HIPAA Privacy and Public Health Emergency Situations

In light of the Ebola outbreak, the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) has issued a bulletin reminding health care providers and other covered entities that the protections of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule remain in force; in OCR’s words, “the protections of the Privacy Rule are not set aside during an emergency.”  OCR cautions that in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against impermissible uses and disclosures.  Thus, covered entities and their business associates should review the HIPAA Privacy Rule to ensure that uses and disclosures in emergency situations are appropriate, and should provide training and reminders to employees.

HIPAA recognizes that under certain circumstances it may be necessary to share patient information without authorization.  OCR’s bulletin notes that covered entities may disclose protected health information without a patient’s authorization as necessary to treat the patient or a different patient.  HIPAA also allows covered entities to release patient information without authorization for certain public health activities.  A covered entity may disclose protected health information to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability.  Information may also be shared at the direction of a public health authority to a foreign government that is acting in collaboration with the public health authority.   In addition, health information may be shared with persons at risk of contracting or spreading a disease or condition if authorized by law.  Finally, health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public consistent with applicable law and ethical standards.

There are additional circumstances that allow the disclosure of protected health information.  A covered entity may disclose protected health information to a patient’s family members, relatives, friends, or other persons whom the patient identifies as being involved in the patient’s care, and to disaster relief organizations.  Covered entities should review the specific circumstances that allow the release of this information.

Covered entities should also review whether the minimum necessary requirement applies.  For most disclosures, but notably not disclosures to health care providers for treatment purposes, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose.

Although the media has reported many details about Ebola patients, HIPAA is not suspended when providing information to the media about Ebola or other public health emergencies.  Therefore, covered entities should carefully review the rules surrounding disclosures to the media or others not involved in the care of the patient.  If the media requests information about a particular patient by name, a health care facility may release limited facility directory information to acknowledge that the individual is a patient and provide basic information about the patient’s condition in general terms, if the patient has not objected to or restricted the release of this information.  Information about an incapacitated patient, however, may only be released if the disclosure is believed to be in the patient’s best interest and is consistent with the patient’s prior expressed preferences.  General information about a patient’s condition includes critical or stable, deceased, or treated and released.  OCR cautions that affirmative reporting or disclosure to the media or the public at large about an identifiable patient or specific information may not be done without the patient’s or an authorized personal representative’s written authorization, unless one of the limited circumstances described elsewhere in OCR’s bulletin is applicable.

Although HIPAA is not suspended during a public health or other emergency, the HHS Secretary may waive certain provisions under the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act.  The limited waiver applies to certain sanctions and penalties of the Privacy Rule if the President declares an emergency or disaster and the HHS Secretary declares a public emergency.  The waiver only applies in the emergency area and for the emergency period identified; to hospitals that have instituted a disaster protocol; and for up to 72 hours after the hospital implements its disaster protocol.  Once the Presidential or Secretarial declaration ends, a hospital must comply with the entire Privacy Rule, even if less than 72 hours have elapsed since the hospital implemented its disaster protocol.

Balancing the Tension Between Treating an Ebola Patient and Protecting Staff and Other Patients

Well, the Ebola scare is all everyone is talking about.  A colleague brought up an interesting question earlier in the week: What sort of potential liability do health care facilities face from it?

There are lawsuits anticipated from the family of the first victim as well as at least one of the infected health care workers who treated him.  With respect to the first of those, from what I read, the potential lawsuit seems doomed.  With respect to the health care workers, if the treatment protocols were as inconsistent and ineffective as claimed, then they likely will have a better chance of success under OSHA or workers’ comp laws.

I’m more interested in what might happen if other patients become sick.  Hospital-acquired infection cases are not novel; they’ve been tried for decades.  The general consensus of plaintiffs’ lawyers is that they are difficult but not impossible to win.  That difficulty only increases with the publication of comprehensive Ebola treatment guidelines by the Centers for Disease Control and Prevention (assuming hospitals follow them, of course).

But “difficult” is not “impossible.”  And, even setting aside liability concerns, hospitals and other health care facilities understandably may be reluctant to expose their health care workers to Ebola patients.  One way to address this concern is to systematically transfer patients to specialized care facilities designed to contain Ebola and similar viruses – and indeed, it appears that the federal government already is going down that road.  But if the crisis grows, there is no guarantee that beds will be available in those bio-containment units, and in any event, a transfer takes time, and it is likely that an Ebola patient will require on-site treatment for hours or days before the patient can be transferred.

That’s the important point to note.  Treatment will be required.  Hospitals cannot just isolate patients and wait – without treating them – until they can be transferred, or they die (if no transfer is available).  If nothing else, as the victim’s family’s potential lawsuit shows, hospitals are at risk of being sued for malpractice if they fail to provide adequate care.  So a facility is going to have to balance the competing obligations of minimizing contact between the Ebola patient and health care workers and providing a sufficient level of care.

What is the proper balance on that score?  I’m afraid I don’t have a good answer, probably because there isn’t one.  A lot of it will have to do with how many new patients present with Ebola, and what their acuity levels are.  But health care facilities need to recognize that it’s a “damned if you do, and damned if you don’t” situation.  If nothing else, it’s probably advisable for hospitals to start thinking now about how they will respond to that unenviable dilemma.
