Press topic

HIPAA & newsgathering
By Andrew M. Mar and Alison Page Howard
Lawyers, Davis Wright Tremaine LLP

Journalists throughout the country are wrestling with the impact of the Health Insurance Portability and Accountability Act, a federal health-privacy law that went into effect April 14, 2003.1

Fortunately, HIPAA does not regulate what the news media can report about. Nonetheless, journalists should be prepared to deal with and, if necessary, challenge, the manner in which agencies they cover interpret these regulations.

Perhaps because HIPAA imposes stiff penalties on agencies that disclose private health information, there are instances of law enforcement and fire department personnel saying they can no longer disclose information — such as names, addresses and medical conditions — once commonly disclosed. In Chicago, for example, the press had a difficult time reporting on a deadly porch collapse in late June 2003 because hospitals refused to disclose routine information about the victims. In addition, while the Washington State Patrol quickly recognized that HIPAA does not apply to it, other law enforcement agencies have refused to respond to reporters' requests for information, claiming HIPAA prevented them from releasing it. Thus, the Vancouver, Wash., Police Department cited HIPAA when it refused to confirm whether a kidnap victim had been assaulted. While municipal attorneys later clarified that HIPAA did not apply to the police department, the department's initial response — and the related delay in release of information — reflects the chilling effect that HIPAA has created.

Fortunately, some states are clarifying what type of information is covered by HIPAA. In Texas, for example, the attorney general issued an opinion in February 2004 that the state's public-information law takes precedence over HIPAA, and health-care information must be disclosed unless it is covered by a specific exemption. The opinion is available here. In addition, according to news reports, Kentucky, Arkansas and Utah are also involved in HIPAA reviews.

What HIPAA does and does not cover
HIPAA applies only to businesses or agencies that bill or receive payment for health-care services or transmit information for payment in electronic form. Business or agencies covered by HIPAA generally cannot disclose, without the patient's consent, personally identifying information such as names, addresses or specific medical condition. Thus, in most cases, a hospital cannot give journalists a patient's name. However, the hospital should be able to confirm if a patient the journalist names is in the hospital and provide some additional details such as general medical condition, an age range and a general address (including that person's state or region).

It is not clear how HIPAA and the Freedom of Information Act interact. Some public-information officers have contended HIPAA requirements supersede FOIA disclosures, but journalists should still be able to obtain some information from public-records requests.

HIPAA does not apply to every entity that has a health-care function. For example, it does not apply to a medical examiner's or prosecuting attorney's office. Records that should generally still be available include police- or fire-incident reports, birth records, autopsy records and court records. In fact, for entities such as the fire department or police department, which offer health-care services as an ancillary service, HIPAA should apply only to health-care information generated by the ancillary service. In other words, if a fire department public-information officer (PIO) sees an individual burned at a fire, but the individual drives herself to the hospital, then the department PIO may disclose information about the injured person because it was not obtained as part of the fire department's health-care service.

What journalists can do
Health-care information the media obtains independently is not subject to HIPAA and may be published or broadcast freely, subject to limitations and internal policies on printing information about minors or the deceased. Because HIPAA prevents covered agencies from disclosing names, reporters should obtain as much information as possible from non-covered agencies before turning to hospitals or medical providers for confirmation.

Journalists should also be prepared to challenge a source's claim that a particular agency is covered by HIPAA. If a law enforcement agency, fire department or other agency claims it cannot provide health-care information because of HIPAA, one helpful resource may be a Department of Health and Human Services Web page that can help answer such questions as "Is a Person, Business, or Agency a Covered Health Care Provider?" This Web site will ask a few questions designed to determine if the business or agency is covered. Walking a source through this short question-and-answer process may help convince him or her that HIPAA does not apply.

To assist in efforts to understand and clarify the impact of HIPAA, journalists should collect examples of information they are unable to obtain because of HIPAA (whether applied correctly or incorrectly). With this information industry groups such as the Newspaper Association of America and American Society of Newspaper Editors can explore lobbying and potential litigation that will clarify the impact of HIPAA on newsgathering at the national level. At the local level, reporters and editors should meet with agency public information officers to clarify their application of HIPAA. In this way, the media can help structure the application of HIPAA and take action to remedy its inevitable misuses.

[Editor's note: The Reporters Committee for Freedom of the Press reported in August 2004 that a federal district judge in Denver had dismissed a lawsuit against a newspaper brought by a hospital under HIPAA. HIPAA "displays no intent to create a private right of action" for the release of private health-related information, ruled Judge Walker Miller on Aug. 2. He said HIPAA regulated only those "who might have access to individuals' health information."]


1HIPAA is codified at 42 U.S.C. Sect. 1320d-6. The implementing regulations can be found at 45 C.F.R. Sects. 160, 164.

Andrew M. Mar and Alison Page Howard are associates in the Seattle office of the law firm Davis Wright Tremaine LLP. This article first appeared in the Spring 2004 issue of the firm’s First Amendment Law Letter and has been reprinted with permission.