Patient Privacy in the Time of Coronavirus: The Limits of HIPAA
Published May 19, 2020
Covid-19 has of course dominated the media for more than two months, with exhaustive coverage of the pandemic, the shutdown of much ordinary activities, the economic impact, and much more. But an aspect of the pandemic that has not received much first-hand reporting is the situation in some hospitals, particularly in major cities, that have been dealing with a deluge of patients as they also suffer a lack of doctors, nurses and other personnel; a shortage of protective equipment and medical supplies; and a crisis of funding.
To be clear, this is not happening in all hospitals, even in the areas that have been hardest hit by the pandemic. (In fact, the lack of apparent activity at some hospitals led to false claims that the pandemic is a hoax.)
Some of the major reasons that there has been little direct coverage of the problems in many hospitals during the pandemic are medical privacy laws, particularly the “Privacy Rule” adopted under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Overall, HIPPA primarily involves health insurance coverage, including requirements for coverage of pre-existing conditions, standardization of medical savings accounts, and changes to corporate tax provisions regarding employee health coverage.
But perhaps the most noticeable provision of the law are the privacy requirements, which require health care providers to ensure the confidentiality and security of patient medical information. Under this provision the federal Department of Health and Human Services has issued the “HIPAA privacy rule,” which bar health care providers from releasing individual patients’ medical information without the patient’s consent. One of the direct results of the rule is the privacy forms that new patients usually must sign allowing disclosure of their medical information for billing, insurance, and other purposes.
Another is that the media are generally banned from hospitals, including those overwhelmed by the pandemic. In fact, some hospitals that have allowed the media to show treatment of their patients (pre-coronavirus) have faced significant fines. Individual doctors have also been fined for disclosing individual patient information to the media.
So while there has been coverage of overstretched medical facilities during the Covid-19 crisis, it is primarily based on personal accounts of doctors and nurses, not first-hand observation. (This New York Times story and this Washington Post op-ed, for example; they are also posting on social media.)
But while HIPAA rules place strict limits on personnel and organizations that provide or facilitate medical care, such as hospitals, doctors, health insurance and health billing companies, and their “business associates,” these is an explicit exception for when “disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.” An example of such a law that requires disclosure is federal and state freedom of information acts.
HIPAA restrictions also do not apply to the following:
- a covered entity’s release of “directory information” about a patient, that is, the fact that the patient is at a facility and his/her general medical condition, as long as the patient does not object;
- a covered entity’s release, including to the press, of information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death;
- release of information that is required to be released under state freedom of information laws;
- when releasing information “is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public” and the disclosure is to “a person or persons reasonably able to prevent or lessen the threat;” and
- when the patient or his/her authorized proxy agrees to releasing the information.
Also, HIPPA does not apply to people or groups that do not provide direct medical services. Thus government agencies, including local and state health departments, should not use HIPPA as an excuse to not release general, non-individual health information and statistics, including the number of positive tests for the virus in an area, the infection rate, and the number of fatalities. So, for example, a city health department could not use HIPPA as justification for refusing to release lead-contamination notices.
And doctors and nurses should be able to talk about general conditions in the facilities where they work without violating HIPAA. (Unfortunately, this has not stopped some facilities from threatening to fire those who have spoken to the media, despite the inapplicability of HIPPA and rulings from the National Labor Relations Board that employers cannot ban non-supervisory employees from speaking to the media about working conditions.
It’s also important to note that the HIPAA rules also don’t apply to the media. So if a reporter finds out details about someone’s medical condition—even the disclosure itself violates HIPPA—the reporter is legally free to report it. (Of course, ethical considerations may also come into play.)
Far too often, but especially in a crisis, HIPAA may be invoked to stonewall all attempts to get medical information, But by knowing what information and which individuals and entities are covered by the law—and which are not—reporters can continue their work to inform the public about health issues and concerns in their communities, which is especially important during our current situation.
Eric P. Robinson is an assistant professor at the USC School of Journalism and Mass Communication and is Of Counsel to Fenno Law in Charleston/Mount Pleasant, although any opinions are his own. He has worked in media law for more than 18 years, and is admitted to legal practice in New York and New Jersey and before the U.S. Supreme Court. This column is for educational purposes only; it does not constitute legal advice.