HIPAA overused to hide key COVID-19 data, Iowa journalism group claims

The head of The Iowa Freedom of Information Council says patient privacy laws are being cited too broadly for reasons not to give out data on COVID-19 outbreaks.

Executive Director Randy Evans says several journalists have reached out over denied requests for data on the number of COVID-19 tests performed in a county or hospitalization rates. In most cases, state and county officials cite the federal HIPAA law as why.

HIPAA stands for Health Insurance Portability and Accountability Act. It specifically prevents health care providers from giving out information on a specific patient. It does not prevent government agencies, hospitals or businesses from giving out statistical data about an illness, such as the number of cases in a hospital or workplace.

"That's why you see hospitals publish reports about the number of babies born each year," Evans said.

"The public is scared, is worried," Evans added. "They are concerned about local hospitals filling up, whether there will be space available if a friend or relative comes down with the disease, whether there will be enough ventilators available in a specific location. These concerns are aggravated by a lack of information and at a time like this, I think the government ought to be coming forward with more information, not less."

However, county and state health officials have cited HIPAA in denying requests for county-specific hospitalization rates for COVID-19 patients or to confirm whether a COVID-19 case was confirmed in a specific workplace.

Health officials have cited guidance that confirming or releasing broad information about a small subset of people could lead to indirect identification of an individual as reasons for not releasing some data and information.