Many people in the general public – and most in the health care industry – would recognize the names Eric Duncan (who died of Ebola in a U.S. hospital), Nina Pham (who contracted Ebola through exposure in a U.S. hospital) and Kaci Hickox (who was subjected to quarantine due to potential exposure to Ebola before returning to the United States). But how is it that patient names and specific details regarding the medical treatment of these individuals are so widely known? Wasn’t HIPAA intended to prevent exactly this result?
Despite the impression left by Ebola-related news coverage, there is no exception to HIPAA rules based on heightened public interest in either a particular patient or a particular disease. In fact, the Office for Civil Rights (OCR), a division of the U.S. Department of Health and Human Services (HHS) responsible for administering the HIPAA rules, recently released an advisory bulletin “to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.”
However, while HIPAA protects patient health information and limits its use, it does not lock down the information entirely, nor does it prevent the news media and other interested parties from obtaining the information through other sources.
As the number of diagnosed cases of Ebola continues to increase (13,000 cases worldwide as of November 5, 2014, including four cases in the United States), U.S. hospitals should have a plan in place for how they will respond to demands for information if and when an Ebola-infected patient arrives at their facility. This is especially true for facilities located near the airports designated as entry points for travelers from West Africa: Kennedy, Newark, Dulles, O’Hare, and Atlanta’s Hartsfield Jackson.
The HHS bulletin summarizes the basic HIPAA protections and disclosures applicable to a scenario involving an Ebola-infected patient:
- HIPAA permits a hospital to disclose information about an individual’s health for treatment purposes, so providing information to doctors, nurses, and other clinical and floor staff who may come into contact with the patient is not an issue.
- HIPAA also permits hospitals to disclose information about an individual’s location in the building and current general status (such as “critical,” “guarded,” “stable”) to anyone who inquires about the individual by name – unless the patient has affirmatively opted out of this disclosure. This is the well-known “directory” rule.
- HIPAA permits disclosures to public health authorities who are “authorized by law” to receive information for the purpose of controlling disease as well as to individuals who may have been exposed to the disease or are otherwise at risk of contracting it.
Whether a public health authority is “authorized by law” to receive infectious disease information will largely depend on state law. In New York, hospitals must report confirmed and suspected communicable diseases to the local health department. Viral hemorrhagic fevers, of which Ebola is one, are in the “most urgent” category for reporting, requiring verbal notice to the department within 24 hours of first treatment. Further, New York requires treating physicians to notify others in the household of the infected individual and advise them of the appropriate precautions to take to prevent further spread of the disease.
Outside of these uses and disclosures, hospitals must obtain a valid patient authorization to disclose information about the patient.
The Myth of the Sensational News Exception
As the HHS bulletin emphasizes, except in limited circumstances, “affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization.” In other words, a valuable scoop for the evening broadcast does not supersede the basic restrictions that protect patients from the unauthorized use and disclosure of their protected health information (PHI).
In our connected world, however, the practical reality is that reporters and members of the public will obtain information about the patient, their background, condition, treatment and prognosis through family and friends or from social media. In New York, for example, while certain communicable disease reports related to venereal disease are considered confidential, there is no express confidentiality rule for reported communicable disease information other than some “minimum necessary” limitations in the New York Public Officers Law. It is also unclear whether HIPAA would prevent or even apply to disclosures made by public health officers; and as noted above, providers have certain obligations to notify individuals other than the patient about the patient’s disease. These are very likely avenues for information about the patient to legally find its way into the public realm. Accordingly, unless the treating providers are authorized to take part in the conversation regarding a communicable disease patient, the conversation is going to happen around them and without them.
In this context, one possible route available to health care providers is to obtain a limited authorization to confirm or deny facts presented to them in valid media queries that do not fully compromise the patient’s right to the privacy of PHI. Rather than an ambiguous response such as “I cannot comment on that,” under a limited authorization providers will have the ability to validate factual information already in the public sphere and to quell rumors without making the hospital the source of the information provided to the public. In this way, the provider can take part in the conversation but will not be the center of it.
Avoiding a Free-for-All
Even with a valid authorization in place, the patient record is not an open book. As the HHS bulletin points out, “in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.”
While there is no “minimum necessary” standard for disclosures for treatment purposes, the standard does apply in all other circumstances; and in all cases the use or disclosure must be related to a valid purpose under the HIPAA Privacy Rule.
Administrators should remind staff early and often that a high-profile patient has the same right to privacy as any other patient in the facility and that they need to check access logs frequently for “peepers” and enforce the access-restriction policy just as they would in any other circumstance.
Unauthorized uses and disclosures may trigger reporting requirements at the state and federal levels depending on the nature and scope of the information involved. Working closely with knowledgeable legal counsel can help a hospital emerge from the media storm with its HIPAA integrity intact.