Of all the complex legal issues raised by the recent cases of Ebola in the U.S., those concerning the delicate balance between preserving patients’ privacy rights and the need to disseminate information to protect public health may be overlooked by providers. First, the laws may seem complex, consisting of a patchwork of state-level privacy and public health provisions, some of which are at times preempted by overarching federal laws like the Health Insurance Portability and Accountability Act (HIPAA), while others are not. This complex legal landscape also has been the subject of debate in recent years, as historic data breaches and domestic spying scandals change the American concept of privacy. But while the privacy debate may be plagued by questions as to the value of a person’s privacy, the Ebola virus highlights a stark reality: the level of privacy afforded to information regarding a person diagnosed with the Ebola virus could have life and death implications for the patient, the treating healthcare providers and the public at large. By understanding these privacy concerns, healthcare providers are better able to find the appropriate balance between patient privacy and public health when caring for a patient with Ebola. Here are a few of the privacy issues associated with the Ebola virus of which all healthcare providers should be aware.
Patients, Family Members and Friends
Although healthcare providers are certainly permitted to communicate with their patients, communications with a patient’s family members and friends may be more complicated, particularly when, as may be the case as Ebola progresses, the patient becomes incapacitated. In such cases, absent specific instructions or authorization from the patient, HIPAA requires that healthcare providers exercise professional judgment in determining whether communicating with an individual involved in the patient’s care is in the best interests of the patient and that they limit the information disclosed to that which is directly relevant to the individual’s involvement in the patient’s care. Personal exposure to the Ebola virus complicates this analysis since family members are not able to be at the bedside with the patient. State laws may be more stringent and preempt HIPAA, or may set out who can receive information about the patient and make medical decisions if the patient is unable to do so.
Employee snooping has become a privacy risk in the era of electronic health records, particularly when dealing with high-profile patients. Given the media attention surrounding Ebola patients in the U.S. thus far, audit trails monitoring employee access to Ebola patient information will be a critical component of any healthcare organization’s privacy efforts. If a suspected Ebola patient enters a healthcare facility and is being followed by the media, the healthcare entity should take that opportunity to remind its employees of their HIPAA obligations and regularly monitor the patient’s medical record for inappropriate access. In addition, the entity should give its employees the information they need to be appropriately protected from exposure to Ebola, so that they are less likely to snoop in the patient’s record.
Releasing information regarding Ebola patients to the media may present a slippery slope for healthcare organizations. Media outlets are not covered entities under HIPAA and therefore are not bound by HIPAA restrictions once they receive patient information, regardless of the source. HIPAA restricts the information that a healthcare organization can disclose to the media absent a patient authorization, including the information that can be released by an organization to defend itself from criticism in the media. Although these risks are significant, the media’s role in preserving public health by disseminating timely and accurate information regarding infected patients, as well as the steps necessary for members of the public to protect themselves, is important. Organizations that find themselves with an Ebola patient should seek authorization from the patient or the patient’s representative for media communication.
Public Health and Health Oversight Authorities
HIPAA includes specific exceptions that generally allow healthcare organizations to disclose information regarding Ebola patients to state and federal public health authorities, such as the Centers for Disease Control and Prevention (CDC) and state and local departments of public health. But the boundaries of these exceptions are not always clear. For example, HIPAA allows covered entities to disclose patient information to a public health authority, which is defined as an agency or authority of the U.S. or a state that is responsible for public health matters as part of its official mandate, so long as the authority is authorized by law to collect such information for the purpose of controlling disease. While there is little doubt that this exception would allow a healthcare provider to communicate with the CDC regarding an Ebola patient, what about Congress or state legislators or other elected officials?
As highlighted above, many provisions of HIPAA and applicable state law seem to inherently reflect the underlying tension between preserving patient privacy and ensuring the free flow of information necessary to protect public health. Finding the appropriate balance is no small feat, but it is a critical mission that all healthcare organizations must strive to achieve.