HIPAA permissible disclosures in the case of a Public Emergency

With the recent Ebola outbreak in Africa and cases reaching the United States, individuals everywhere are concerned about catching the deadly disease. Doctors and nurses who were helping treat Ebola patients in Africa, returned to the United States for treatment after catching the deadly disease. Within days, people all over the world knew the individual’s name, where they lived, and now their medical condition. Should the patients who were diagnosed with Ebola be disclosed to the public or does that violate their rights under the HIPAA Privacy Rule?

HIPAA stands for the Health Insurance Portability and Accountability Act[1] and the Privacy Rule, prevents disclosure of an individuals protected health information and establishes standards to ensure that no disclosures are made without the authorization of the individual.[2] The HIPAA Privacy Rule has gone through several changes and modifications to accommodate for several technological changes in the health care industry such as the shift from paper to electronic health records.[3] However, even with these privacy changes, patients are still given the right to prevent disclosure of their protected health information.

However like all rules there are exceptions. Disclosure of Protected health information (PHI) is allowed in emergency situations like the recent Ebola outbreak. [4] According to the U.S. Department of Health and Human Services (“HHS”), “covered entities may share PHI with public health authorities ‘for the purpose of preventing or controlling disease, injury or disability.’”[5] In addition, health care workers may also disclose patient information in such situations. “Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.”[6] In such emergency situations, the most important factor is no longer the individual’s privacy, but to protect the public from the spread of the deadly disease. If this information were not disclosed to physicians, hospital personnel, or the public, it would result in a serious epidemic.

Although hospital personal have the right to disclose this information to the public, such disclosure is limited only to what is necessary to protect and prevent the spread of the disease.[7] According to the U.S. Department of Health and Human Services (“HHS”) bulletin, “For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary’ to accomplish the purpose.” [8] Thus, the patient is still somewhat protected from the amount of personal health information that will be disclosed to the public.

This requirement ensures that HHS is still taking into consideration the objective behind the enactment of the HIPAA Privacy Rule and protecting as much of the individuals information, while still informing the public. The permissible disclosure for a patient with Ebola is based off of procedures from the Centers for Disease Control (“CDC”). For example, “a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose.” [9] Therefore, even though the HIPAA Privacy Rule does not offer total protection in an emergency situation, given the seriousness of the situation, requiring only the “minimum necessary”[10] still protects an individual’s personal information. Thus, HHS’s “minimum necessary” disclosure provides a “balance” between the amount of disclosure required to protect the public as well as protecting the individual from all their personal health information being disclosed to the public.[11]