Feds Issue Ebola Privacy Guidance
Bulletin Provides Reminders for How HIPAA Applies
Federal regulators have issued a special bulletin to remind covered entities and business associates about how the HIPAA Privacy Rule governs the sharing of patient information in emergency situations, such as Ebola cases.
The Department of Health and Human Services' Office for Civil Rights issued the new guidance in response to questions the HIPAA enforcement agency has been receiving, an OCR spokeswoman tells Information Security Media Group.
"HHS OCR has received enough queries during the Ebola outbreak to release a bulletin to ensure that HIPAA covered entities and their business associates are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency," she says.
OCR issued similar emergency guidance during Hurricane Katrina, she noted.
The HIPAA Privacy Rule protects the privacy of patients' health information "but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation's public health, and for other critical purposes," OCR says in a statement announcing the new Ebola-related guidance.
HIPAA in Emergencies
The new guidance offers a reminder to organizations that under the HIPAA Privacy Rule, patient data can be shared for a number of purposes, including treatment and public health activities, without the patient's authorization.
For instance, "A covered entity may disclose to the Centers for Disease Control and Prevention protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola virus disease," the guidance points out. The rule also permits the covered entity to notify individuals at risk of contracting or spreading a disease or condition in order to prevent the spread of the illness or to carry out public health interventions or investigations.
Additionally, the HIPAA Privacy Rule allows disclosures to the patient's family, friends and others involved in an individual's care.
HIPAA also allows the sharing of patient information in situations of "imminent danger," the guidance notes. "Healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public - consistent with applicable law - such as state statutes, regulations, or case law - and the provider's standards of ethical conduct."
The bulletin also notes that under HIPAA, limited disclosures are permitted to "media or others not involved in the care of the patient or for notification. Upon request for information about a particular patient by name, a hospital or other healthcare facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient's condition in general terms - for example, critical or stable, deceased, or treated and released."
The OCR guidance also states that "a business associate of a covered entity, including a business associate that is a subcontractor, may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement."
Privacy experts applauded OCR's decision to issue the HIPAA guidance in light of concerns over Ebola cases.
"Given all the misinformation that has been and is being published and televised, often by folks who know ... literally nothing about HIPAA and what it actually allows and disallows, it is a good idea for the OCR to issue such a statement to help ensure accurate understanding of HIPAA and patient information legal protections," says privacy expert Rebecca Herold, owner of the consulting firm Rebecca Herold & Associates. "I've seen too many pundits ... spreading ridiculous claims about how people's health information can and cannot be used," she says. "It is always good to publish reminders, but certainly publishing reminders during a time of international concern about a health emergency should be something OCR does whenever such situations occur."
Privacy attorney Adam Greene, a partner at law firm Davis Wright Tremaine, says the new guidance is timely.
"When hospitals prepare for the possibility of treating an Ebola patient, they should consider training staff on protecting the privacy of Ebola patients and navigating the potential media spotlight," he says. "OCR's guidance is a helpful reminder that healthcare providers have very limited ability to speak to the press about patients."
Privacy attorney Brad Rostolsky, a partner at the law firm Reed Smith, said in a recent interview that the current Ebola situation is a wake-up call for organizations to offer refresher HIPAA training to staff. "Now is absolutely the right time to ensure that your workforce understands what the rules of the road are" regarding appropriate access to records, he says.