crime, the medical condition of public officials, misconduct by healthcare providers, health epidemics or plagues, injuries caused by consumer products, and even births or deaths in a community.

Think back to the anthrax attacks of 2001, overlay the new HIPAA rules, and what happens? A 94-year-old woman dies in a small town and is buried. The cause of death is no one's business, is it?

Of course it is. Yet an exhaustive reading of the rules yields not a glimmer of recognition that there might be a reason to disclose patient information to someone other than a health care provider, insurance company or marketing company.

As a result, HIPAA will hinder the ability to uncover stories in ways impossible to predict. Its rule barring disclosures without written permission of a patient may prevent the press from keeping tabs not only on the medical conditions of our leaders, but more importantly, of misconduct in our nation's health-care facilities.

The medical records provisions of HIPAA are but the latest example of privacy for privacy's sake. They are an extension of the belief among some, and certainly not even most, privacy advocates that the constriction of any and all information about identifiable individuals is what privacy requires. This is a distortion of the law of privacy, which has always balanced the individual interest in privacy with the more communal public interest. In olden days, the public interest sometimes won those contests, where the collective damage to the public welfare posed by privacy interests was clear.

Here is another such moment. We, as members of the press and the public, receive important, non-intrusive, non-intimate, information every day about people caught up in earthquakes, shootings, environmental disasters and the like. Medical records tell us about poorly managed health care systems, the abuse of elderly in nursing homes, unethical research projects and abuse of children in foster care. They have told us about the overstated effects of highly touted drugs, and helped tell the story of the effects of drunken driving and illegal drug use.

They also let us read in the next day's newspaper that the family in the accident we drove past last night is OK.

The public interest in access to newsworthy medical information often outweighs the privacy interest in nondisclosure.

HHS Secretary Tommy Thompson in April proposed changes to the privacy regulations "to fix problems" with the previously published rule. HHS officials have demonstrated their willingness to discuss these issues with members of the news media.

Journalists have no excuse for waiting to react to these rules.

Charles Davis is executive director of the Freedom of Information Center, an associate professor at the Missouri School of Journalism and a member of IRE 's First Amendment task force.