WILMINGTON — Because the main goal of federal, state, and country restrictions is to prevent Covid-19 cases from overwhelming hospitals, the number of patients compared to a hospital’s capacity is a key piece of data. So, some have asked: why hasn’t New Hanover Regional Medical Center released that information?
The answer is two-fold. First, it’s complicated. Second, NHRMC has released the information — sort of.
While NHRMC has stated it is releasing all permissible information to the public, other hospitals in the state — including Wake Forest Baptist — have offered more information directly, including about specific cases.
The question for some remains: if the balance between Covid-19 cases and hospital capacity is the fundamental issue of the epidemic, how can the public get a sense of how effective government restrictions and closures have been if hospital admission data remain confidential?
Yes and no
This week, NHRMC consented to allow New Hanover County Chairwoman Julia Oslon-Boseman to tell the public during her public remarks on Monday that the hospital had 13 cases, according to a county spokesperson. NHRMC confirmed that the county’s public health officials receive the confidential reports made to the state, and that those local officials had more discretion over what to release than NHRMC did.
It’s not clear from county emails if the Emergency Operations Center (EOC) is receiving regular updates on patients counts from NHRMC. It’s also not clear if NHRMC’s agreement was a one time deal, or if the county will provide future updates.
While NHRMC did allow Olson-Boseman to share the bare minimum of information — the number of patients — it appears they did not release other information, like if patients had pre-existing conditions, or if those patients required admission to the ICU or the use of a ventilator.
NHRMC does report hospitalization details to the North Carolina Department of Health and Human Services (NCDHHS), which publishes some of that data — including demographic data about age, race, and gender — online and updates it daily. However, those reports have actually been cited by NHRMC as a reason why the data cannot be released to the public, under a state statute that makes reports to state data processors protected and private.
While the state does publish county-by-county figures for total cases and deaths, it doesn’t localize information like hospitalizations or detail the strain on individual hospitals’ ventilator or ICU bed capacity.
Because the Covid-19 epidemic hasn’t hit all areas with uniform force, it’s not possible to extrapolate a picture of how stressed a given hospital is from state-level data.
One of the most commonly cited healthcare privacy laws is HIPAA ( Health Insurance Portability and Accountability Act), the federal law the protects individuals’ medical history.
HIPAA is referred to broadly — and sometimes inaccurately — and it’s worth noting that it does not protect what’s known as ‘de-personalized’ information. In other words, if an individual is taken to the hospital with a particular disease, the records of that visit are protected by HIPAA — but the total number of patients with that disease over a certain period of time is not covered by the federal law, according to the North Carolina Press Association.
However, according to Lynn Gordon, chief legal officer and general counsel for NHRMC, withholding Covid-19 patient data — even in the broad, de-identified sense — is more complicated than HIPAA alone.
“This is not as simple as reviewing the Federal HIPAA law, but rather understanding several implicated laws that intersect in this matter. And HIPAA compliance isn’t as simple as basic de-identification, by any means. Adhering to these laws, and having information flow through the appropriate channels, is critically important from both a public policy and patient records confidentiality perspective,” Gordon said.
Gordon noted that NHRMC’s legal team had enlisted outside help to review what information it could and could not release during the Covid-19 epidemic.
“We have completed a legal analysis with outside specialized health care legal counsel in this matter and, at this juncture, NHRMC is unable to disclose Covid-specific numbers and other protected data (under the body of law referenced below) directly to the public/media. Rather, we are complying with all public health reporting requirements, including specifically on the Covid-19 pandemic,” Gordon said.
Overlapping federal and state privacy laws
According to Gordon, the actual legal analysis of what is and isn’t confidential is itself a confidential document, protected by attorney-client privilege. However, Gordon did release an overview of the basic statutory tenets of NHRMC’s decision not to make the number of Covid-19 cases public.
The following bullet points were provided by Gordon:
- HIPAA — Federal law requires hospitals to take precautions not to reveal patient information, including non-specific patient information that could reasonably be used to identify a patient.
- NCGS 131E-214.3 (Patient Data Not Public Records) — This statute provides that patient data compiled or furnished a part of statewide data processing efforts is not considered to be a public record.
- NCGS 130A-143 (Confidentiality of Records) — This statute provides that all information and records, whether publicly or privately maintained, that identify a person…who has a [communicable disease] shall be strictly confidential, and may only be released upon explicitly defined circumstances.
- NCGS 131E-97 (Confidentiality of Patient Information) — This statute provides that medical records compiled by health care facilities in connection with the admission, treatment and discharge of individual patients are not public records as defined by Chapter 132.
The issue with HIPAA and some of the state statutes comes down to whether data — even stripped of names and specifics — could be used to identify a particular patient. NHRMC is understandably concerned with patient anonymity and privacy, but it’s not clear how, for example, releasing the daily total of Covid-19 cases would identify an individual patient.
Other statutes, specifically NCGS 131E-214.3, protect documents containing patient information and furnished to the state as part of data gathering. However, while those specific documents would remain confidential, individual data points included in those documents would not necessarily be made private if they were included in other reports (i.e. a daily log of reasons for admission, etc.)
It is worth noting that the North Carolina Court of Appeals has upheld that if federal law allows the release of data then state law requires it, a point frequently made by the North Carolina Press Association. The only federal law that NHRMC was able to point to was HIPAA, and only by NHRMC’s broad interpretation of the law, where NHRMC legal staff appeared to argue that the simple number of daily cases could somehow ‘reasonably’ be used to identify individual patients.
While Gordon and NHRMC didn’t address how, exactly, HIPAA applies in this case, the hospital did cite other concerns. According to Gordon, NHRMC’s decision wasn’t based solely on state and federal law, but also on the difficulty of acquiring accurate statistics in ‘real time.’
“Based, in part, on all of the statutes and laws referenced above, it is critical that NHRMC protect patient information, including in the form of facility-wide, de-identified statistics. This is further true in a situation like the current pandemic, where initial testing is often subject to further confirmation and subsequent testing, such that accurate statistics are often impractical to ascertain in ‘real time.’ We must let public health agencies do their work,” Gordon said.
Demographic detail vs. personal privacy
Why are the demographic details important?
For one example, many infectious disease statutes around the country were authored to protect privacy during the height of the AIDS crisis. Anything that could ‘out’ an AIDS patient was protected. But aggregate numbers like the number of cases, and generalized demographic information about gender, race, and age of AIDS patients wasn’t protected — in fact, it became an important part of public health efforts to dispel myths that it was a ‘gay-related immune deficiency’ (GRID, as it was initially termed).
Corollary efforts have been seen during the Covid-19 epidemic, as public officials have made efforts to note that the disease does not limit itself to a particular demographic and that younger individuals are not necessarily immune to the disease; the misconception that young people were effectively safe from the disease was cited as partially responsible for the apparently cavalier attitude of younger people who continued to congregate at festivals, beaches, and other public events despite increasing concerns over Covid-19.
It’s also become increasingly clear in hard-hit areas like Seattle and New York City that minorities have been disproportionately hit by Covid-19. While the data is still incomplete, it will ultimately be part of public health studies on healthcare equity in those areas.
While NCDHHS can provide demographics on a state-wide level, the local demographics are important, too.
In the case of NHRMC, that data could be an important part of evaluating the hospital’s admirable mission of promoting that kind of equity. It could also factor into exploring a potential sale or new partnership for NHRMC — a process that started up again this week.
Send comments and tips to Benjamin Schachtman at email@example.com, @pcdben on Twitter, and (910) 538-2001