The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has issued guidance to remind HIPAA-covered entities of the ways in which they are permitted under HIPAA to share protected health information (“PHI”) in emergencies, including information about diagnoses of Ebola. HHS emphasizes that the “minimum necessary rule” still applies to these disclosures (except in the case of a disclosure for treatment purposes), and covered entities are still responsible for using safeguards that comply with the HIPAA Security Standards. Below is a list of the types of disclosures discussed in the guidance:
- Disclosures for Treatment: Under the HIPAA Privacy Rule, covered health care providers may share PHI with other health care providers for treatment purposes, including to coordinate and manage health care and related services by one or more patients. No authorization from the patient is necessary.
- Disclosures to Public Health Authorities: Covered entities may disclose PHI without patient authorization to public health authorities, like the Centers for Disease Control and Prevention (“CDC”) or state or local health departments, for the purpose of preventing or controlling disease, injury, or disability. So, for example, a covered entity could disclose PHI to the CDC on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola. Similarly, covered entities may disclose PHI at the direction of a public health authority to a foreign government agency that is acting in collaboration with the public health authority.
- To a Person At Risk if Permitted under State Law: A covered entity may disclose PHI to a person at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.
- To Family and Friends Involved in Patient’s Care: If a patient’s family or friends are involved in a patient’s care, and the covered entity has obtained the individual’s agreement or can reasonably infer from the circumstances that the individual does not object, then the covered entity may disclose to a family member or friend PHI that is directly relevant to that person’s involvement in the patient’s care.
- Disaster Relief Organizations: A covered entity may share PHI with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notice to family members of a person’s location or condition.
- Imminent Danger: Covered health care providers may disclose PHI to anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with applicable law and the provider’s standards of ethical conduct.
- Disclosures to the Media: Upon request for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information consistent with 45 CFR 164.510(a). In general, however, affirmative reporting to the media or the public about an identifiable patient, such as the details of test results or the patient’s condition, is not permitted without the patient’s authorization.
Health care providers should have policies and procedures in place that govern these types of disclosures under HIPAA so that such providers can act in an emergency in a manner that is necessary to protect public health but that is respectful of patient privacy.