HIPAA or not, I assume the hospital wouldn’t tell a private citizen anything concerning anyone else, just on general principles. There’s no FOIA or something like that to force them to.
But they don't have to disclose identifying information to say, "yeah, we've had more XYZ cases," or some other statistic. I'm not saying she should have to contact the hospital to exercise her right to free speech. I'm just saying that HIPAA doesn't mean healthcare institutions are a black box. I find that idea strange because I can immediately see how to ask questions to work around it while still protecting individuals.
> “…HIPAA doesn’t mean healthcare institutions are a black box.”
Ok, but it’s a sure-fire way to not answer any question you don’t like or if you are unsure of the person making the request—from the receptionist to the hospital administrator. A convenient “fig leaf” if you will.
In a more charitable view—if a hospital admin did disclose something they shouldn’t the consequences are legal. E.G. the context for answering has to be legal, or someone trained to answer your specific questions. Now, try to find that person and get an answer—crickets.