HIPAA and Public Health Disclosures – What’s Permitted?

Is this a HIPAA breach? The disclosure of negative Ebola test results for the Dallas policeman who had visited the apartment of the first known Ebola fatality in the US prompted a complaint from the policeman’s wife.  She is quoted as saying that disclosing the test results to the media before the patient and his family were informed must be a violation of HIPAA.  So, is she right?

The current efforts of health care providers and public health authorities to prevent the spread of the Ebola virus in the US have led to the disclosure of a great deal of protected health information (PHI) about persons infected with, or even just at risk of contracting, the virus.

HIPAA and Public Health Disclosure Authorizations.

The HIPAA Privacy Rule (45 CFR 164.512(b)) permits a covered entity to disclose PHI to a public health authority, without the patient’s authorization, for purposes that include preventing or controlling disease.  A public health authority is a federal, state, local or tribal agency, or a person acting under its authority, that is responsible for public health matters as part of its official mandate.  This specifically includes the Centers for Disease Control and Prevention (CDC), the agency coordinating the federal government’s response to the Ebola virus in the US.   To the extent a public health authority is itself a covered entity, it may likewise use and disclose the PHI it holds for public health purposes.

How much PHI may be disclosed to Public Health Authorities?

As a rule, the HIPAA regulations require that covered entities disclose only the minimum necessary information, and that rule applies to public health disclosures as well.  The principal exceptions are disclosures made under a patient authorization and disclosures required by law.  Note that a disclosure merely being permitted, for instance to law enforcement or to avert a serious threat to health or safety, does not by itself remove the minimum necessary requirement.  A covered entity may, however, rely on a public health authority’s request as establishing the minimum necessary amount of PHI to be disclosed, provided that reliance is reasonable under the circumstances.

Take action now to prepare for HIPAA and Public Health Disclosures!

Many, if not most, covered entities have never had to handle disclosures for public health purposes in an environment like the current one – intense public interest, and voices urging people to disregard everything the government tells them.  So just as you may be putting up notices in the emergency department or waiting room asking patients to tell staff about certain symptoms or recent travel, now is the time to dust off your policies on HIPAA and disclosures for all purposes.

Make sure that staff who may be asked questions about a patient’s status – whether the patient is already in the ICU receiving treatment, or is in the waiting room complaining of or exhibiting symptoms – know what they may and may not say.  Staff who have formal responsibility for public statements should review the organization’s policies on disclosures for public health purposes.  Finally, remember that even the outbreak of a deadly infectious disease does not permit unauthorized disclosures of PHI to the media or to anyone else.

HIPAA and public health disclosures may become a way of life for the foreseeable future.  Be ready, and your facility’s reputation will be enhanced – not trashed!


Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.


4 thoughts on “HIPAA and Public Health Disclosures – What’s Permitted?”

  1. HIPAA does allow for disclosures in certain circumstances, which is contained within the HIPAA Privacy Rule, but what’s important to really understand is that if you want to see a decrease in data breaches of Protected Health Information (PHI), then both Covered Entities and Business Associates should do three (3) primary things: (1) put in place all necessary HIPAA policies and procedures; (2) strictly enforce annual security awareness training for all employees and workforce members; and (3) build a network that has comprehensive elements of layered security and defense-in-depth within it. Call it the 3-point triangle for HIPAA success, which is relatively straightforward, yet many CEs and BAs simply fail to grasp the importance of such initiatives. Remember that HHS | OCR has announced even more annual HIPAA compliance audits, so be ready.

  2. As an information security specialist in the HIPAA field for many years, I unfortunately see the same recurring theme with businesses time and time again, and that’s the failure to implement comprehensive security policies, procedures, processes, and other fundamental initiatives. With so many free and cost-effective solutions available online, there are really no excuses as to why businesses don’t take the necessary steps for ensuring the safety and security of one’s entire network infrastructure. What’s also frustrating is not seeing comprehensive security awareness training and other basic, fundamental programs, like annual risk assessments, that should be in place for further helping protect organizational assets. There are literally hundreds of sites offering free employee training material. It’s time companies got serious about security and not just profits, because data breaches are continuing to grow at such an alarming rate. Think about it: what business do you even have if a significant data breach occurs? Kiss your profits goodbye and say hello to the onslaught of lawsuits sure to arrive.

    1. Unless your timesheet has some type of personal health information on it, it is not covered by HIPAA. If your timesheet has other information such as your social security information, you may not want to send it via unencrypted email.