Ebola and HIPAA--OCR Issues Bulletin on HIPAA Privacy in Emergency Situations
Posted in HIPAA

by Forrest Campbell, Health Law Attorney, fcampbell@brookspierce.com

In light of the Ebola outbreak, HHS's Office for Civil Rights ("OCR") issued a bulletin to accomplish two things: (i) ensure that HIPAA covered entities and business associates understand how PHI may be shared in emergency situations, and (ii) remind parties that HIPAA's privacy requirements are not set aside during an emergency. The bulletin can be accessed through this link: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf.

Health care providers nationwide are screening for individuals who potentially have Ebola virus disease. If such an individual is discovered, the provider suddenly will face a multitude of issues to address. If you have not already, now is the time to be proactive and review OCR's bulletin as a refresher on the basic rules for disclosures during an emergency.

The bulletin notes that, while HIPAA protects patient privacy, HIPAA is balanced to ensure that appropriate uses and disclosures of PHI still may be made when necessary to treat a patient, to protect public health, and for other critical purposes.

To this end, the bulletin reminds parties that PHI may be shared, as follows:

For Treatment. A covered entity may disclose PHI for its own treatment activities or the treatment activities of any health care provider. This includes disclosures for the coordination or management of health care and related services by one or more health care providers and others, consultations between providers, and referrals of patients for treatment.

For Public Health Activities. In recognition of public health authorities' need to access PHI for performing their public health mission, HIPAA permits covered entities to disclose needed PHI without individual authorization in various situations:

To a public health authority, such as the CDC or a state or local health department, that is authorized by law to collect or receive information to prevent or control disease, injury, or disability. This includes reporting diseases, injuries, and vital events (e.g., births or deaths); and conducting public health surveillance, investigations, and interventions. For example, a covered entity may disclose PHI to the CDC on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola virus disease.

At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority.

To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.

Note: In each of these situations, other law, such as state law, must also authorize the agency to collect or review the information or authorize notice to an individual, as applicable.

With Family, Friends, and Others Involved in an Individual's Care. A covered entity may share PHI with a patient's family, friends, or other persons identified by the patient as involved in the patient's care (but only PHI directly relevant to the person's involvement with the individual's health care or payment). A covered entity also may share PHI as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient's care, of the patient's location, general condition, or death.

• The covered entity should get verbal permission from the individual or otherwise be able to reasonably infer that the patient does not object; if the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient's best interest.

• A covered entity may share PHI with disaster relief organizations (e.g., American Red Cross) that are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient's care, of the patient's location, general condition, or death. It is unnecessary to obtain a patient's permission to share the information in this situation if doing so would interfere with the organization's ability to respond to the emergency.

For Imminent Danger. Covered entities may share PHI with anyone if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Note: The disclosure must be consistent with other applicable law (e.g., statutes, regulations, or case law) and applicable standards of ethical conduct.

With the Media or Others Not Involved in the Care of the Patient. Upon request about a particular patient by name, a health care provider may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient's condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.

OCR notes that in general, except in the limited circumstances described elsewhere in the bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results, or details of a patient's illness, may not be done without the patient's (or representative's) written authorization.

Business Associates. Business associates may disclose PHI as permitted by the HIPAA privacy rule, such as disclosures to public health authorities, to the extent authorized by the business associate agreement.

Minimum Necessary . OCR reminds covered entities that for most disclosures the "minimum necessary" standard will apply. (Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.) Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose. For example, a covered entity may rely on representations from the CDC that the PHI requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose.

Remember: Before making a disclosure addressed in the bulletin, a covered entity should review the particular HIPAA rule involved because many of the rules have specific, detailed requirements that must be met. In addition, certain of these HIPAA rules will require that applicable other law (such as state law) also be considered and followed.

Forrest W. Campbell, Jr. practices in the Greensboro office of Brooks, Pierce, McLendon, Humphrey & Leonard, LLP. His practice is dedicated to health care. You are welcome to contact him at 336.373.8850 or fcampbell@brookspierce.com.

Add a comment

Type the following characters: papa, niner, mike, six

* Indicates a required field.


* indicates required


Recent Posts


Jump to Page

This website uses cookies to enhance user experience and to analyze performance and traffic on our website. For more information on our cookie use, see our Privacy Policy.