COVID-19 reporting under HIPAA
Personal identity and privacy are big topics in the information age. Most people like to keep the details of their health to themselves and their closest friends and loved ones. In 1996, the U.S. Congress passed the Health Insurance Portability and Accountability Act, which prevents certain health care providers and associated businesses from releasing personally identifiable information. The law went into effect in 2003, and while it certainly has benefits, it has become a stumbling block for reporters trying to do health and medicine reporting.
Reporters aren’t against HIPAA. Most reporters (I can’t speak for all of them) aren’t trying to disclose the health information of private citizens without permission. Our goal is to tell impactful stories with a minimum of harm. This can usually be done with anonymized data and expert interviews. We don’t need to know the identities of each patient, just some statistics about what type of person seems to be at risk for a disease, or eligible for a new treatment. Often we might just ask for it. With a government entity like a health department we might file a Freedom of Information Act request for it.
The problem develops because the people who handle the information are medical professionals, not lawyers, and don’t always know HIPAA, and reporters don’t always, either. Most HIPAA training amounts to telling staff not to ever give out patient information except in authorized transfers to other healthcare businesses. Hospital and health department staff will often develop a policy of turning down all other requests for information, simply out of fear of violating the law or getting reprimanded.
This is understandable, nobody wants to get in trouble at work, but it leaves the reporter empty-handed and unable to do their own work — informing the public. And that in turn leaves the public in the dark about the health of their community.
There are a few things every reporter, healthcare employee, and patient should know about HIPAA.
First, HIPAA applies to information about an individual’s health status, care and payment information. So, insurance plans and billing information are protected information under the law, not just your medical record.
Second, the restrictions only apply to information that can identify an individual. The hospital can’t share who exactly has a disease, but they can share how many people with a certain disease they have treated, and what that treatment included.
This is where HIPAA gets a little tricky. The law states that the information released can’t identify an individual, or be used to identify an individual in conjunction with other publicly available information, like Facebook or the phonebook. It’s more than just names.
If a hospital is going to release information, there are certain categories of information that have to be removed or redacted. Names, of course, but also any date more specific than the year, including birthdates, admittance and discharge dates, and date of death. Contact information including addresses has to be removed. Any unique identifiers, social security numbers, account numbers, billing and record numbers and vehicle identifiers are all private and off limit, even for the medical devices used in treatment. So are photographs and biometric identifiers like fingerprints, if they’re taken.
The part that matters most now, while an infectious disease is spreading in the world, is location information. This also gets a little tricky because it is dependent on population density. If a patient is located in a zip code with more than 20,000 people, then the zip code alone is allowed to be released. If it’s in a zip code of less than 20,000, then only the first three numbers of the zip code can be released. Since Houghton County only has about 35,000 people living in it, the health department and hospitals can’t, under federal law, be any more specific about where exposed people have been found.
COVID-19 contact tracing and testing data might be kept in a database that could include all of the above categories covered by HIPAA and more. Those protected categories could be removed from a digital spreadsheet quite easily, and what remains could give reporters and other members of the public valuable information about local treatment and preparedness. Or there might be nothing left of the database, depending on what information has been gathered. Either way, the key is keeping individuals from being identifiable from whatever information is released to the public.
Finally, HIPAA also allows for the disclosure of “directory information”. That means if you call into a hospital or other treatment facility and ask for someone by name, they can tell you if and where the patient is and what their general condition is. This is how reporters check on car crash victims, fire survivors, and other individuals for some articles.
While health officials and reporters both struggle with HIPAA restrictions at times, knowledge of the law can allow both parties to do their jobs without putting anyone’s personal information at risk of exposure.
Joshua Vissers holds a B.A. in multimedia journalism and is associate editor at the Daily Mining Gazette. Send questions to firstname.lastname@example.org.