Healthcare journalism and HIPAA compliance

According to an article titled "Journalists Get Guidance on Navigating HIPAA Rules," published by the Association of Healthcare Journalists, “HIPAA, as it was birthed into law in 1996, was intended to make it easier for people to keep their health insurance when they change jobs. The law set standards for the electronic exchange of patient information, including protecting the privacy of such records. The U.S. Department of Health and Human Services issued the Privacy Rule to implement that aspect of the law, and its Office of Civil Rights is in charge of enforcing it.”

Furthermore, “The Privacy Rule, which went into effect in April 2003, has made it more difficult for reporters to get information about individuals’ health care, such as the names and condition of accident victims. Hospital employees and reporters not well informed about the law make things even harder. Journalists are obligated to report public health issues, and misinformation about HIPAA on the part of health providers can be a roadblock in getting information out to a community, noted Kenny Goldberg, health reporter for KPBS, San Diego Public Radio.”

Understanding HIPAA's privacy rule for journalists

The Health Insurance Portability and Accountability Act, enacted in 1996, established national standards to protect sensitive patient health information. While HIPAA covers many aspects of healthcare administration, its Privacy Rule directly impacts journalism in healthcare settings.

The Hospital-Media Relationship and Patients’ Privacy: Codifying The Ethical Guideline article explains, “In the USA, the right to patient privacy is under legal protection. After the establishment of HIPAA, state medical associations have provided guidelines to protect the privacy of healthcare recipients in interacting with news media. The American Medical Association (AMA) was the first organization to adopt a social media guideline named Professionalism in the Use of Social Media. This means that hospital-media relationships need ethical and professional considerations. This event was followed by the adoption of other guidelines related to the American Nurses Association (ANA) and American Society of Health-System Pharmacists (ASHP) among others, which shows the importance of the issue. All of these guidelines acknowledge the credibility, privacy, and efficiency of both parties; the media and the health system.” 

The journalism knowledge gap

One of the challenges in health reporting is the lack of specialized knowledge in healthcare privacy laws, such as HIPAA. A 2015-2016 study conducted on 34 health journalists in Isfahan revealed the following:

• 65% of journalists had no specialized training in health reporting
• 59% had a moderate to low understanding of medical terminology
• 35% struggled to understand health issues
• 88% believed the ability to interpret medical research was the most important skill required for health journalists
• 97% expressed a strong willingness to participate in specialized health education

This lack of training and understanding creates a knowledge gap in the field, especially when it comes to the legal complexities of reporting on health information. Many journalists find themselves uncertain about what patient information can legally be shared or how to navigate privacy concerns, which could potentially lead to legal missteps.

Required permissions for journalists in healthcare settings

A Reporter’s Guide to Medical Privacy Law noted that, “For health care journalists, the Health Insurance Portability and Accountability Act has changed the way they do their jobs and made telling the stories of patients and those who provide their care more difficult. Reporters say they devote more time than ever before negotiating for access for health-related articles, often to no avail. ‘From stories our members tell us, some hospitals use HIPAA as a convenient way to obstruct reporters. Journalists are spending more time arguing over inaccurate interpretations of the law with hospital media relations specialists,’ said Carla K. Johnson, a board member of the Association of Health Care Journalists.”

A Reporter’s Guide to Medical Privacy Law outlines considerations for journalists when navigating hospital access and patient privacy, providing insights into the American Hospital Association's (AHA) guidelines for handling media requests. These guidelines include:

• General access to hospitals: The American Hospital Association has guidelines for its members on how to respond to media requests generally. Journalists need to know what hospitals are being told but should note that the association’s guidelines may be more restrictive than the law requires. 
• Access to patients’ rooms: Hospitals should not give out a patient’s room number without the patient’s permission.
• Direct contact with patients: Hospitals should not allow reporters to contact patients directly. A representative of the patient should handle media calls. The hospital should deny media access to a patient if the hospital thinks it would interfere with the patient’s care.
• Inside of the hospital: Hospital staff should always accompany reporters when they are inside the hospital. The staff can deny access to any area they believe patients have an expectation of privacy, including the emergency room, intensive care units and nurseries.
• Photographs and interviews: Both photographs and interviews require written consent of the patient. Background photos taken in public spaces are not addressed directly by HIPAA, but in general the hospital cannot release identifiable photos without patient permission. Hospital staff, rather then reporters, should approach people for permission.
• Directory information when a patient has opted out: Patients can elect to not have their information included in the hospital directory, or have their information listed but not available to the press. If the patient does not want information given to the press, the hospital should ask the relationship to the patient of anyone who is calling for a condition report. If a patient has opted out of the directory, the hospital should not respond with that information because it would disclose the patient’s presence. The AHA recommends saying, “Federal medical privacy regulations allow the hospital to release to the media only information in the hospital’s directory” and “the hospital does not have any information about the person in its directory.” 

