Critical information about coronavirus pandemic is kept secret in California. Here’s why
In Siskiyou County, a sprawling 6,347-square-mile region along the Oregon border, local officials have refused to say in which communities the handful of people infected with the coronavirus are living. They say the “privacy of the patients is of utmost priority.”
The county’s top health official thinks people are better off assuming the whole county of about 44,000 people is infected. Because testing for the coronavirus has been so limited, “he wants anyone to assume you can catch it from any town,” said Brooklyn Tupman, a spokeswoman for the county.
Siskiyou County is not unique in citing “patient privacy” to withhold information that could give the public and policymakers a sense of where COVID-19 is hitting the hardest.
Hospital officials across the state, including those in Sacramento, are refusing to say how many patients and hospital staff have tested positive for the new coronavirus, citing the same patient privacy concerns. Even the raw numbers are considered confidential.
Likewise, the California Department of Social Services on Friday cited “confidentiality” in explaining why it would not immediately release details about senior-living centers known to have confirmed COVID-19 cases.
A spokeswoman for the state’s county jail oversight board cited federal privacy law as part of the reason why the agency had no plans to collect and publish data about the number of sick inmates and staff in local facilities.
The regulation most often cited to prevent the release of information is HIPAA, a federal law intended to protect patients in health care settings from having potentially embarrassing medical records released without their consent.
But in each of these cases, the law doesn’t apply, experts say, because there’s no realistic way for the public to glean individual patient information from the release of raw numbers for hundreds, if not thousands, of residents, employees and patients.
Reporters and the public have been clamoring for health care data in recent months — to discover where it’s spreading, who’s getting sick, where to deploy medical personnel, and whether stay-at-home orders are working. But many agencies have been using the crisis as a pretext to withhold medical data from the public, interviews and documents show.
Stretching the meaning of “patient privacy” to limit information is just one of several longstanding problems with HIPAA — at a time when the public needs accurate, timely information to plan responses in the pandemic, said Art Caplan, director of the medical ethics program at New York University’s Langone Medical Center.
“I’ve been bitching about this in terms of pandemic preparedness and the need to move information around more rapidly,” Caplan said, “so that you can track outbreaks so you know where you want to deploy resources and try to figure out if your first responders are adequately staffed.”
Health information shrouded in secrecy
The federal government has taken some steps to ease HIPAA restrictions in the current pandemic. The Department of Health and Human Services Office of Civil Rights said it would allow “the good faith uses and disclosures of protected health information” among federal agencies, including the U.S. Centers for Disease Control and Prevention.
But at the state level and elsewhere, data secrecy has stymied efforts to uncover detailed information about the spread of the disease. In Florida, Gov. Ron DeSantis refused to name nursing homes where patients tested positive, citing patient confidentiality. In Iowa, health officials in several counties refused to say how many people had taken COVID-19 tests, citing HIPAA.
Health care experts say communities and researchers need to know where the disease is spreading to track surges in the most at-risk groups, such as at nursing homes and in other at-risk communities. HIPAA, they say, also hinders community-wide disease surveillance and, with it, targeted quarantines that would be necessary to “flatten the curve” and slow the spread of the disease.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, a federal law signed by President Bill Clinton that protects patient confidentiality in medical settings, a particular concern as more and more medical records are kept electronically. Hospitals, insurers and health care providers face fines and lawsuits if they intentionally or accidentally release patient medical files.
Critics of the law say HIPAA has been used to shroud American health care in secrecy over the past 25 years and makes it difficult to conduct independent health care research. The law’s privacy rules also have shielded public access to health care billing and medical trends, preventing independent scrutiny that could expose medical price gouging, unscrupulous doctors and unsafe conditions at hospitals and clinics.
Others say the law has been used to punish health care workers who speak out about problems in their medical centers.
“It has been a gag on us. We’re unable to innovate. We’re unable to speak out,” Dr. Zubin Damania, a Las Vegas physician, comedian and internet personality, wrote in Medpage Today last week, in response to doctors being fired for speaking out about the lack of protective equipment in their facilities. “HIPAA should be a choice for the patient. They control their privacy, not you.
“How many times have we heard HIPAA being used as a sword against clinicians who need to speak out? ‘Well, we’re worried about patient privacy.’ No, you’re not. You’re worried about someone figuring out how much you make and how little you do to actually help patient care.”
Caplan, the New York medical ethics expert, said there are likely other motives at play for why medical and county officials might refuse to release COVID-19 case information. Hospitals are worried about losing money or scaring away people from seeking care at their facilities if they announce they have more COVID-19 cases than a competing medical center in the same community, he said.
Rural county health officers may also not want to scare people from doing business in certain towns if one community has more infections than another, he said.
“I can imagine a lot of reasons,” Caplan said, “but on that list, HIPAA is not one of them.”
He is part of a growing chorus calling for reforming the law. While there should be rules that keep identifiable patient information from being disclosed, data breaches and other gaps have all-but-rendered the law useless, Caplan said. Instead, the well-intentioned law has become a convenient way to keep information under wraps indefinitely.
“We’ve learned something else since HIPAA was passed: it’s a brutal failure because no one really thinks it protects privacy in any really serious way,” Caplan said. “It’s not working.”
‘Respect for patient privacy’
Hospitals last month repeatedly cited patient confidentiality to prevent the release of information about infections among their employees.
After the CEO of UC Davis Health alerted staff members that coworkers were getting sick at the UC Davis Medical Center in Sacramento, The Bee attempted to find out how many employees and patients there and across the region had tested positive for COVID-19.
