In light of the recent Ebola cases, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released a new bulletin, to remind HIPAA-covered entities and business associates that the requirements of the HIPAA Privacy Rule apply even in emergency situations. The HIPAA Privacy in Emergency Situations bulletin provides guidance as to the limited circumstances when covered entities and business associates may share, use, and disclose protected health information during emergency situations, including disclosures to the following: 

  • A public health authority, such as the Centers for Disease Control and Prevention;
  • Foreign government agency, at the direction of a public health authority;
  • Persons at risk of contracting or spreading a disease or condition, if state law authorizes such disclosure;
  • Family, friends, and others involved in the patient’s care; and
  • As necessary to prevent and lesson a serious and imminent threat to the health and safety of a person or the public

In addition the HIPAA-covered entities may disclose limited information to the media and others not involved in the patient’s care if the patient has not objected or restricted the release of such information, or if the patient is incapacitated, if such disclosure is believed to be in the best interest of the patient and consistent with any prior expressed preferences of the patient.