Release of Patient Information under HIPAA

What is HIPAA?

HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of 1996, which was signed into law by President Bill Clinton in 1996. The law calls for administrative simplification through the adoption of national uniform standards for the electronic transmission of certain administrative and financial transactions. More relevant to the news media, HIPAA also requires covered entities (providers of medical services) to implement security and privacy standards.

Who is considered a covered entity and subject to fines and penalties under HIPAA?

All health care providers, including hospitals, physicians and emergency medical or ambulance personnel, that transmit protected health information (PHI) in electronic form are considered covered entities. Police, firefighters and family members are not considered covered entities under HIPAA.

Why should the media care about HIPAA?

HIPAA’s privacy standards may change and limit the information about patients that members of the media previously have been accustomed to obtaining from hospitals.

How will HIPAA change the way medical providers release patient information to the media?

Under HIPAA, hospitals may maintain a directory that may include a patient’s name, location in the hospital, general condition and religious affiliation. If a hospital chooses to maintain a directory, a patient must be given the opportunity to object to or restrict the use or disclosure of this information. In no event may information concerning a patient’s religious affiliation be released, except to the clergy.

What about patients who are unconscious or otherwise unable to give advance consent for release of their information?

The privacy regulations address situations where the opportunity to object to or restrict the use or disclosure of information cannot be practicably provided because of an individual’s incapacity or emergency treatment circumstance. In such a case, a health care provider may use or disclose an individual’s protected health information if the use and disclosure is (1) consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and (2) in the individual’s best interest as determined by the covered health care provider, in the exercise of professional judgment. Both conditions (1) and (2) must apply for a provider to release patient information under HIPAA if the patient is incapacitated.

So, for example, if a reporter is covering a traffic accident and calls the hospital asking for information about the condition of a vehicle’s occupants, citing the location of the accident but not the victims’ names, can the hospital provide a condition report?

Any individual, including members of the media, may request information about a patient, but directory information may be released only if the media or the public asks for the patient by name and only after the patient has been given the opportunity to object to or restrict the release of directory information. If a patient is unable to communicate for the purpose of objecting to or restricting the use of directory information, such information can be released only if past preferences are known and disclosure is in the best interests of the patient, in the professional judgment of the medical services provider.

What if the reporter asks about the accident victim by name?

If an individual, including a representative of the media, asks for information about the patient by name, only directory information may be released and only if the patient has not objected to or restricted the release of the information.

What if a reporter calls with information that is already part of the public record, such as name or condition of the patient obtained from police reports?

Police reports and other information about hospital patients often are obtained by media. The claim is frequently made that once information about a patient is in the public domain, the media is entitled to any and all information about that individual. This is not true. Health care providers are required to observe the general prohibitions against releasing PHI about patients found in the HIPAA privacy standards, state statutes or regulations and the common law, regardless of what information is in the hands of public agencies or the public in general. Requests for PHI from the media on grounds that a public agency, such as law enforcement, is involved in the matter should be denied.

Can a hospital confirm that a patient has died?

Yes. The fact that a patient has died may be released as part of the directory information about the patient's general condition and location in the facility if other conditions related to directory information are met (for example, the patient must have had an opportunity to object to inclusion in the directory).

Do restrictions on the release of patient information change if a disaster occurs?

Hospitals or other covered entities, pursuant to the HIPAA privacy standards, may disclose PHI to a public or private entity authorized by law or its charter to assist in disaster relief efforts. PHI also may be released to these types of organizations for the purpose of coordinating with such entities in contacting a family member, personal representative or person directly responsible for a patient’s care.

How does HIPAA apply to minor children?

Minor children (under the age of 18) may have information released with the consent of a parent or legal guardian, in accordance with the preceding guidelines. Minors under age 18 who are authorized to consent to specific medical procedures under state law retain control over the use and disclosure of PHI.

When do these new privacy rules become effective?

HIPAA became effective April 14, 2001. Enforcement of the new regulations began April 14, 2003.

