Is this a HIPAA breach? The disclosure of negative test results for the Dallas policeman who visited the apartment of the first known fatality in the US due to ebola prompted a complaint from the policeman’s wife. She is quoted as saying that disclosure to the media of the test results prior to informing the patient and his family must be a violation of HIPAA law. So, is she right?
The current efforts of health care providers and public health authorities to prevent the spread of the ebola virus in the US has led to disclosure of a lot of protected health information (PHI) about persons infected or even just at risk for contracting the virus.
HIPAA and Public Health Disclosure Authorizations.
HIPAA regulations permit the disclosure of PHI to public health authorities, without authorization, for the purposes of controlling disease, among other reasons. Public health authorities are defined as state, local or federal authorities, including Indian tribes, that are responsible for public health matters. This specifically includes the Centers for Disease Control (CDC), the agency coordinating the federal government’s response to the ebola virus in the US. And the CDC may be a covered entity in its own right, which also gives it the right to disclose PHI for public health purposes.
How much PHI may be disclosed to Public Health Authorities?
Typically, the HIPAA regulations require that covered entities disclose only the minimum necessary information, even for public health purposes. The exceptions are if there is a patient authorization, or if the disclosure is required under other provisions of the law, for instance for law enforcement purposes or for serious threats to health or safety. But covered entities may rely on the request by the public health authority to establish the minimum necessary amount of PHI to be disclosed.
Take action now to prepare for HIPAA and Public Health Disclosures!
Many, if not most, covered entities have never had to deal with disclosures for public health purposes in the current environment – intense interest and with voices inviting us to disregard everything the government tells us. So just as you may be putting up notices in the emergency department or waiting room advising patients to inform the staff about certain symptoms or previous travel, now is the time to dust off your policies related to HIPAA and disclosures for all purposes.
Make sure staff who may be asked questions about patient status – whether the patient is already in the ICU receiving treatment, or is in the waiting room complaining or exhibiting symptoms – know what to say when they get questions. Staff who have formal responsibility for making public statements should review the organization’s policies on disclosures for public health purposes. Finally, remember that even a circumstance such as the outbreak of a deadly infectious disease does not permit unauthorized disclosures of PHI to the media or anyone else.
HIPAA and public health disclosures may become a way of life for the foreseeable future. Be ready, and your facility’s reputation will be enhanced – not trashed!