Reports of COVID-19 Diagnoses by Media Suggest Violations of HIPAA
When famous people are diagnosed with an illness or suffer an accident, that can be headline news. The Health Insurance Portability and Accountability Act (HIPAA) has no provisions that cover newspapers, websites, or other media outlets. Consequently, reporters can publish information about injuries and illnesses without fear of any reprisals, at least as far as HIPAA is concerned. When health information is reported, the reporter may be in the clear but that does not mean that HIPAA has not been violated.
There have been several cases where reporters have been contacted by hospital employees and have been provided with information about famous patients. When that information has been provided to a reporter by an employee of a hospital or other HIPAA-covered entity, the individual leaking the information will have violated HIPAA. A disclosure of protected health information (PHI) to the to the media by a hospital employee is generally not permitted by the HIPAA Privacy Rule.
The exception to the rule being if authorization has been given by a patient, in writing, to speak with the media and to disclose certain information, or when a request is received about a patient, by name, for information. In the case of the latter, it is permitted only to disclose general information about the patient, such as their status – deceased, critical, stable etc. – and only then when a request has been received about a patient who is mentioned by name.
Back in 2015, the New York Giants player, Jason Pierre-Paul, had details about a finger injury reported by ESPN reporter Adam Schefter. Schefter had not violated HIPAA, but his source was almost certainly at the hospital where Pierre-Paul had received treatment and that individual would have violated HIPAA.
More recently, a physician at Allergy Associates of Hartford in Connecticut spoke to a local news outlet about a patient who had submitted a complaint. Despite being advised by the practice not to speak to the media, and to instead to say ‘no comment’, the physician spoke out, and impermissibly disclosed some of the patients PHI. The HHS’ Office for Civil Rights (OCR) took action over the HIPAA violation and fined the practice $125,000 for the violation.
Disclosures to the media about illnesses has come under the spotlight once again following reports in the media about two high profile patients who have contracted COVID-19.
Ezekiel Elliott, a running back for the Dallas Cowboys, was named as having contracted COVID-19 by the NFL reporter Ian Rapoport, who tweeted about the diagnosis. The source of the information was not disclosed, but Elliot was certainly not best pleased. Elliott tweeted suggesting HIPAA may have been violated.
Around the same time, another disclosure to the media about a COVID-19 diagnosis was made, and again, questions have been raised about a potential HIPAA violation. Melinda Mitchel, Mayor of St. Martinsville in Louisiana, contracted COVID-19 and a newspaper reported that she had tested positive. That information had not come from the mayor’s team, and it appears that a hospital or testing facility employee may have leaved the information. Mayor Mitchell’s lawyers are now investigating to try to uncover the source of the leak and will take action if it turns out that HIPAA has been violated.
The issue of disclosures to the media has been covered by the HHS’ Office for Civil Rights on multiple occasions, but a reminder was issued on May 5, 2020 that the HIPAA Privacy Rule remains in effect during the COVID-19 public health emergency. While Notices of Enforcement discretion have been issued by OCR about certain aspects of HIPAA Rules, disclosures to the media are not covered and can still attract major financial penalties. PHI can only be disclosed to the media if prior authorization has been obtained from the patient in writing, and that also applies to hospitals considering allowing film crews on the premises.