HIPAA Privacy Regulations:
Frequently Asked Questions
*** (Note: This information is from the national perspective. Health care facilities must comply with state privacy laws that may impose additional requirements.)
Question: What is HIPAA?
HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA includes regulations that govern the use and release of a patient's personal health information. More relevant to the news media, HIPAA also limits the kind of information hospitals can disclose regarding patients. Besides privacy standards, HIPAA creates new standards for administrative transactions and the security of individual health information.
Question: How did the rule get to this point?
Privacy provisions under federal law were established in 1996 with the Health Insurance Portability and Accountability Act (HIPAA). The Department of Health and Human Services (HHS) published regulations, "Standards for Privacy of Individually Identifiable Health Information," applicable to entities covered by HIPAA on December 28, 2000. These regulations became effective on April 14, 2001, and April 14, 2003 is the date on which hospitals must be in compliance with the new HIPAA privacy rule. The rule governs the use and disclosure of individually identifiable health information. Among its provisions are standards for releasing medical information about patients to the media and clergy.
Question: Why should the media care about HIPAA?
HIPAA's privacy standards have changed, and they limit the patient information that hospitals may release to the media. This may represent a significant change over previous practice.
Question: Who is considered a “covered entity” and subject to fines and penalties under HIPAA?
All health care providers, including hospitals, physicians and emergency medical or ambulance personnel that transmit protected health information in electronic form in connection with certain administrative and financial transactions are considered covered entities and are subject to the requirements of the rule. Police, firefighters and family members are not considered covered entities under HIPAA.
Question: How will HIPAA change the way medical providers release patient information to the media?
Under new HIPAA regulations, hospitals may maintain a directory that may only include a patient's name, location in the hospital, general condition, and religious affiliation. If a hospital chooses to maintain a directory, a patient must be given the opportunity to object to or restrict the use or disclosure of information contained in the directory. If a patient does not object to this information being included in a hospital directory, a reporter asking for the patient by name can be privy to the general condition of the patient. If the media do not ask for the patient by name, no individually identifiable information about the patient may be disclosed.
Question: If a patient has been given the opportunity but has chosen not to restrict their information, what kinds of condition information may be disclosed?
If HIPAA privacy standards are met, general-condition information may be provided that does not communicate specific information about the individual. The American Hospital Association recommends the following one-word descriptions of a patient's condition.
Undetermined: Patient awaiting physician and assessment.
Good: Vital signs are stable and within normal limits. Patient is conscious and comfortable. Indicators are excellent.
Fair: Vital signs are stable and within normal limits. Patient is conscious but may be uncomfortable. Indicators are favorable.
Serious: Vital signs may be unstable and not within normal limits. Patient is acutely ill. Indicators are questionable.
Critical: Vital signs are unstable and not within normal limits. Patient may be unconscious. Indicators are unfavorable.
Treated and Released: Patient received treatment but was not admitted.
Treated and Transferred: Received treatment. Transferred to a different facility. (Although a hospital may disclose that a patient was treated and released, it may not release information regarding the date of release or where the patient went upon release without patient authorization.)
Question: What about patients who are unconscious or otherwise unable to give advance consent for release of their information?
The privacy regulations address situations where the opportunity to object to or restrict the use or disclosure of information cannot be practicably provided because of an individual's incapacity or emergency treatment circumstance. In such a case, a health care provider may use or disclose the patient’s general condition if the use and disclosure is (1) consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and (2) in the individual's best interest as determined by the covered health care provider, in the exercise of professional judgment. Both conditions must be true for a provider to release patient information under HIPAA if the patient is incapacitated.
Question: So, for example, if a reporter is covering a traffic accident and calls the hospital asking for information about the condition of a vehicle's occupants, citing the location of the accident but not the victims' names, can the hospital provide a condition report?
Information in the directory (i.e. general condition) may be released only if the media or the public asks for the patient by name and only if the patient has not objected to or restricted the release of such information. If a patient is unable to communicate for the purpose of objecting to or restricting the use of directory information, such information can be released only if any past preferences are known and disclosure is in the best interests of the patient, in the professional judgment of the medical services provider.
Question: What if the reporter asks about the accident victim by name?
