Balancing media disclosures and patient privacy

Healthcare organizations can fulfill their obligation to the public by providing information while remaining HIPAA compliant. This is achieved through an understanding of the limitation of patient information that may be shared and the implementation of effective policies to ensure staff maintain a standard of HIPAA compliance. 

Are practices ever compelled to share information with the media?

According to HHS guidance, “Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media.”

Healthcare organizations are typically bound by privacy laws and regulations that restrict the sharing of patient information with the media. However, there are certain circumstances under which healthcare organizations may be compelled or permitted to share information, guided by specific legislation and regulations, these include:

1. HIPAA: Under HIPAA, disclosure of patient information without consent is generally prohibited, but there are exceptions for public health activities. This includes reporting disease outbreaks to public health authorities who may then disseminate necessary information to the public.
2. Public Health Service Act: This act allows for the reporting of communicable diseases to public health authorities, who can release information to the public for health and safety reasons.
3. Emergency Medical Treatment and Active Labor Act (EMTALA): In emergencies, this act requires healthcare facilities to provide a medical screening and necessary stabilizing treatment, which may involve reporting certain types of injuries or conditions to law enforcement or public health authorities.
4. State public health laws: Various states have their own public health laws requiring healthcare providers to report certain conditions (like infectious diseases, gunshot wounds, or indications of child abuse) to local or state health departments.
5. Freedom of Information Act (FOIA): While FOIA mainly applies to government records, it can impact healthcare organizations affiliated with or run by the government. However, FOIA includes exemptions for personal and medical privacy.
6. Children’s Online Privacy Protection Act (COPPA): In cases involving minors, COPPA might come into play, especially in the context of digital health records or online health services.
7. State mandatory reporting laws: Various states have laws requiring healthcare providers to report certain conditions or incidents, like infectious diseases, to relevant authorities.

A violation of patient privacy in media disclosures

A violation of patient privacy in the context of media disclosures occurs when identifiable health information is shared without the patient’s explicit consent or in a manner that exceeds the consent given. This includes releasing specific details about a patient’s diagnosis, treatment, prognosis, or personal data to the media or public without proper authorization.

See also: Can healthcare providers disclose PHI in the media?

Strategies to balance patient privacy and public communication

1. Consent management: Obtain explicit consent from patients or their legal representatives before releasing any health information. This consent should specify what information can be disclosed and to whom.
2. Training and education: Regularly train healthcare staff on privacy laws (like HIPAA in the U.S.), ethical considerations, and institutional policies related to patient confidentiality and media relations. This training should include scenarios and role-play exercises to prepare staff for real-world situations.
3. Designate a spokesperson: Appoint trained communication officers or spokespersons who are skilled in handling media inquiries. This ensures consistent and accurate information dissemination and reduces the risk of unauthorized staff sharing sensitive information.
4. Minimum necessary information: When disclosure is necessary and consented to, share only the minimum information required for the purpose. Avoid details that could lead to the identification of the patient if anonymity is requested or required.
5. Crisis communication plans: In high-profile cases or emergencies, have a crisis communication plan that outlines how to manage media inquiries and public statements while respecting patient privacy.
6. Patient education and communication: Inform patients about their rights regarding privacy and how their information can be used. Clear communication about these rights can empower patients to make informed decisions about their own information.

See also: HIPAA Compliant Email: The Definitive Guide

How should healthcare professionals handle inquiries from the media regarding a patient's health status?

There are general best practices that organizations can follow to handle requests made by the media to access patient health status in cases including accidents or serious criminal incidents. These include: 

1. Healthcare professionals should direct media inquiries about a patient's health status to authorized personnel, like a public relations officer or communications department.
2. Always adhere to the organization's privacy policies and legal regulations like HIPAA when responding to media inquiries.
3. Do not release any patient information to the media without explicit, documented consent from the patient or their legal representative.
4. If appropriate and necessary, provide general statements that do not disclose personal health information or breach confidentiality.
5. When speaking about general health topics, healthcare professionals should stay within their area of expertise and avoid speculation.
6. Avoid medical jargon and use clear, simple language to ensure the information is easily understandable.
7. Always prioritize and respect the privacy and wishes of the patient and their family in any communication with the media.

See also: What to know before disclosing PHI to the media

FAQs

Can providers obtain consent through email? 

Yes, healthcare providers can obtain consent through email, provided it meets legal standards for security and documentation.

What is a media disclosure? 

Media disclosure involves sharing information with the public through various forms of media, typically for publicity or informational purposes.

Does an NPP cover all forms of consent? 

No, a Notice of Privacy Practices (NPP) informs patients about their rights and privacy practices; it does not cover specific consents for treatment or disclosures that require separate authorization.