HIPAA Quick Reference Guide for Media
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
mandated regulations that establish standards to protect the privacy of
each person's individually identifiable health information. All hospitals
must comply with these privacy standards - and the rules regarding the
way hospitals may use or disclose Protected Health Information (PHI).
As providers of information, Baton Rouge General is obligated to ensure
that the facts, they are authorized to release, are as accurate as possible.
The hospital's first responsibility is to protect the confidentiality,
health and legal rights of each patient. To ensure that reporters receive
timely and accurate information, please contact the General's Media
Relations staff. Media should not contact Baton Rouge General patients directly.
The Hospital Directory
Under the Privacy Rule, a hospital must provide each of its patients with
a Notice of Privacy Practices that, among other things, describes the
uses and disclosures that the hospital may make of patients' PHI,
including uses and disclosures in its Hospital Directory of patients.
HIPAA privacy regulations restrict the information health care providers
may include in a patient directory and release to the public, including
Disclosure of Directory Information
The Notice of Privacy Practices requires hospitals to inform the patient
of the persons to whom the hospital may disclose the PHI that is included
in the Hospital Directory:
- The hospital may disclose the patient's name, location in the hospital,
and general condition, only if the inquiry specifically identifies the
patient by name. No information may be given if a request does not include
a specific patient's name or if the patient requests that the information
not be released. This includes inquiries from the press.
- As long as the patient has not requested that information be withheld,
hospitals may release the patient's one-word condition and location
to individuals who inquire about the patient by name.
Definitions of Patient Conditions
Under the Privacy Rule, the Hospital Directory may include a one-word,
general description of the patient's condition that does not communicate
specific medical information about the individual. These one-word descriptions
should be disclosed only if 1) the patient has not opted out of the Hospital
Directory, and 2) the person inquiring about the patient asks about the
patient by name. The following terms are recommended by the American Hospital
Association's Society for Healthcare Strategy and Market Development:
- Undetermined - Patient awaiting physician assessment.
- Good - Vital signs are stable and within normal limits. Patient is conscious
and comfortable. Indicators are excellent.
- Fair - Vital signs are stable and within normal limits. Patient is conscious,
but may be uncomfortable. Indicators are favorable.
- Serious - Vital signs may be unstable and not within normal limits. Patient
is acutely ill. Indicators are questionable.
- Critical - Vital signs are unstable and not within normal limits. Patient
may be unconscious. Indicators are unfavorable.
Option to "Opt Out" of the Directory
The hospital must give the patient the opportunity to restrict or prohibit
some or all of these permitted disclosures of the PHI that is to be included
in the Hospital Directory, including restricting the use or disclosure
of one or more categories of PHI (e.g., a patient could opt to have his
or her name and location, but not his or her condition, included in the
Patients Who Are Unable to Consent to Inclusion in the Hospital Directory
If a patient is unconscious or otherwise incapacitated when he or she is
brought to the hospital and cannot agree or object to his or her inclusion
in the Hospital Directory, the hospital may use and disclose the Hospital
Directory Information to people who ask about the individual by name if
such disclosure is consistent with any known preference of the patient
(e.g., if the patient expressed a preference when he or she was a patient
at the hospital in the past) and if the hospital believes that such disclosure
is in the patient's "best interest." The hospital must notify
the patient of his/her right to agree or object to inclusion in the Hospital
Directory as soon as the patient is conscious and able to make that decision.
Beyond the One-Word Condition: Media Access to Patients
Media representatives and photographers should contact the hospital's
designated spokesperson for assistance in obtaining interviews and/or
photographs of patients, employees and areas of the hospital. Hospital
policies usually require that a hospital representative accompany news
personnel any time they are on hospital grounds. No photographs, audio/visual
recordings or interviews of patients may be taken within the facility
or on hospital property without the patient's prior written consent,
or the written permission of a parent or legal representative. Even with
permission, news media representatives should use good judgement when
airing images or printing photographs of patients who are ill or injured.
Deceased or unconscious patients should NEVER be photographed under any
circumstance, regardless of whether they are in the hospital or on hospital property.
The following activities require a written and signed authorization that
meets all HIPAA privacy standard requirements from the patient:
- Releasing a detailed statement (includes anything other than a one-word
condition); the patient or his/her legal representative must sign the
written authorization approving any detailed statement;
- Taking photographs (either video or stills) of the patient; and
- Media interviews with patients.
Matters of Public Record
Matters of public record refer to situations that are reportable by law
to public authorities, such as law enforcement agencies, the coroner or
public health officer. Patients who are involved in public record situations
have the same privacy rights as all other patients. Inquiries should be
directed to the appropriate public authority. The public authority will
be guided by the applicable federal or state statutes as to whether or
not it can release information. Celebrity and public figures are not subject
to different standards than other patients when it comes to hospital policies
for releasing information to the media.
Requests for Extensive Patient Information
If a member of the press is seeking information about a patient's condition
and/or treatment at the hospital that goes beyond the basic information
that is provided in the Hospital Directory (e.g., a detailed statement
about the patient's condition, a photograph of the patient, or an
interview with the patient), the hospital public relations department
must obtain written authorization from the patient to use and disclose
that PHI. This authorization must describe in detail how the information
will be used and to whom this information will be disclosed, and must
establish a specific point in time (a date or an event related to the
patient or the purpose of the use or disclosure) at which the authorization
will terminate and the use and/or disclosure of PHI will no longer be
Written Policies and Procedures
The Privacy Rule specifically requires that each hospital adopt and implement
written policies and procedures that are designed to ensure its compliance
with the Privacy Rule. Hospital public relations staff should understand
these policies and procedures, and should ensure that the hospital's
Administrative Policies and Procedures reflect any protocols that have
been changed to comply with the Privacy Rule.
Penalties for Wrongful Disclosure
Hospitals can face serious penalties for disclosing PHI about their patients
without proper permission. The U.S. Department of Health and Human Services
views wrongful disclosure of PHI as a violation of civil rights and has
delegated the civil enforcement responsibilities for the Privacy Rule
to its Office for Civil Rights (OCR). OCR will monitor compliance with,
and enforce civil penalties for violations of the standards set forth
in, the Privacy Rule. OCR will refer criminal violations to the U.S. Department
of Justice. The criminal penalties for wrongful disclosure of PHI fall
into three categories:
Up to $50,000
Up to 1 year
Up to $100,000
Up to 5 years
Intent to Sell, Transfer or Use for
Commercial Advantage, Personal Gain
or Malicious Harm
Up to $250,000
Up to 10 years
A reporter who obtains PHI in violation of the Privacy Rule under "false
pretenses" (for example, where the reporter does not identify him/herself
as a member of the press) could be subject to a criminal penalty under
HIPAA of up to five years in prison and/or a $100,000 fine. In addition,
members of the press could be subject to common law tort liability for
breach of privacy by writing, producing, and publishing a story that uses
PHI disclosed to them in violation of the Privacy Rule.
Hospitals and news media rely on each other to provide the public with
important, timely and accurate health care information. At Baton Rouge
General, we understand this and want to work with you to keep our community
well informed while protecting the rights of all of our patients and their
families. We encourage you to contact us at any time, day or night, if
you have questions or need assistance.
Louisiana Legislative Auditor (LLA) Hotline