If an individual, including a representative of the media, asks for information about the patient by name, only general condition may be released and only if the patient has not objected to or restricted the release of that information.
Question: What if a reporter calls with information that is already part of the public record, such as name or condition of the patient obtained from police reports?
Police reports and other information about hospital patients are often obtained by members of the media. The claim is frequently made that once information about a patient is in the public domain, the media are entitled to any and all information about that individual. This is not true. Health care providers are required to observe the general prohibitions against releasing patient information found in the HIPAA privacy standards, state statutes or regulations and the common law, regardless of what information is in the hands of public agencies or the public in general. Requests for a patient’s health information from the media on grounds that a public agency, such as law enforcement, is involved in the matter should be denied. (If the inquiry is made by patient name, a general one-word condition can be released, so long as the patient has not opted out of the directory.)
Question: Can a hospital confirm that a patient has died?
Although hospitals have traditionally released information about patient deaths to the media upon request, HIPAA allows the disclosure of such information only in response to certain law enforcement inquiries; to coroners, medical examiners and funeral directors to allow them to do their jobs; and to family, a personal representative or another person directly responsible for the patient's care. Reports to public health authorities in their role of collecting vital statistics are also allowed.
One exception to this prohibition would be within the facility directory exception discussed earlier. If the patient is still within the facility, then it is arguable that death is a condition that may be disclosed as a general condition of the patient after next of kin has been notified. If the deceased patient has been removed from the facility, then the facility must obtain a signed authorization from the patient's personal representative to release information about the patient's death. No other details, however, about the circumstances, time, cause, etc. can be released without written authorization from the patient’s representative.
Question: Do restrictions on the release of patient information change if a disaster occurs?
Hospitals or other covered entities, pursuant to the HIPAA privacy standards, may disclose patient information to a public or private entity authorized by law or its charter to assist in disaster relief efforts. Information also may be released to these types of organizations for the purpose of coordinating with such entities in contacting a family member, personal representative or person directly responsible for a patient's care.
Question: How does HIPAA apply to minor children?
Minor children (under the age of 18) may have information released with the consent of a parent or legal guardian, in accordance with the guidelines listed above. Minors who are authorized to consent to specific medical procedures under state law retain control over the use and disclosure of their health information.
Question: Are EMS units or ambulance services considered covered entities under HIPAA?
To the extent that these services provide health care services to patients and bill payers or conduct other HIPAA transactions electronically, they are covered entities.
Question: How are violations enforced?
The U.S. Department of Health and Human Services' Office of Civil Rights has indicated that initially enforcement will be driven by the filing of a complaint.
Question: What are penalties for violations of HIPAA?
The government may impose civil and criminal penalties of as much as $50,000 and/or imprisonment for as long as one year. If the offense is one of disclosure under false pretenses, the fine is a maximum of $100,000 and/or imprisonment for as long as five years. If the offense is committed with the intent to sell, transfer or use patient information for commercial advantage, personal gain or malicious harm, the fine is a maximum of $250,000 and/or imprisonment for as long as 10 years.
Question: Are there other restrictions on the release of patient information, in addition to those imposed by HIPAA or hospital policy?
In addition to the limitations on release of a patient’s health information imposed by the HIPAA privacy standards, state and other federal law also may impose specific limitations.
For example, the release of any information concerning the HIV/AIDS status of a patient is prohibited under most state laws.
Patients admitted to an organized alcohol or drug-treatment program that receives any federal support are entitled to complete confidentiality, including whether they are in the program or not. Release of information about such patients must be accomplished in a specific manner established by federal regulations.
Question: Are there situations in which hospitals might establish policies for release of patient information that are even stricter than those provided in HIPAA?
HIPAA privacy standards establish a minimum acceptable threshold for the use and release of a patient’s health information. State and other federal law, as well as hospital policies, may establish stricter standards. For example, hospitals typically are very cautious about releasing information about any patient associated with the commission of a crime or where the safety and security of both patients and hospital personnel may be jeopardized.
Question: When do these new privacy rules become effective?
It is already in effect. HIPAA became effective April 14, 2001. However, the law provides that compliance with the new regulations is not required until April 14, 2003.