How are violations enforced?

Violations will be enforced on a complaint basis by the U.S. Department of Health and Human Services’ Office of Civil Rights.

What are the penalties for violations of HIPAA?

The government may impose civil and criminal penalties of as much as $50,000 and/or imprisonment for as long as one year. If the offense is one of disclosure under false pretenses, the fine is a maximum of $100,000 and/or imprisonment for as long as five years. If the offense is committed with the intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm, the fine is a maximum of $250,000 and/or imprisonment for as long as 10 years.

Are there situations in which hospitals might establish policies for release of patient information that are even stricter than those provided in HIPAA?

HIPAA privacy standards regulations establish a minimum acceptable threshold for the use and release of PHI. State and federal law, as well as hospital policies, may establish stricter standards. For example, hospitals typically are very cautious about releasing PHI about any patient associated with the commission of a crime or where the safety and security of both patients and hospital personnel may be jeopardized.

Are there other restrictions on the release of patient information, in addition to those imposed by HIPAA or hospital policy?

In addition to the limitations on release of PHI imposed by the HIPAA privacy standards, state and federal law also may impose specific limitations.

For example, the release of any information concerning the HIV/AIDS status of a patient is prohibited under Missouri and Kansas state law.

Patients admitted to an organized alcohol or drug-treatment program that receives any federal support are entitled to complete confidentiality, including whether they are in the program or not. Release of information about such patients must be accomplished in a specific manner established by federal regulations.

If a patient has been given the opportunity to restrict PHI and has not opted to restrict information, what kinds of condition information may be disclosed?

If HIPAA privacy standards are met, general-condition information may be provided that does not communicate specific information about the individual. The American Hospital Association recommends the following one-word descriptions of a patient’s condition.

  • Undetermined — Patient awaiting physician and assessment.

  • Good — Vital signs are stable and within normal limits. Patient is conscious and comfortable. Indicators are excellent.

  • Fair — Vital signs are stable and within normal limits. Patient is conscious but may be uncomfortable. Indicators are favorable.

  • Serious — Vital signs may be unstable and not within normal limits. Patient is acutely ill. Indicators are questionable.

  • Critical — Vital signs are unstable and not within normal limits. Patient may be unconscious. Indicators are unfavorable.

  • Treated and Released — Patient received treatment but was not admitted.

  • Deceased

Note: The term “stable” should not be used as a condition. Furthermore, this term should not be used in combination with other conditions, except for those described above, because most conditions, by definition, often indicate a patient is unstable. With written authorization from the patient, a more detailed statement regarding a patient’s condition and injuries or illness can be drafted and approved by the patient or legal representative.

Are EMS units or ambulance services considered covered entities under HIPAA?

EMS units or ambulance services that provide health care services to patients are considered health care providers under HIPAA. However, health care providers, including EMS and ambulance services, are considered covered entities subject to the HIPAA patient privacy regulations only if they transmit any health information in electronic form.

EMS units frequently ask hospitals for protected health information to conduct quality review activities and for payment purposes. Is the disclosure of PHI to EMS units by hospitals allowable because it is considered to be “use and disclosure of PHI for treatment, payment and operations” under HIPAA?

Recent changes to the privacy regulations published Aug. 14, 2002, allow disclosure of PHI from one covered entity to another for these purposes.

Can clergy obtain access to names of patients in a hospital to determine if members of their congregations have been admitted?

Yes, if a patient has given permission. A patient must be asked by a hospital if his or her name may be included in a hospital directory. A patient also must be asked if religious affiliation may be included in the directory. The patient may agree or object to the inclusion of his or her name or religious affiliation in the directory. If the patient objects to inclusion of his or her name, clergy may not be told that person is in the hospital. If the patient does not object, clergy may receive the directory information without asking for the patient by name.


Missouri Hospital Association
November 2003








©2003 Missouri Hospital Association, 4712 Country Club Drive, P.O. Box 60, Jefferson City, MO, 65102-0060