We’ve received a number of questions from our hospital clients about the operational impact of the arrival of Ebola in the United States. In general, hospitals must continue to follow the same rules and regulations. However, there is one area that is certainly worth discussing and that is patient privacy.
The Health Insurance Portability and Accountability Act (HIPAA) protects certain patient health information, but in the light of a fast-moving health event, it can be difficult to know when to provide information and when to shield it. Even with HIPAA in place and healthcare workers highly trained on how to comply, breaches continue to occur. With heightened attention around Ebola in the United States, people are hungry for information on the patients and healthcare workers exposed to the disease. For instance, in Nebraska, two hospital employees were fired in September for looking at an Ebola patient's medical records. The question is, do HIPAA privacy rights trump the public's need to know about a patient with the disease? There are a few key points to consider.
- Ebola is a devastating communicable disease about which the general public needs education and guidance, but the HIPAA rule does not permit inappropriate use or disclosure just because the condition might be considered newsworthy or unusually terrifying. Your current HIPAA policies and procedures are still effective even if your hospital receives a patient potentially at risk in this outbreak.
- Communicate with your employees and remind them of the regulations. The great public interest puts patient information at greater risk. Reinforce with your workforce that they’re only able to access records that help them do their jobs. Do this before you have a specific situation of concern, and consider what additional steps you might take to safeguard particularly “juicy” information that might be at greater risk.
- HIPAA recognizes the public's right to know in the context of public health. The Privacy Rule includes exceptions for certain activities required for public health. The first such exception allows authorities or covered entities (when authorized by law to make such notification) to warn anyone who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition. The second such exception provides that a covered entity may disclose protected health information (PHI) to a public health authority (such as the Centers for Disease Control (CDC)) that is authorized by law to collect or receive such information. If an authorized public authority requests the information, you have an obligation to provide it. You are entitled to rely on the public authority’s determination regarding what information it needs.
- Don’t succumb to media and public pressure. If you get media inquiries and pressure to release information, remember the same rules apply to Ebola patients as to other patients. There are exceptions relating to public health and safety (as outlined above), but they generally do not permit covered entities or their business associates to release PHI to the media or general public. Rely on your current HIPAA-compliant policies regarding response to such inquiries.
- Also, keep in mind that HIPAA applies only to covered entities and business associates, and does not restrict what information patients, their family members, friends or neighbors may legally disclose. These individuals may need to be aware that state privacy or defamation statutes and case law may limit what they may legally disclose. Covered entities should keep in mind that when information is disclosed to the media by other parties, sometimes attention will be drawn to the covered entity and disclosure by the entity will be alleged. Be vigilant in maintaining the security of information in order to be able to defuse such accusations.