As has been the case elsewhere in the U.S., the paper’s request for COVID-19 information hit a wall.
“State and federal privacy laws prohibit UC Davis Health from disclosing patient-identifiable information to the media,” hospital spokesman Edwin Garcia said in an email. “Similarly, to protect the privacy of our employees, we do not release health information or this kind of employment-related information about our workforce.”
The response was similar when The Bee asked whether Kaiser Permanente’s “advice nurse” call center on Arden Way in Sacramento had any COVID-19 cases.
“Out of respect for Public Health oversight, and respect for patient privacy, we do not provide information about suspected or confirmed COVID-19 cases,” the hospital chain wrote in an email.
Meanwhile, several health care workers who work in California hospitals have voiced concern that hospital managers are threatening to fire them if they try to do their own research — even for looking up the number of cases inside other medical centers within their hospital chains.
California’s county governments have continually cited the same confidentiality line in denying or limiting what information is released, saying providing too much information could identify patients, stigmatize certain communities where outbreaks are happening, and lull communities where no positive cases have occurred into a false sense of security.
When the first case of the new coronavirus was confirmed in Yolo County, county public health officer Dr. Ron Chapman said he couldn’t disclose at which hospital the patient was treated, or whether the patient had arrived by ambulance.
“I can’t share with you, again for privacy reasons, all the details,” Chapman said.
Asked when the woman first arrived at the hospital, he told reporters at a March 6 press conference, “Can’t share that information.” As to where the woman is from? “Again, for privacy reasons, I can’t share that information,” he said.
Yolo County began publicly releasing additional information about COVID-19 patients earlier this month, including where cases originated. On Monday, the county announced its first coronavirus outbreak linked to a nursing facility, which now accounts for about one-third of the county’s confirmed cases. Public health officials declined to say what nursing home it was, citing patient privacy.
The lack of specific information from local health departments has frustrated some government officials.
Last month, Rey Leon, the mayor of Huron, a small town in western Fresno County, got word that someone infected with COVID-19 may have attended a wedding in his community. But the county’s health department has refused to tell him if that was the case.
Leon said he found out through others in the city and believes the wedding party included over a dozen people.
In an email to The Fresno Bee, Fresno County Health Department spokeswoman Michelle Rivera said the department “does not share confidential information such as a person’s place of residence or employment, etc. due to HIPAA.”
If county officials believed the public was exposed in a “high risk” event, officials would reach out to the media to spread the word on who may have been exposed and where, she said.
Following the report of the wedding party, the Fresno County Health Department finally released a breakdown of COVID-19 cases by each community. Huron has five confirmed cases as of Monday.
Leon said he thinks there was “enough advocacy” among small city mayors in the county for the health department to give a case breakdown to give residents more information.
The report of the wedding party sent residents panicking, he said. Some directed their anger and confusion at him.
Leon said he was accused of inciting panic himself, but he insists he decided to make a public statement about the party to inform residents of the potential risk sooner rather than later. He said “everybody knows everybody” in Huron.
“I moved with the intent of being safe and not sorry. I would do it all over again,” Leon said. He added, “It’s the mayor that always gets the blame.”
The neighboring city of Coalinga reported Monday on Facebook that health officials told city leaders they’d stopped notifying cities about COVID-19 specific patient numbers because “many communities are getting too comfortable in the idea that they have no confirmed cases and then not taking the guidelines seriously.”
Privacy reforms needed?
A pandemic is not the time to withhold information from the public, said David Snyder, executive director of the First Amendment Coalition. The public benefits when more information can be shared, giving people the context they need to make informed decisions.
“It’s more crucial now more than ever for public health authorities and for the general public to understand in as much detail as possible how the virus is preceding and who’s being infected and where,” Snyder said.
Experts say even if the law isn’t being cited incorrectly, America’s iron-clad patient privacy protections under HIPAA also will hinder the sorts of widespread “contact tracing” that has allowed South Korea, Singapore and Hong Kong to aggressively “flatten the curve” and limit the number of infected patients as American cases exploded.
South Korea, for instance, used cell phone data, surveillance cameras, and credit card transaction records to map and contain the disease among individual patients and those with whom they came into contact.
In an interview with NPR Thursday, Robert Redfield, the director of the Centers for Disease Control and Prevention, said to restore American life back to normal, the country would need to not only ramp up testing, but also be “very aggressive” in contact tracing.
Patient privacy protections are going to make that sort of aggressive community detective work that much harder, experts say.
It’s also hindering researchers’ ability to study the disease. Without widespread sharing of patient information, epidemiologists are forced to rely on news accounts and from data collected outside the US where details about patients were more widely shared.
America’s patient privacy laws serve patients well during normal times, but the barriers they create during a crisis shows why they need to be waived temporarily and then reformed when the crisis is over, said Dr. John Swartzberg, a professor emeritus at UC Berkeley School of Public Health.
“We have to say, ‘Absolutely as soon as this is over, we have to go back to making sure patients have privacy.’ Could (the law) be tuned up? Of course, HIPAA drives everyone crazy sometimes,” Swartzberg said.
“But now’s not the time to be arguing over those details. Now’s the time to say, ‘Let’s loosen (the law) so we can preserve life,’ and then, when we go back to where we were before, at that time, we can evaluate what’s good about HIPAA and what maybe we don’t need.”
This story was originally published April 14, 2020 at 5:00 AM with the headline "Critical information about coronavirus pandemic is kept secret in California. Here’s why."