Dr. Craig Spencer, Thomas Eric Duncan, Nina Pham, Amber Vinson, Dr. Kent Brantly, Nancy Writebol, Dr. Rick Sacra, and Ashoka Mukpo. The names of patients diagnosed with the Ebola virus have been widely publicized, despite federal protections that guarantee the privacy of an individual’s diagnosis and other individually identifiable health information. 

If a health care provider diagnoses an individual with Ebola, that diagnosis is protected health information (PHI) covered by the privacy rule that implements the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The patient’s symptoms, temperature (or lack thereof), and potential receipt of an experimental drug or a blood transfusion are also PHI when that information is created, received, transmitted, or maintained by a health care provider, health plan, health care clearinghouse, or a business associate. None of the intimate details of the Ebola patients’ conditions should have been publicly released to the news media without the consent of the patient or the patient’s personal representative.

The United States Department of Health and Human Services (HHS) recognized the need for guidance on the privacy rule as it relates to patients diagnosed with Ebola and contacts who were at risk of contracting the disease. On November 10, 2014, HHS released a bulletin reviewing the existing federal health privacy regulations. The bulletin discusses the application of the privacy rule in emergency situations. The document also notes that entities not subject to HIPAA, such as an airline or taxicab that transported a patient diagnosed with Ebola, may disclose information within the bounds of any applicable state or federal laws.

The bulletin reminds hospitals and health care facilities that the privacy rule allows for the release of general information about a patient upon request, if the patient has not opted out of the hospital directory. For example, Bellevue Hospital Center in New York City could disclose that Dr. Craig Spencer had been treated and released if he had not restricted or prohibited the release of such information.

HHS also provides an overview of the use and disclosure of PHI by the Centers for Disease Control and Prevention (CDC) and state and local public health departments, who may trace prospective patients exposed to the Ebola virus. The bulletin notes that even if the HHS Secretary declared a public health emergency related to Ebola, the privacy rule still applies. In a declared public health emergency, the HHS Secretary can make only temporary, limited waivers of certain privacy rule protections, which last for a maximum of 72 hours.

Health care providers, health plans, health care clearinghouses, and their business associates should consider updating their policies and trainings on the use and disclosure of PHI in emergency situations.