Privacy doesn’t trump public safety — especially when it comes to the Ebola virus and other public health threats.
The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) — which enforces HIPAA — has issued a bulletin clarifying the circumstances under which patients’ protected health information can be disclosed, even without their explicit authorization, in the interest of their own and others’ safety.
“The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission,” the bulletin states. “Therefore, permits covered entities to disclose needed protected health information without individual authorization.”
Under the rule, providers covered by HIPAA, including doctors and healthcare systems, can disclose needed personal health information:
– To public health authorities such as the nd state and local health departments
– At the direction of a public health authority or to a foreign government agency that is working with the public health authority
– To persons at risk of contracting or spreading a disease or condition
Disclosures to family, friends and others involved in a patient’s care are also allowed under some conditions. These may even be permitted to the police, media and public at large.
However, providers should get verbal permission from afflicted individuals or be able to “reasonably infer that the patient does not object.” If the patient is incapacitated, providers can share health information if they believe it is in the patient’s best interest.
Providers can also share personal information with disaster relief groups such as the American Red Cross. It is not required to obtain a patient’s permission to share information if doing so would interfere with the organization’s ability to respond to the emergency.
Healthcare providers can also share protected health information with anyone to prevent or lessen a threat to the health and safety of a person or the public.
While the Privacy Rule allows these disclosures in circumstances involving threats to public health and safety, limitations apply.
For most disclosures, providers must make try to limit the information they disclose to the “minimum necessary” to accomplish the purpose, according to the OCR bulletin.
Also, in emergency situations, providers must continue to maintain safeguards to protect patient information against intentional or unintentional uses and disclosures that are not permissible.
The HIPAA Privacy Rule is not suspended completely during public health or other emergencies. But HHS may waive certain provisions of the rule under the Project BioShield Act of 2004 and the Social Security Act.