www.ire.org Search IRE  Member sign-in History How we started, Bylaws, The Arizona Project, Endowment Membership Benefits, How to Join, Find an Investigative Journalist, Listservs, Update Your Address Training Conferences, Seminars, Fellowships, Training Materials Resource Center 20,000-plus investigative stories, 2,000 Tipsheets, Reporting Guides, Beat Sources Broadcast Center Videostreamed clips, IRE feeds, IRE videos Database Library Government database collection, Data analysis Campaign Finance Information Center Campaign Finance Database, Stories FOI Center Columns, Awards, FOIA Database, Tipsheets The IRE Store Books, Audio tapes, Databases, Periodicals, IRE Logo Goods Job Center Hot jobs in journalism, latest fellowships and grants IRE Awards Latest contest, Past winners, How to enter Educators IRE Journalism Educators' Center IRE Board Elected members, Committees IRE Staff Staff members, Contacting us Privacy Policy

---

FOI Columns
Return to The FOI Center


July-August 2003

HIPAA starting to deny basic information to public
by Jennifer LaFleur

When reporters from The Roanoke Times went to cover a house fire that injured two people, they could not get the names of the victims. They could not even get basic descriptive information such as age and gender. When Erik Brooks of the Kenosha News asked the county health department whether there were any local cases of monkeypox, a disease that was reported to have been found in humans in Wisconsin, the agency claimed that for confidentiality reasons, they could neither confirm nor deny that any cases existed.

Journalists who once called hospitals to get the status of a patient are now unable to get such information because of a new law, which limits access to patient information.

The Health Insurance Portability and Accountability Act, known as HIPAA, was developed during the Clinton administration and went into effect in April 2001.The law gave providers until April 14, 2003, to fully comply with the regulations, so journalists are just now starting to see the impact of the law.

The rules were designed to protect the medical privacy of patients and to give them more control over their health information and how it is used. All health care providers and entities that work with patient billing records must comply with the law or face steep civil or even criminal penalties.

Journalists who have regularly called hospitals to get the status of patients may be unable to get such information in the future. Under HIPAA, hospitals may release only the name and a one-word status of the patient and only if the patient has "opted" to have his or her name released and then only if the reporter has the individual's full name.

"A troubled community is made more so when it cannot find or identify its victims or activate the support systems that neighbors, clergy and others might provide both the victims and their families," The Reporters Committee for Freedom of the Press wrote in comments to the U.S. Department of Health &Human Services before the final regulation was passed. "It is unthinkable that in such a situation, a hospital communicator would be subject to a $25,000 fine for providing general information about a victim."

Local agencies such as county health departments, coroners' offices and emergency response agencies are not covered by HIPAA.

In Roanoke, however, the fire and emergency medical response department claimed that because they provide a medical service and bill electronically for that service, they are required to abide by HIPAA, said Dwayne Yancey, Roanoke Times assistant managing editor.

But other local agencies seem to be applying HIPAA beyond its original intent. Journalists around the country report that police and fire departments have cited HIPAA for not disclosing accident information.

The Minimum Necessary Standard (from federal guidelines) The minimum necessary standard, a key protection of the HIPAA Privacy Rule, requires healthcare entities to limit unnecessary or inappropriate access to and disclosure of protected health information. The Privacy Rule 's requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity. The minimum necessary standard does not apply to the following: Disclosures to or requests by a health care provider for treatment purposes. Disclosures to the individual who is the subject of the information. Uses or disclosures made pursuant to an individual 's authorization. Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA)Administrative Simplification Rules. Disclosures to the Department of Health and Human Services (HHS)when disclosure of information is required under the Privacy Rule for enforcement purposes. Uses or disclosures that are required by other law.

In the case of monkeypox in Wisconsin, Brooks said that being able to tell readers whether there were any local cases was key to the story.

"We 're short-changing our readers," Brooks said. "We can't tell the whole story."

Brooks said the county health department gave him a similar nonresponse when he asked if there were any local SARS cases.

"We're concerned about how the rules are being interpreted," said Andrew Holtz, a health care reporter in Portland and president of the Association of Health Care Journalists. "There's at least an appearance that some of the interpretations are being used to protect institutions rather than individual patients. Hospitals and doctors and clinics are mostly concerned about their potential liability and are trying to deny information to shield themselves, going far beyond what would be necessary to protect the privacy of patients."

Journalists may need to be more creative in their newsgathering. In the case of the Roanoke fire, reporters were able to get information from neighbors. Brooks was able to get monkeypox information by contacting local veterinarians.

The best thing journalists can do is educate themselves about this new law so they know when something truly may be withheld under the law or when an agency is just crying HIPAA as an excuse to not release information.

The Department of Health and Human Services Office of Civil Rights has an online guide to HIPAA at www.hhs.gov/ocr/hipaa.

Last summer, the Reporters Committee for Freedom of the Press produced a guide to help journalists understand the new medical privacy regulation. The guide is online at www.rcfp.org/pullouts/medicalprivacy. For the Reporters Committee comments on the law, go to: www.rcfp.org/news/documents/medprivacy.html.

Jennifer LaFleur is the McCormick Tribune Foundation journalism fellow at the Reporters Committee for Freedom of the Press. She is chair of IRE 's First Amendment Task Force and a former training director for IRE.