This month, the Office for Civil Rights of the US Department of Health and Human Services released a bulletin clarifying how the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 applies "in light of the Ebola outbreak and other events." The bottom line is that "the protections of the Privacy Rule are not set aside during an emergency."
There are some circumstances under which covered entities (i.e., the health care agencies to which HIPAA applies) may disclose protected patient information without the patient's permission. This includes information "necessary to treat the patient or to treat a different patient." As used in this setting, "treatment" includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.
Covered entities may also share patient information with public health authorities such as the CDC. They may also disclose to certain persons at risk of contracting the disease and family members, but only under limited circumstances as determined by other law, extenuating circumstances, or the patient's consent.
The types of disclosures least likely to pass HIPAA muster are disclosures to the news media and others not involved in the patient's care. "In general, except in the limited circumstances," says the HHS bulletin, "affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient)."
This means that covered health care entities should be especially vigilant to remind their employees, volunteers, and business associates (all of whom are covered by the Privacy Rule) about the applicable social media policies during times of intense public attention on Ebola and other public health crises. Experience has shown that health care workers are just as prone as others to leak confidential information online when they think others would be interested in knowing. Even oblique references to a patient being treated for Ebola or another notorious disease could be enough to land the person's employer in trouble under the Privacy Rule.