In light of an emergency situation like the Ebola outbreak, the U.S. Department of Health and Human Services (HHS) has provided a bulletin to ensure that HIPAA covered entities and their business associates are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule. While sections of it are vague and open to interpretation, it generally serves as a reminder that the protections of the HIPAA Privacy Rule are not set aside during an emergency.
One of the goals of the HIPAA Privacy Rule is to protect the privacy of patients' protected health information (PHI) while still allowing appropriate uses and disclosures of that information when necessary. Such disclosures may be necessary when treating a patient, protecting the nation's public health, or for other critical purposes.
Under the Privacy Rule, covered entities may reveal PHI if it is deemed necessary to treat the patient or a different patient, even without a patient's authorization. The HIPAA Privacy Rule also allows covered entities to release PHI without a patient's authorization to a public health authority like the Centers for Disease Control and Prevention (CDC) or a state or local health department. For example, a covered entity can release to the CDC the PHI of patients who have been exposed to, are suspected of carrying, or are confirmed to be carrying the Ebola virus.
A covered entity is allowed to share PHI with a patient's family, relatives, friends or caregivers. Where it gets interesting, however, is that the Privacy Act also allows a covered entity to notify the police, the press, or the general public in its attempt to track down family, friends or caregivers of a patient in an emergency. Under these circumstances, the covered entity should first get verbal permission from the patient to do so. But if it cannot, the covered entity may still release the information and remain in HIPAA compliance if, in its professional judgement, doing so is in the patient's best interest.
In addition, a covered entity can share PHI with disaster relief organizations like the American Red Cross. Furthermore, patient authorization to share protected health information is not required if obtaining it would interfere with the Red Cross' ability to respond to the emergency.
As covered in a previous post, a business associate is an entity that performs certain activities that involve the use or disclosure of PHI on behalf of a covered entity. In an emergency situation like the Ebola outbreak, a business associate is allowed to release information to a public health authority on behalf of a covered entity to the extent it is authorized by its business associate agreement.
In an emergency situation, covered entities and their business associates must continue to use reasonable safeguards to protect PHI. In addition, they must continue to apply the administrative, physical and technical safeguards of the HIPAA Security Rule to electronic PHI. When an emergency situation occurs, the rules become confusing as exceptions begin to arise. Thankfully, the HHS has provided some guidance, and we hope this article helped you make sense of it.