A patient arrives at your facility with Ebola-like symptoms. After taking the necessary precautions, you run the requisite tests, conduct a patient interview, and determine that in fact the patient has contracted the Ebola virus. You also learn that the symptoms have been present for a couple of days, but like many people, the patient delayed seeking treatment until the symptoms got worse. After questioning the patient, you discover that since returning from West Africa one week earlier, the patient has returned to work, visited with family, attended church, and been shopping at the local mall, all while exhibiting symptoms. Thus, hundreds of people living in the community have potentially been exposed. What do you do? What information can you release to the public? Do you need the patient's consent to warn the public about the potential exposure?
The U.S. Department of Health and Human Services, Office for Civil Rights ("OCR"), the entity responsible for overseeing compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), recently issued guidance on how to address HIPAA privacy in emergency situations, such as the one described above. Importantly, while there are a number of ways in which protected health information can be shared in an emergency situation, you should keep in mind that the protections of HIPAA are not set aside during an emergency. Thus, while it is important to alert the public to the potential exposure, it must be done in a manner that is compliant with HIPAA. HIPAA, however, does provide several mechanisms through which information may be released:
Public Health Activities: Information protected by HIPAA may be shared without patient consent or authorization to certain public health authorities for certain public health activities. For example, you may disclose to the Centers for Disease Control and Prevention ("CDC") information required for reporting cases of patients exposed to or suspected of having the Ebola virus. In addition, if other law, such as state law, authorizes you to notify persons at risk of contracting or spreading the disease, you may do so as necessary to prevent or control the spread of the disease.
Imminent Danger: Consistent with applicable laws and standards of ethical conduct, information protected by HIPAA may also be shared without patient consent or authorization as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
Persons Involved in Patient's Care: Information protected by HIPAA may also be shared without patient consent or authorization with a patient's family members, relatives, friends, or other persons identified by the patient as being involved in the patient's care. You should obtain verbal permission from the patient before doing so, if possible, or be able to reasonably infer that the patient does not object to such disclosure. Further, the information released may only be that which is directly relevant to the person's involvement in the patient's care.
Facility Directory: Upon request for information regarding a particular patient by name, and as long as a patient has not objected, you may release limited facility directory information to acknowledge that a person is a patient and provide general information regarding the patient's condition (e.g., treated and released, deceased, stable, etc.). However, this provision does not allow you to initiate reports to the media about a patient or disclose detailed information regarding specific tests, procedures, treatment, etc.
Patient Authorization: Finally, the simplest and most straightforward way to release information to the public is to obtain written authorization from the patient allowing you to do so. The written authorization must be compliant with HIPAA and must cover the disclosure being made. If the patient will not provide written authorization for the disclosure, the disclosure must fall under one of the items listed above (or another applicable provision of HIPAA) in order to be released.
Additional information on the types of disclosures HIPAA does and does not allow in emergency situations is available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/emergencysituations.pdf.
Kelli Fleming is a partner at Burr & Forman LLP who works exclusively within the firm's Health Care Practice Group.