John Roska: HIPAA covers patient privacy

John Roska: HIPAA covers patient privacy

Q: Why do hospitals refuse to provide information in news stories? Is it illegal for a hospital or doctor to say they are treating someone? If that were true, I'd never be able to call or visit someone in the hospital.

A: Doctors and hospitals are required to protect patient privacy, which can prevent them from naming who they're treating. But if they're asked by name, they can say if they're treating someone. That's why you can call a hospital and be connected to a patient's room.

A doctor's ethical duty to keep patient information confidential goes back at least to Hippocrates. Like most states, Illinois makes that ethical duty a legal one: "No physician or surgeon shall be permitted to disclose any information he or she may have acquired in attending any patient." Breaching that duty can be medical malpractice.

Federal law also addresses patient privacy. That's primarily done through the Health Insurance Portability and Accountability Act, a 1996 law designed to make it easier to continue insurance coverage when you change jobs. The "administrative simplification" parts of HIPAA promote the electronic transfer of medical records.

Technically, HIPAA's privacy rules only apply to the transmission of "health information in electronic form." In practice, though, they cover all information kept by all medical providers (e.g., hospitals, doctors, HMOs, insurance companies and pharmacies).

Anyone or anything covered by HIPAA "may not use or disclose protected health information" without written consent. To keep things private, HIPAA sets standards for what kind of security systems "covered entities" must use.

While HIPAA is very pro-privacy, it doesn't prohibit the release of all information. The regulations specifically say providers can keep a "directory of individuals in its facility." That directory can only include someone's name, their location in the facility (e.g., room number), and their "condition described in general terms that does not communicate specific medical information about the individual."

The rules don't say any more about how "condition" can be described. The American Hospital Association, though, advises choosing one word from the following list: undetermined, good, fair, serious, or critical.

The rules do say that this directory information can be provided to "clergy," and "to other persons who ask for the individual by name."

Patients can delete their information from a directory, or restrict to whom it's released. That's how your hospital can keep things secret, even if people call asking about you. Celebs do it all the time.

Hospitals must notify patients of this right to "object."

So, if a reporter calls asking who got admitted for a gunshot wound, a hospital can't say. But if someone asks by name, a hospital can say if they're there, and state their condition. The hospital doesn't have to, but it's not a HIPAA violation if they do.

Hospitals can also provide information that doesn't disclose patient identity. It's OK, for example, for San Francisco General Hospital to say it treated 66 air crash victims. But a list of the injured would violate HIPAA.

John Roska is a lawyer with Land of Lincoln Legal Assistance Foundation. You can send your questions to The Law Q&A, 302 N. First St., Champaign, IL 61820. Questions may be edited for space.

Sections (1):Living