When Ebola became big news at Texas Health Presbyterian Hospital, the names of infected patients also became news. Many have scratched their heads wondering how these disclosures failed to trigger HIPAA concerns.
Perhaps the disclosures were breaches of HIPAA obligations. And this breach might be addressed later when the crisis abates. This would only add to the growing pyramid of woes that have hit the risk management and communication departments for Texas Health Presbyterian Hospital.
In a crisis, does HIPAA even apply?
I listened to a CDC-sponsored conference call with doctors from Emory and Nebraska Medical Center discussing how they treated their roster of infected patients. A recording of that conversation is worth accessing online – as the discussion dispels many myths about the history and treatment of the condition. Nonetheless, the patients were identified generically and not by name. Of course the universe of patients treated at these institutions is limited and it’s fairly easy to connect the dots, even if these patients were not mentioned by name.
Next, Texas Health Presbyterian Hospital may have had the patients’ consent to speak publicly. Consent allows “covered entities” to disclose protected health information. The genie was already out of the bottle. Once a team with haz-mat suits showed up at a patient’s house, it was not difficult to identify who these patients were. But, even if the news media “outed” the patients, a covered entity must still keep this information confidential.
There is an exception in HIPAA for matters of public health.
The Privacy Rule permits covered entities to disclose protected health information, without authorization, to public health authorities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability.
Further, HIPAA makes an exception to notify any person at risk for contracting or spreading a particular communicable disease.
A covered entity may disclose protected health information to a person who is at risk of contracting or spreading a disease or condition if other law authorizes the covered entity to notify such individuals as necessary to carry out public health interventions or investigations. For example, a covered health care provider may disclose protected health information as needed to notify a person that (s)he has been exposed to a communicable disease if the covered entity is legally authorized to do so to prevent or control the spread of the disease. See 45 CFR 164.512(b)(1)(iv).
So, with or without a patient’s consent, Texas Health Presbyterian Hospital could report to the CDC, as well as county and state health departments. Further, Texas Health Presbyterian Hospital could warn those who might have been exposed. But, it is unlikely these narrow “exceptions” to HIPAA would make it kosher to speak to the media.
The Journal of American Health Information Management Association (surely on everyone’s must-read list) reported that two Nebraska Medical Center employees were fired for illegally accessing the electronic health records of Richard Sacra, the physician volunteer who was treated in the facility’s isolation unit. This news mirrors the theme of a similar breach involving curious hospital workers: "LA Hospital Fires Six for Privacy Breach After Kardashian Birth." HIPAA does not disappear during a public health crisis – or other events which trigger media scrutiny.