According to HHS guidance, "It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation, or voice alteration software) for whom an authorization was not obtained, because the HIPAA Privacy Rule does not allow media access to the patients' PHI, absent an authorization, in the first place."

This means journalists cannot first interview or photograph patients and then decide to obscure their identities—authorization must precede any reporting that could capture PHI.

Case study: Saint Joseph’s Medical Center's unauthorized release of COVID-19 patient information HIPAA violation

In 2020, Saint Joseph's Medical Center in Yonkers, New York, became involved in a HIPAA breach after confidential patient information was released to the media. This violation followed a report by the Associated Press detailing the hospital's response to the early COVID-19 outbreak, which led to an investigation by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR).

The investigation

The Associated Press published an article on April 28, 2020, highlighting the hospital’s actions during the COVID-19 pandemic. The report included:

• Photographs of patients in the emergency department
• Detailed information about patients' COVID-19 diagnoses, vital signs, treatment plans, and prognoses. The AP report, while intending to document the hospital's response to a public health emergency, included sensitive patient information that violated HIPAA privacy protections.
  
  

The breach

The breach occurred when:

• Saint Joseph’s Medical Center provided the Associated Press with detailed patient information, including medical statuses and treatment details, without patient consent
• The media outlet used this information in its coverage, inadvertently exposing patients’ private health data
  
  

The consequences

Following the breach, the Office for Civil Rights (OCR) initiated an investigation, which led to:

• A settlement with Saint Joseph’s Medical Center, which agreed to pay an $80,000 fine
• A requirement for the medical center to implement corrective measures, including the development of written policies to comply with HIPAA regulations
• Mandatory staff training on patient privacy laws
• OCR oversight of the medical center’s compliance for two years

The hospital was held accountable for the unauthorized disclosure of patient health information, emphasizing the importance of safeguarding patient privacy, especially during public health crises.

Lessons learned

This case shows several lessons for healthcare facilities and the media:

• Patient consent is essential - Healthcare providers must obtain proper consent before releasing any patient information to the media.
• Media responsibility - Media outlets must be vigilant when reporting on healthcare issues and avoid including sensitive patient information without consent.
• Training and policies - Both healthcare organizations and media outlets should implement privacy training and policies to prevent HIPAA violations.
• Enforcement of HIPAA compliance - Healthcare facilities must ensure they adhere to HIPAA’s privacy rules, particularly in times of crisis when media coverage may increase.

Healthcare journalism in public health emergencies

During public health crises like the COVID-19 pandemic, special considerations apply:

• Public health authorities may release more aggregate information
• Emergency protocols may modify some privacy requirements
• The public interest in timely information becomes more compelling
• Healthcare facilities may implement modified media policies

However, individual patient privacy remains protected even during emergencies. Journalists should:

• Focus on official statements from authorized spokespersons
• Rely on properly anonymized data when reporting on cases
• Continue to obtain consent for individual patient stories
• Be particularly careful with identifiable information in underserved communities

Learn more

• Protocols for safeguarding patient information during emergencies
• What PHI can be shared in an emergency?

FAQs

How can healthcare journalists avoid HIPAA violations?

Journalists can avoid violations by obtaining written consent before using patient information, being mindful of the environment during interviews and photography, and following best practices for safeguarding data.

Are there special considerations for healthcare journalism during public health emergencies?

Yes, while public interest increases, journalists should still respect patient privacy and rely on aggregated or anonymized data when reporting on individual cases during such crises.

What should hospitals do to prevent HIPAA breaches in media interactions?

Hospitals should train staff, develop clear media policies, and ensure that patient consent is obtained before any information is shared with journalists.

Can journalists use photographs taken in public spaces without violating HIPAA?

Photographs taken in public spaces may not be directly addressed by HIPAA, but identifiable photos of patients require consent before use, even if captured in public areas.

How should healthcare journalists handle patient interviews?

Journalists must obtain written consent from patients for interviews and photos, and healthcare facilities should facilitate this process to ensure compliance with HIPAA.