Minimize HIPAA mistakes when responding to the media
It doesn’t matter whether your facility is located in the largest U.S. metropolitan area or a small town; a media presence exists nationwide. And when newsworthy events occur or you admit newsworthy patients into your hospital, media members will surely buzz around your lobby and pepper your phone lines in search of information.
Hospitals of all sizes must develop and enforce strict rules that guide staff members who receive media requests for information. And a well-written policy is only the beginning; staff members must be trained to ensure that they respond appropriately to persistent members of the media trying to scoop the competition.
First things first
Start by implementing a comprehensive policy or an internal structure that directs all requests—not just those you deem questionable or malicious—to your media relations or marketing department. The belief that media challenges occur only on those rare occasions when a celebrity crosses your threshold is a common misconception.
The likelihood that Brad Pitt will walk into most hospitals is virtually nil. But the town mayor might become a patient, and that could attract the attention of local media. A crime that occurs on your premises could also spark interest, as could the admission of a crime victim or alleged perpetrator.
Members of the media seeking tabloid fodder raise obvious concerns, but the pursuit of seemingly harmless human interest stories may also be problematic. For example, consider the media outlet striving to photograph the first baby born in 2009. As innocent as this might appear, proper authorization from the infant’s family is necessary; otherwise, it could be a HIPAA violation.
What HIPAA says on the subject
“Hospitals may release patient identity, even indirectly identifying a patient, to the media only with the written authorization of the patient or patient’s legal representative,” says Kate Borten, CISSP, CISM, president of The Marblehead Group, a healthcare information security and privacy consulting group in Marblehead, MA. “Details, such as a patient’s medical diagnosis, are also only released as authorized by the patient or legal representative.” Your state law may be more restrictive.
“Keep in mind that state law may be more stringent in regard to sensitive information, such as substance abuse and behavioral health conditions,” says Lisa K. McCusker, CPC, corporate compliance and privacy officer at Sisters of Providence Health System in Springfield, MA. “State law determines what can be released, and, most often, this sort of information can never be released,” she says. Your organization’s policies might be even more restrictive than state law or HIPAA.
“Policies of the hospital should define these rights of the patient and what can and cannot be released,” says McCusker, whose advice is to play it safe. “You should always follow the most restrictive policy.”
All PHI deserves respect
Patients may release any protected health information (PHI) they choose. But written patient authorization is necessary for a healthcare provider to release PHI to the media.
The following information requires authorization so as not to compromise a patient’s identity:
- Reports of birth
- Discharge and admission data
- Detailed statements on patient condition
- Audio and imaging
- Patient interviews
- Interviews with the patient’s provider
PHI isn’t necessarily clinical in nature. Regardless of whether it’s a patient’s diagnosis or apartment number, PHI is PHI. “HIPAA does not make the distinction between a patient’s demographic information and clinical information,” Borten says. “It’s all confidential.”
Certain information is potentially more damaging if it is released without authorization. For example, releasing the names of patients treated at an AIDS clinic reveals a clinical diagnosis, but releasing patient names at a dentist’s office is rather innocuous, Borten says.
Organizations that haven’t established a media relations department or designated a spokesperson should do so; this measure will help ensure proper management of media inquiries and appropriate responses.
Establish a written policy that requires all media requests to proceed through designated channels and considers any exception to this practice a breach of the policy.
“Follow the KISS (keep it simple, stupid) rule,” says Borten. “Just don’t talk to the media other than to give the name of [the media contact].”
Mistakes are more likely when someone is unsure of the appropriate response, so it’s never wise to permit anyone other than designated staff members to respond to media requests, McCusker says. Organizations that designate a specific department to respond to media requests, such as marketing or PR, are often among the most successful in this regard, she says.
Emphasize to your staff members that this is a serious concern. Organizations respond to breaches differently, but most policies include sanctions that range from verbal to written disciplinary action, as well as suspension and termination.
Creating a list of the various types of media that may request information is a good idea, says Borten.
For example, staff members might not consider bloggers members of the media. The need to reroute them to the media relations department might not be as obvious as the need to refer traditional newspaper and television reporters there.
Include training on handling media requests in your basic orientation and HIPAA training package, and keep it simple, McCusker says.
The goal of your training sessions should be to tell staff members who the organization’s spokesperson is and to make clear that passing requests on to that person is the only appropriate response to media requests.
The spokesperson, as well as others in the media relations department, should also ensure that certain areas, such as sterile environments and examination rooms, are off-limits to members of the media, McCusker says.
Health Information Compliance Insider, September 2008, HCPro, Inc.