The names and photos of the late Thomas Eric Duncan and his former nurse Nina Pham are all over news media reports of the first cases of Ebola in the United States.   But just how did news outlets learn their identities?   Or, as my assistant asked me this morning, “isn’t this a HIPAA violation?” as many of the facts would appear to qualify as protected health information (PHI).

Thomas Eric Duncan – Source:                 Nina Pham, R.N. – Source: ABC News

Mr. Duncan’s name hit the news shortly after he was diagnosed with Ebola at Texas Health Presbyterian on September 20, 2014, upon his second visit to that hospital after arriving in Dallas from Liberia where he had been exposed to a neighbor who later died from the deadly virus.   After he succumbed to the disease on October 8, the details of his illness and treatment began to flow.   A recent Associated Press story  describes his care day-by-day.  It states that Duncan’s nephew, Josephus Weeks, talked to them and indicates that “Hundreds of pages of medical records provided to The Associated Press chart the disease’s relentless march through Duncan’s body and provide an unprecedented look at how Ebola killed despite the aggressive efforts doctors made to save him.”  His mother, Nowai Korkoyah, is also quoted in the article.

One of the critical care nurses who had treated Duncan at Texas Health Presbyterian Hospital, Nina Pham, has now tested positively for the disease and is being treated in isolation.  Pham was reportedly identified by family members who confirmed her name to ABC News affiliate WFAA.  Her family also reportedly confirmed her identity to USA Today.

Pham’s pastor reportedly disclosed to WFAA that she received a blood transfusion on October 14.  The story identifies the donor, Dr. Kent Brantly, and the fact that he was himself an Ebola survivor and attributes that information to “sources close to Brantly.”

Ebola is a devastating communicable disease about which the general public needs education and guidance, but the HIPAA rule does not provide exceptions for newsworthy or unusually terrifying medical conditions.  There are exceptions relating to public health and safety, but they generally do not permit covered entities or their business associates to release PHI to the media or general public.  Also, keep in mind that HIPAA applies only to covered entities and business associates, and does not restrict what information patients, or their family members, clergy, friends or neighbors, may legally disclose.   (However, there is a need to be aware that state privacy or defamation statutes and case law may limit what family members, clergy, friends or neighbors may legally disclose.)

Duncan’s relatives would have had access to his medical records after his death only to the extent they were involved in his care or if they were his “personal representatives,” or during his life if he released his records to them.   HIPAA Regulation section 164.502(g)(4) states  “If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual’s estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.”   Not all relatives can compel the release of a decedent’s medical records, but anyone who obtains such records, for instance from another relative who is the executor or administrator of the estate, is not prohibited by HIPAA from sharing them with the media.

What about public safety?  Some commenters have suggested that in the case of serious public threats, “HIPAA be damned.”    The HIPAA rule at 45 CFR § 164.512(b) does include an exception for uses and disclosures for public health activities, but that exception is limited.   A covered entity may use or disclose PHI to a public health authority (such as the Centers for Disease Control (CDC)) that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, and the conduct of public health surveillance, public health investigations, and public health interventions.  The CDC has issued valuable guidance on the effect of HIPAA on its mission.

PHI may also be disclosed to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.  That exception could authorize, for example, direct communication with the families and close associates of Mr. Duncan and Ms. Pham, but not to media outlets.

How did Ms. Pham’s identity emerge?  One web site, explained in an Exclusive & Breaking report “After learning the address of the unnamed Ebola patient, editor-in-chief Charles C. Johnson and researcher Shannon Knutsen cross referenced the address with a list of every known occupant.” This begs the question of how they learned her address.   Yahoo news claimed they identified Pham through ”public records and a state nursing database.”  Sounds like impressive detective work, but what additional data did they rely on to narrow down their search, and from what sources?   Resourceful journalists will follow leads, rumors and word-or-mouth reports, but if the sources were hospital personnel who revealed sufficient information about these patients to allow their identification when cross-referenced with public sources, they likely  crossed the line even if they did not reveal patient names, particularly if the leakers had knowledge that the information could be combined with other information to identify the individual.

Individuals are certainly free to share their own stories any way they like.  For example, Dr. Brantly authored a first-person piece entitled  This Is What It Feels like To Survive Ebola in Time magazine.   Nina Pham issued a statement through the hospital, assuring supporters “I’m doing well and want to thank everyone for their kind wishes and prayers.”

This isn’t the first time Ebola has raised HIPAA compliance issues. Two Nebraska Medical Center employees were fired for improperly accessing records of a patient being treated for Ebola in September.  (Ironically, these reports also reveal the name of the patient, an American doctor who contracted the virus in West Africa.)  Accordingly, covered entities and business associates should remind all personnel that the rules don’t change because of controversial, highly dangerous diseases.   We will continue to monitor developments in this rapidly evolving story.