HIPAA and Ebola: What are Appropriate Disclosures?

by Bevon Findley (SU)

With the uproar and fear of the Ebola virus on U.S. soil somewhat subsiding, it has been an interesting couple of months in terms of how much protected health information regarding infectious patients was made public. Has the information released about patient conditions constituted a violation of the HIPAA Privacy Rule? Does the general public have a right to know about individuals with highly infectious conditions or symptoms?

These are valid questions in determining the legal balance of what can and cannot be disclosed about a patient’s medical condition. The answers to these pressing questions are contained in the HIPAA Privacy Rule, a rule that most Americans, besides those involved in the healthcare sector, are not clear on. When we visit a healthcare practice and sign that office’s HIPAA release and privacy notification, most of us do not know what is covered and what our rights are.

The U.S. Department of Health and Human Services (HHS) has the regulatory responsibility to administer the HIPAA Privacy Rule. The rule states there are national standards to protect individuals’ medical records and other personal health information. The rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made without patient authorization.

So in circumstances like the Ebola scare, when can disclosures be made without patient authorization? In a recent bulletin released by HHS regarding HIPAA privacy in emergency situations, sharing patient information without a patient’s authorization is legal if there is a legitimate need for public health authorities to have this information to carry out their mission. It allows for the disclosure of protected health information without individual authorization for the purposes of notifying a public health authority like the Centers for Disease Control and Prevention (CDC) or state or local health departments.

The rule allows the disclosure to persons at risk of contracting or spreading a disease or other conditions in order to prevent or control the spread of the disease or to carry out public health interventions or investigations. This type of activity in the Ebola crisis is called “contact tracing,” where the CDC and local health departments trace who infected individuals may have come into contact with. Those individuals contacted were told about the medical condition of the infected patients.

Where the politics of these specific types of disclosures get somewhat murky is in determining if there is truly an imminent danger to the public. As we saw unfold over the last month or so, there were different interruptions of the rule from high level federal, state and local government officials. What the regulation states is, “Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct.” It was clear there was a great deal of confusion on what “imminent danger” to the public really meant.

From another perspective, the media seemed to have a plethora of information regarding the patients, including their names, their conditions and their treatments. Did all these media outlets and reporters violate the HIPAA Privacy Rule and patient rights? Based on the regulations, probably not.

The section of the HIPAA Privacy Rule that focuses on disclosures to the media indicates healthcare facilities may release limited patient information if a request is made. The rule stipulates “limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.”

Regarding media disclosure, another part of the rule says, “In general, except in the limited circumstances, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient).”

So you are thinking after reading the last two paragraphs, isn’t this contradictory? This is where the limited circumstances regarding public health and imminent danger come into play. If the public has a right to know, healthcare providers may release limited information, and the media may inform us. In most cases, patients must give consent. In all of these situations, it may be considered appropriate disclosure under the HIPAA Privacy Rule.