HHS: HIPAA Privacy Rule Allows Disclosure Of Some Patient Information in Emergencies

BNA’s Health Care Daily Report™ sets the standard for reliable, high-intensity coverage of breaking health care news, covering all major legal, policy, industry, and consumer developments in a...

By James Swann

Nov. 10 — The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule allows for the disclosure of protected health information (PHI) without patient permission in public health emergency situations, such as the ongoing Ebola outbreak, according to a bulletin from the Department of Health and Human Services Office for Civil Rights, released Nov. 10.

The bulletin said the Privacy Rule “protects the privacy of patients’ health information (protected health information) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.”

Covered entities may share protected health information with public health authorities “for the purpose of preventing or controlling disease, injury or disability,” the HHS says.

For example, covered entities may share PHI with public health authorities “for the purpose of preventing or controlling disease, injury or disability,” the HHS bulletin said.

PHI also can be shared with foreign governments, as well as with individuals who might be at risk of infection or disease, all without patient permission.

Allowable Disclosures

The HHS bulletin outlines several other instances where PHI disclosures are allowed without patient permission, including when patients are undergoing treatment and the information is needed to improve coordination of care and when patients represent an imminent danger to public health.

Disclosures also are allowed to a patient's family or friends who are involved in the provision of care. In lieu of disclosing PHI directly to family and friends, the information can be shared with disaster relief organizations, such as the Red Cross, which may use the PHI to coordinate care with a patient's family or friends or inform them of a patient's death, the HHS said.

In public health emergencies, PHI can be disclosed to media organizations, albeit in a limited fashion, such as “facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.”

‘Minimum Necessary' Limits

Although acknowledging that PHI can be shared without patient permission, the HHS bulletin said covered entities disclosing PHI, even in emergency situations, must do all they can to make sure they are sharing only the “minimum necessary” information.

Covered entities can rely on reassurances from public health authorities that the information being requested is the minimum necessary for the particular public health emergency, the HHS said.

“For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose,” the bulletin said.

To contact the reporter on this story: James Swann in Washington at jswann1@bna.com

To contact the editor responsible for this story: Kendra Casey Plank at kcasey@bna.com