On November 10, 2014, the U.S. Department of Health and Human Services (HHS) issued a bulletin as a reminder of the ways in which covered entities and business associates may disclose patient information in emergency and public health situations. The bulletin does not create new exceptions or suspend HIPAA, but lists all of the ways that HIPAA already allows disclosure of patient information in situations like the Ebola outbreak. The bulletin lists the following HIPAA exceptions:
- Treatment – covered entities may always disclose protected health information (PHI) without the patient’s authorization as necessary to treat the patient or to treat a different patient. The term “treatment” is specifically defined under HIPAA and includes the coordination or management of health care and the referral of patients for treatment.
- Public Health Activities – covered entities may disclose PHI without the patient’s authorization to public health authorities that are authorized by law to collect or receive such information for the purpose of preventing or controlling disease. For example, a covered entity may disclose PHI to the Centers for Disease Control and Prevention (CDC). The bulletin states that covered entities may disclose PHI to the CDC on an ongoing basis as needed to report all previous and potential cases of individuals exposed to or suspected to have the Ebola virus. The bulletin notes that covered entities may rely on representations from public health authorities like the CDC that the requested information is the minimum necessary for the purpose. Covered entities may also disclose PHI to persons at risk of contracting or spreading a disease if there is another law (for example a state law) that allows such disclosure. Business associates may make disclosures to public health authorities like the CDC on behalf of a covered entity or another business associate, to the extent authorized by the business associate agreement.
The bulletin notes that if covered entities receive a request for information about a particular patient by name, covered entities can disclose limited facility directory information to acknowledge that a patient is at the facility and provide basic information about the patient’s condition in general terms (for example, critical, stable, treated, discharged) if the patient has not objected to or restricted the release of such information. If the patient is incapacitated the covered entity may make such disclosure if the disclosure is in the best interest of the patient and is consistent with any prior expressed preferences. However, HHS notes that affirmative reporting to the media or public at large about an identifiable patient, including information about treatment, test results, or any details of the patient’s illness may not be done without a patient authorization.