The threats to health privacy in the face of the Ebola scare has not escaped the notice of the Office of Civil Rights (OCR).  As we reported last month, a great deal of information regarding the identity and condition of individuals who may have been exposed to or treated for Ebola has appeared in news reports. Ebola In The News – Is Too Much PHI Being Revealed And By Whom?  and Which Privacy Protections Apply? HIPAA, FERPA and Ebola.  On November 10, OCR issued a bulletin entitled HIPAA Privacy in Emergency Situations reminding covered entities and business associates that their obligations under HIPAA do not change during emergency situations such as the Ebola outbreak.

The bulletin notes that HIPAA balances the interests of patient privacy in a manner that ensures that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.

Patient information can be shared for “treatment” purposes, and OCR notes  that “covered entities may disclose, without a patient’s authorization, protected health information [PHI] about the patient as necessary to treat the patient or to treat a different patient.” Further, treatment includes the coordination or management of health care, which may be critical when handling a communicable and dangerous infection such as Ebola.

OCR summarizes the disclosures which are permissible for public health purposes to agencies like the Centers for Disease Control and Prevention (CDC) or state or local health departments. “For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola virus disease.”

Other situations where disclosure is permissible include:

  • At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority. (Highly relevant when coordinating information with government agencies in West Africa and other affected regions)
  • To persons at risk of contracting or spreading a disease or condition, but only if authorized under state or federal law.
  • To a patient’s family members, relatives, friends or others involved in the patient’s care.
  • When necessary to identify, locate, and communicate with family members, guardians, or anyone else responsible for the patient’s care, to notify them of the patient’s location, general condition, or death. OCR notes such disclosures may include police, the press, or the public at large. However, it is not a blanket authority to release PHI to the media unless there is a valid reason to do so. OCR also notes that verbal permission should be sought from the patient if possible.
  • To disaster relief organizations such s the Red Cross, but only for the coordination of contacting family members and others involved in the patient’s care.
  • To anyone else as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct.
  • Limited “directory” condition information may be released when a patient is identified by name. OCR warns: In general, except in the limited circumstances described elsewhere in this Bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient).

Health care providers and their business associates are now clearly on notice that OCR will not look the other way if information relating to individuals potentially exposed to Ebola or similar diseases is disclosed without meeting a valid exception, no matter how persistently media outlets press for details.  Each covered entity and business associate should take the time to remind their personnel that the privacy rule remains in effect in emergencies.