Featured Health Business Daily Story, June 14, 2012

When a Journalist Calls, Mum’s the Word Without an Authorization

Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.

June 2012Volume 12Issue 6

The trouble that a hospital in California recently encountered as a result of inquiries by journalists provides an opportunity to review how HIPAA governs such exchanges. While covered entities have some options, in general, they “are still obligated to abide by HIPAA” and need to accept that they most likely won’t be able to say as much as they’d like, says Jeff Drummond, a partner in the Dallas office of Jackson Walker LLP.

Although on his blog (http://hipaablog.blogspot.com) Drummond called the situation involving Shasta Regional Medical Center “fun to watch,” he told RPP “the Shasta guys were just wrong” to assert that because a patient had shared her protected health information with a reporter, that meant she had “waived” her HIPAA rights and that the hospital was also free to discuss her care.

The state of California recently cited the hospital for violating state medical privacy laws, and it faces an investigation by the Office for Civil Rights. The reporter was investigating whether the hospital had upcoded a patient by inappropriately claiming she suffered from a rare nutritional disorder called kwashiorkor, and his story was the subject of subsequent articles by two other news organizations (see story, p. 1).

“A patient can’t just waive his or her privacy rights,” but “must take specific steps to do so, and the hospital can’t rely on an ‘implicit’ waiver because the patient spoke about the matter to some other individuals,” Drummond says. Such a conversation “doesn’t mean that [patients] no longer have any expectation of privacy with respect to that PHI.” A key point: “The individual gets to choose where his or her PHI goes,” Drummond says.

Drummond’s advice for how CEs can respond to reporters is also applicable to communications with other individuals who are not the patient, including an attorney or a personal representative.

“If a reporter, attorney, or some other person comes to a hospital and asks questions, indicating that they have some information about a person, the hospital has a couple of choices,” he says. “It cannot discuss the individual’s PHI with the reporter or attorney unless the hospital knows that such a disclosure is OK; the attorney might have power of attorney or otherwise be considered the personal representative of the patient, or might have an authorization signed by the individual that allows the hospital to discuss PHI with the attorney.”

But unless the individual provides an authorization from the patient or shows documentation “that the person is the personal representative, the hospital must treat the questioner as any other person, and not disclose PHI unless specifically allowed,” Drummond says.

While this means that “the provider’s hands are tied, and the patient has an unfair advantage in the public relations battle, the hospital does have a few things it can say and do,” he says.

Hospital Should Not Discuss the Matter

“First, the hospital should make sure the reporter knows that the hospital can’t talk about the matter” due to HIPAA requirements, Drummond says. The hospital could say something like, “We’d love to tell you exactly what happened, but we can’t because of HIPAA, and we take our HIPAA obligations very seriously,” he suggests.

Next, it can “outline the steps the reporter could take to allow the hospital to discuss the matter,” Drummond advises. “Specifically, tell the reporter that the hospital would love to discuss the matter, and give the reporter the whole story, but the reporter needs to get the patient’s authorization to allow the hospital to discuss the matter.”

While this might not happen — the patient isn’t required to give such authorization — “that puts the reporter on notice that there is more information to the story, and it’s the patient, not the hospital, who is stonewalling and preventing the story from getting out,” he says.

Thirdly, a hospital can always release “non-patient-specific information,” Drummond points out. Officials “can talk about general parameters of medical care and the hospital’s experience and volume, as long as doing so wouldn’t reveal any information that might be used to identify a patient,” he says.

Responses Should Be General

In other words, don’t say, “We had one patient with XX,” because “that could potentially allow someone to identify a particular patient,” Drummond says.

For example, if the patient complained to the press that he or she “had a wrong-site-of-surgery issue, the hospital spokesperson could say that the hospital reviewed all surgical procedures done in the last year and did not identify any wrong-site-of-surgery cases,” he says.

A hospital official could also say “I can’t say anything about this specific patient unless she gives you an authorization that would allow me to talk to you. If you’d like, I can provide you with a form, and if she’ll sign it, I can discuss her case with you,” says Drummond.

In Shasta’s case, the hospital could have done the following: In the absence of an authorization, a hospital official could have said, for example, “I won’t even discuss whether she was or wasn’t a patient here. But I can say that, within the last year, this hospital treated 450 patients who had diagnoses that included some component of malnutrition, and of those, 122 were diagnosed with kwashiorkor,” says Drummond, speaking as a hospital representative might. “We have reviewed all 122 of those cases, and believe that in all 122 cases, the diagnosis and treatment were consistent with the physician’s notes and test results. We have established clinical pathways for treatment of certain malnutrition diagnoses, and are comfortable that our standards and protocols are consistent with sound medical practice and national benchmarks. Again, while I can’t discuss this specific patient, we are confident that the care we provide our patients is excellent.”

Drummond concludes that “The deck is definitely stacked against the providers…but that’s the way the rules work.”

© 2012 by Atlantic Information Services, Inc. All Rights Reserved.

Get instant compliance news! Follow AISCompliance on Twitter or “Like” AISHealth on Facebook.

It's quick and easy to sign up for FREE access to AISHealth.com!

Why do I need to register?