What to know before disclosing PHI to the media

As healthcare professionals and organizations navigate the balance between transparency and privacy, one aspect that demands careful consideration is the disclosure of protected health information (PHI) to the media. HIPAA regulates the use and disclosure of PHI, and healthcare organizations must comply with its standards when disclosing PHI to the media. 

HIPAA and PHI

HIPAA sets the standards for protecting PHI. This includes individually identifiable health information held or transmitted by covered entities, such as healthcare providers, health plans, and healthcare clearinghouses. PHI comprises various elements, from medical history and treatment details to payment information and personal identifiers.

The primary goal of HIPAA is to ensure the confidentiality, integrity, and availability of PHI while allowing for the necessary and appropriate use and disclosure of information in the provision of healthcare services.

Related: What is protected health information (PHI)?

HIPAA rules for disclosing PHI to the media

Under HIPAA, the disclosure of PHI to the media is generally prohibited unless specific conditions are met. 

A patient's signed authorization is often required before sharing PHI with journalists or media representatives. This authorization must be explicit and written and contain the elements specified in HIPAA regulations.

Additionally, the "minimum necessary rule" is a principle that requires covered entities to share only the minimum amount of PHI necessary to accomplish the intended purpose. This ensures that patient privacy is preserved and minimizes the risk of unnecessary or inappropriate disclosures.

Related: What is the minimum necessary standard?

Exceptions and permissible disclosures

Despite the general rule requiring patient authorization, there are exceptions and situations where covered entities may disclose PHI to the media without explicit consent. 

1. Media directory exception: Covered entities may disclose limited directory information about a patient if the patient hasn't objected and the media representative specifically requests the patient by name. This information is typically limited to the patient's name, location, and general condition (e.g., stable, critical).
2. Public interest and public health situations: In cases of public health emergencies, infectious disease outbreaks, or other events of public interest, covered entities may be allowed to disclose PHI to the media to inform the public, raise awareness, and provide health-related guidance. However, the information disclosed must be limited to what is necessary to address the public health concern.

HIPAA compliant practices for disclosing PHI to the media

1. Secure patient authorization: Obtain explicit, written authorization from patients before sharing their PHI with the media. Ensure that the authorization clearly states the purpose of the disclosure and the information to be shared.
2. Follow the minimum necessary rule: Share only the minimum amount of PHI required for the media's specific purpose. Review and redact any nonessential information to protect patient privacy.
3. Train staff on HIPAA compliance: Educate all staff members about the importance of patient privacy, HIPAA regulations, and the proper handling of media inquiries. Ensure employees understand their responsibilities and the potential consequences of improper PHI disclosures.
4. Seek legal and compliance guidance: Consult legal counsel or HIPAA compliance officers when dealing with complex media requests involving PHI. Professional guidance can help navigate intricate situations and ensure all actions align with legal and ethical standards.
5. Establish media response protocols: Develop clear protocols for responding to media inquiries regarding patient information. Designate a specific spokesperson or team to handle media communications and make sure they are well-versed in HIPAA compliance.
6. Secure transmission and storage: Even with patient authorization, responding to a media inquiry with PHI must still be done securely, for example, via HIPAA compliant email. Any PHI shared must also be stored according to HIPAA regulations too.