HIPAA in the Time of Ebola

November 12, 2014 | By Lawrence J. Tabas

Ebola has recently been the source of much concern, and health care providers and hospitals are taking steps to prepare themselves for the possibility of treating patients with Ebola. In addition to all of the medical preparations underway, covered entities and business associates must also continue to be aware of the protections in place that limit the uses and disclosures of a patient’s protected health information (“PHI”), even in an emergency situation. The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), recently released a bulletin to provide guidance to covered entities and business associates about the ways in which PHI may be shared in an emergency under the HIPAA Privacy Rule. As the OCR emphasizes in its bulletin, the “protections of the Privacy Rule are not set aside during an emergency.”

Some highlights from the bulletin are as follows:

  • Treatment – Covered entities may disclose PHI without patient authorization for “treatment” as defined by HIPAA.
  • Public Health Activities – Covered entities may disclose PHI without patient authorization to a public health authority that is “authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability.” A public health authority would include the Centers for Disease Control and Prevention (“CDC”) or a state or local health department.
  • Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification – A covered entity may “release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released).” Unless a covered entity has received a patient’s written authorization, it may not disclose specific information (e.g., tests, test results, illness details) to the public or media.
  • Minimum Necessary – Covered entities must follow a minimum necessary standard when disclosing PHI. That is, “a covered entity must make reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary’ to accomplish the purpose.” If a covered entity is contacted by the CDC with a request for PHI, the OCR states that it is acceptable for the covered entity to assume that the information requested is the minimum necessary for the CDC’s purpose.
  • Business Associates – Before making any disclosures of PHI, business associates should review their business associate agreements. Business associates may only make disclosures of PHI as permitted by their business associate agreements.

This post is only intended to be a short summary of the OCR’s bulletin. A copy of the bulletin is available here. For advice specific to individual circumstances regarding the HIPAA Privacy Rule, you should consult with an experienced health law attorney.

About the Authors

Lawrence J. Tabas


Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...
