Based on Final HIPAA Security Rule & HITECH Interim Rules (8/24/09)

DRAFT

Version 4: 4/1/18

Based on Final HIPAA Security Rule & HITECH Interim Rules (8/24/09)

HIPAA COW

PRIVACY NETWORKING GROUP

DISCLOSURE OF PATIENT PROTECTED HEALTH INFORMATION TO THE MEDIA

Disclaimer:

HIPAA Collaborative of Wisconsin (“HIPAA COW”) holds the Copyright © to this Disclosure of Patient Protected Health Information to the Media Policy (“Document”). HIPAA COW retains full copyright ownership, rights and protection in all material contained in this Document. You may use this Document for your own non-commercial purposes. It may be redistributed in its entirety only if (i) the copyright notice is not removed or modified, and (ii) this Document is provided to the recipient free of charge. If information is excerpted from this Document and incorporated into another work-product, attribution shall be given to HIPAA COW (e.g., reference HIPAA COW as a resource). This Document may not be sold for profit or used in commercial documents or applications. This Document is provided “as is” without any express or implied warranty. This Document is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to this Document. Therefore, this Document may need to be modified in order to comply with Wisconsin/State law.

State Preemption Issues:
HIPAA COW has addressed the state preemption issues related to Wis. Stat. 146. For disclosures of behavioral health and substance use disorder services, review Wisconsin and Federal regulations or consult legal counsel.

Policy:

It is the policy of {Insert Organization} to ensure the privacy and security of protected heath information (PHI) of patients[1] and to ensure that release of PHI to the media is disclosed along the guidelines set forth in this policy and in the best interest of the patients served.

Procedures:

1. All requests for patient PHI made by the media shall be forwarded to the appropriate administrative office/department for review and response. Requests received after regular business hours shall be forwarded to the supervisor in charge for review and determination of appropriate response.
2. The supervisor may determine that administrative review and action is required and should contact the administrator-on-call to consult and determine the appropriate response.
3. The organization may only respond to a request for specific patient information from the media after receipt and verification of a patient authorization that complies with state and federal law.[2] The only exception to this may be under disclosing “facility directory” information if the patient has not chosen to opt out of this option. Disclosure of patient information from the Facility Directory shall be carried out in compliance with patient wishes, as well as federal and state law and are limited to very general information as listed below (see attachment).1
4. Patient Name.
5. Location in the Facility.
6. Health Condition Expressed in General Terms (provided by patient care staff upon request).
7. The organization cannot share information with the media on the specifics about sudden, violent or accidental deaths, as well as deaths from natural causes, without the permission of the decedent’s legal representative or spouse or in the event that neither of these parties survive a deceased patient, an adult member of the deceased patient’s immediate family.
8. The organization will strive to protect the privacy of the patient as well as ensuring the security of the patient. Where knowledge of a patient’s location could potentially endanger the patient (i.e., the hospital has knowledge of a stalker or an abusive partner), no information of any kind will be disclosed to the media, including confirmation of the patient’s presence at the facility.
9. The organization must obtain written authorization from the patient for the following media-related activities:
10. Reporting of Admissions, Discharges and Births
11. Detailed statements (beyond “one-word”) on the patient’s condition.
12. Photographs/videotapes/other imaging or audio recordings of the patient
13. Interviews of the patient by media representatives
14. Interview of the organization/patient’s provider on the patient’s condition

In general, if the patient is a minor, permission for any of these activities must be obtained from a parent or legal guardian if not allowable under state law.

1. The organization is not responsible for addressing inquiries that are made as a result of “public record.” Matters of public record refer to situations that are reportable by law to public authorities, such as law enforcement agencies, the medical examiner/coroner or public health officer. Inquiries made from media citing access as a matter of public record should be referred to the appropriate public authority.

Disaster/Mass Casualty Situations

1. When appropriate in disaster or mass casualty situations, the organization may release general information to the media to help dispel public anxiety. The organization may state the number of patients who have been brought to the facility by gender or age group (adults, children, teenagers, etc.). Examples might include:
2. The facility is treating four individuals as a result of the explosion.
3. The facility is treating six male adults as a result of a toxic chemical leak.
4. Whenever possible, the organization shall select a spokesperson to handle media inquiries to restrict and control information shared with the public.
5. In disaster or mass casualty situations, the organization shall strive to work effectively with the media balancing the release of general information with patient privacy rights. A location may be provided for the media to be contained, so that information can be released in a press conference format that does not compromise patient privacy or the facility’s need for added security in disaster situations.
6. While the HIPAA Privacy Rule is not suspended during a natural disaster, the President of the United States may declare an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule as follows:

• the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b))
• the requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a))
• the requirement to distribute a notice of privacy practices (45 CFR 164.520)
• the patient's right to request privacy restrictions (45 CFR 164.522(a))
• the patient's right to request confidential communications (45 CFR 164.522(b))

If the Secretary issues such a waiver, it only applies:

• In the emergency area and for the emergency period identified in the public health emergency declaration.
• To hospitals that have instituted a disaster protocol. The waiver would apply to all patients at such hospitals.
• For up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.

Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location. See 45 CFR 164.510(b)(4).

References:

• “Is the HIPAA Privacy Rule Suspended During a National or Public Health Emergency?” HHS.GOV – Health Information Privacy Available, 2018 at: HHS.gov
• “Guidelines on the Provision of Information to the News Media,” Office of the Assistant Secretary, 2017.
• “Guidelines for Releasing Information on the Condition of Patients,” AHA Media Advisory, November, 2002
• “Privacy/HIPAA Related Questions and Answers Pertaining to Release of PHI to News Reporters,” Bricker & Eckler, LLP, Ohio State Medical Association, 2002
• “Select a Spokesperson When Dealing With the Media,” HCPRO, August 2002
• Privacy Pre-emption Subgroup Grids for Wis. Stat.146
• Wisconsin Statutes 146.81-146.83

Attachment:

GENERAL/ONE-WORDCONDITIONDESCRIPTIONSANDDEFINITIONS

WiththeonsetofimplementationoftheHIPAAPrivacyRule,theAmericanHospitalAssociationpublishedguidelinesfor“CommunicatingAbouttheNewHIPAAPrivacyRules.”Belowisinformationpertainingtothe“condition”ofthepatientwhichmaybesharedunderFacilityDirectorydisclosures.Note:Thedescription“Stable”isnotareportableconditionandshouldnotbeused.

One-WordConditionDescription* / Definition
Undetermined / Thepatientisawaitingphysicianassessment.
Good / Vitalsignsarestableandwithinnormallimits;patient is consciousandcomfortable;indicatorsareexcellent.
Fair / Vital signsarestable and within normallimits;patient isconscious,butmaybeuncomfortable;indicatorsarefavorable.
Serious / Vitalsignsmaybeunstableandnotwithinnormallimits.Patientisacutelyill.Indicatorsarequestionable.
Critical / Vitalsignsareunstableandnotwithinnormallimits;patientmaybeunconscious;indicatorsareunfavorable.
TreatedandReleased / A hospital may disclose that a patient has been treated andreleasedbutmaynotdisclosewherethepatientwasreleasedto.
Treatedand
Transferred / A hospital may disclose that a patient has been treated andtransferredtoadifferentfacility;butmaynotdisclosethenameorlocationofthefacility.
*Death:TheOCRstates:Thefactthatapatienthas been"treatedandreleased,"or thatapatienthas died,maybereleasedaspartoftheFacilityDirectoryinformationaboutthepatient’sgeneralconditionandlocationinthefacility,providedthattheotherrequirementsat45CFR§164.510(a)alsoarefollowed.However,itisrecommendedthatOrganizationsproceedcarefullybeforedisclosingthisinformationthroughtheFacilityDirectoryprocesstoallowappropriatenotificationofnextofkin.

Version History:

Current Version: April 1, 2018

Prepared by: / Reviewed by: / Content Changed:
Mandy Coyle, MS, CHPC, CT(ASCP)
Director, Corporate Compliance,
Ascension Wisconsin
Cherri Fields, RHIT|HIM Coach HIPAA Privacy Officer/Health Information Management, Monroe Clinic
Catherine J. Hansen, RHIA
Director, Health Information Services & Privacy Officer; St. Croix Regional Medical Center / Nancy Davis, MS, RHIA, CHPS, Co-Chair, HIPAA COW Privacy Networking Group
Chrisann Lemery, MSE, RHIA, CHPS; Mercy Care Health Plans / Added preemption box; facility directory information; reference to minors.

Original Version: March 15, 2004

Prepared by: / Reviewed by:
Nancy Davis, MS, RHIA
Sheila Zweifel, RHIT / Julianne Dwyer, legal intern, UW Law School student
HIPAA COW Policy & Procedure Work Group

 Copyright HIPAA COW Page 1

[1] All patients are equal; celebrities, public figures, public officials, and patients involved in matters of public record are not subject to different standards than other patients when it comes to organizational policies for releasing information to the media.

[2] Wisconsin Statutory grid 146 directs that an authorization is required for disclosure unless there is a statutory exception allowing disclosure without an authorization. There is no statutory exception in the grid allowing disclosure to the media without a patient authorization.