AAMC/UHC - Convergent Validity: A forum for AMC’s to Discuss HIPAA Implementation

Media Issues and Proposed Draft Policies

1. How do we handle requirements for "narrative journalism" where health professions students writes a narrative regarding a patient that will later be used for external relations purposes?
2. How does the news office pitch a patient or service-related story?
3. How does IA respond to a reporter's request for a story?
4. How does IA create a database for future stories and communications? When the media calls and wants a condition report on a patient, what can we say?
5. During a major disaster, what information can we give to family members calling for information? The Media? To public entities (police, fire, etc.)
6. How does the news office pitch a patient or service-related story?
7. How does the news office respond to a reporter's request for a story?
8. What does the news office do about professionals on contract?
9. Does HIPAA require us to sign business associate or confidentiality agreements with reporters and other media representatives?

   
   Draft Policy # 1: If News Office/external relations staff want to contact a patient regarding the use of their PHI for a media or other external communication, the patient's health care provider or provider team must make the initial contact with the patient and seek the patient's agreement for contact by IA staff. Prior to any disclosure to outside entities or contact of the patient by outside entities, the patient must sign a HIPAA Authorization form. The University must retain a copy of the signed authorization

   Draft Policy #2: For the purpose of developing an IA database for future media or IA stories, a signed authorization must be obtained from the patient. The University may seek written authorization from the patient at the time of admission or discharge.

   Draft Policy #3: If the patient is in the facility directory and the reporter asks the CE for the individual by name, the CE can answer only that the individual is in the facility and the person's condition. The CE is not allowed to search for an individual that matches a description or incident-e.g., "Can you tell us who was brought in as a shot gun victim at 2:00 a.m. Saturday night?

   If the individual is a celebrity or some other individual that has not yet received the Notice or been given an opportunity to opt out of the Facility Directory (e.g., due to an emergency situation), the CE is expected to use its best judgment regarding whether or not the individual would have opted out of the facility directory if she/he were given the choice. In those cases, no information should be provided to the media or any other caller.

   
   Draft Policy #4: HIPAA does not grandfather-in existing data bases unless the covered entity has obtained the required legal permissions that would permit databases to continue to operate after April 2003. For News or External Relations purposes, databases that contain disease or diagnosis specific information should be updated with the patient's authorization. IA should consult with either the Privacy Officer (campus or system) or the Office of the General Counsel regarding existing databases, information contained and purposes for which it will be used and by whom in order to determine if additional legal permissions are necessary.