The Health Information Portability and Accountability Act, or HIPAA as it is commonly called, was passed by Congress in 1996 with the goal of protecting personal information about consumer health records.
HIPAA is basically a privacy law designed to protect consumers from having their personal health information exploited by insurance companies, employers or anyone else.
While the law's original intent is laudable, it has created much additional paperwork for healthcare providers, who can face steep penalities for failure to comply with the statute. Anyone who has been to the doctor, been admitted or treated at a hospital, or picked up a prescription since the law went into effect in 2003, has either been given a copy of the privacy act or been questioned about their past receipt of a copy of HIPAA. To most of us, it seems to be just additional redtape we must wade through to attend to our medical needs.
But now, some local police and fire departments are misusing HIPAA as an excuse to not provide access to accident and fire reports to the local media.
In one instance, the offending fire department refused to produce a report from a house fire, using the excuse that the homeowner was injured in the blaze, and therefore release of the information would be a violation of HIPAA. The department refused to even release the address of the home involved and the name of the homeowner. What an unbelievable stretch of the law!
Just as HIPAA's purpose was to prevent confidential medical information from falling into the wrong hands, it now appears that the law itself is being illegally used by safety forces in an attempt to circumvent the public's right to know.
The Ohio Public Records Act clearly addresses HIPAA and states that "HIPAA does not apply" in cases where state law requires that the record be released.
HIPAA covers only "protected health information" or PHI. How could the name of a fire victim, his address, or even the name of the hospital to which he was sent for treatment be considered PHI?
The Open Records Act even addresses EMS run sheets. It states, "when a run sheet created and maintained by a county (public) emergency medical services (EMS) organization documents treatment of a living patient, the EMS organization may redact (edit or eliminate) information that pertains to the patient's medical history, diagnosis, prognosis, or medical condition. The organization may not redact patients' names, addresses and other non-medical personal information as part of the medical records exception."
HIPAA also states that its regulations apply only to three covered entities: healthcare providers, health plans (insurance or HMOs) or healthcare clearinghouses (such as billing services). Not to police, fire or any other public agency that is covered by the open records act. The Ohio Open Records Act states that legal counsel should be consulted if there is uncertainty about whether or not a particular public office is a "covered entity" for purposes of HIPAA.
We're not sure if local safety forces are misinformed about HIPAA, but we've encountered many cases where they are uninformed or misinformed about their requirements to comply with open records requests. We hope the offending agencies will study both regulations to be sure they are not breaking the law.
Being found in violation of the Open Records Act, just like HIPAA, can bring expensive consequences.