By Matt Fisher, Esq
Twitter: @matt_r_fisher
The recent uproar over Ebola brought HIPAA in emergency situations to the forefront when it comes to what information may be shared and when. The various healthcare facilities that treated Ebola patients were constantly grilled for updates on patients as well as information relating to the movements and other activities of those patients. The public seemed to feel entitled to receive the updates and information because of the perceived public danger represented by a potential Ebola outbreak. Under the framework created by HIPAA, what information can be shared and when? Lessons learned from responses to questions about Ebola treatment can better prepare all healthcare facilities for the next major healthcare event.
The recent Ebola scare provided a couple of examples of activities that should have caused concerns under HIPAA. First, numerous press conferences held by hospitals where patients were being treated for Ebola disclosed information about those individuals, which was ostensibly to understand their condition and who else may have been exposed by the movements of those individuals. Second, the Ebola patients generated a significant amount of curiosity among healthcare facility staff, which in at least two instances at a Nebraska hospital led to hospital staff members accessing the medical records of the Ebola patients.
With regard to healthcare facility interviews, the HIPAA concerns should be self-evident. Generally under HIPAA, a healthcare facility cannot use or disclose individual patient information with a media outlet absent a specific authorization from the individual whose information is being used or disclosed. Protection of health information is a basic principle under HIPAA. However, in some instances, such as a danger to the public health, it may be possible to share protected health information without needing an authorization.
What should a healthcare facility do to ensure that it maintains HIPAA compliance during a public emergency? First, in the event that a press conference or other wide sharing of information to or through the media is deemed necessary or appropriate, the facility should carefully consider whether it can acquire a written authorization from the individual or individuals about whom information will be shared. A written authorization is clearly one of the easiest ways to protect a facility against an allegation of violating privacy rights established under HIPAA. If it is not possible to obtain a written authorization, a healthcare facility may still talk about issues raised by the actual or perceived public health emergency without talking about specifics of an individual’s care or conditions. In the face of a question about a specific patient and that individual’s condition, it may be possible for the facility to provide useful and educational information about the specific issue at hand. In the long run, helping dispel myths and concerns may be more valuable than information about any particular individual.
A facility may also use or disclose protected health information in the face of a serious and imminent threat to the health or safety of an individual or the public. If such a situation exists, a written authorization is not necessary to use or disclose protected health information. Other uses and disclosures where authorization is not necessary include disclosures to a public health official, disclosures to family, friends or other involved in an individual’s care and certain limited directory information. As a bottom line though, healthcare facilities must remember that HIPAA, without an authorization, generally does not permit the use or disclosure of protected health information to a media outlet.
The second issue raised by the Ebola outbreak, namely the accessing of medical records by medical staff, provided yet another example of a common issue of HIPAA non-compliance. Under HIPAA, various medical staff members at a healthcare facility are entitled to access protected health information. Such access needs to be limited to what is necessary to perform a particular individual’s job duties. This means that an individual may not access any medical record maintained at a facility, but only the medical records for those patients that the individual is actively participating in the treatment of. In the case of an Ebola patient at a Nebraska hospital, a couple of hospital staff members not involved in that individual’s treatment looked at the Ebola patient’s medical record out of curiosity. This “snooping” is not permitted under HIPAA and resulted in the termination of those employees.
Proper education and training of employees at healthcare facilities can help to alleviate the potential for violations caused by snooping. Individuals need to be trained in order to understand the limits of what records may be accessed and how information must be protected. Additionally, appropriate sanctions policies should also be in place in the event that snooping does occur. The termination of employees from the Nebraska hospital offers a prime example of an appropriate sanctions policy. Inappropriate and general accessing of medical records cannot be permitted or encouraged and must be addressed as necessary.
In a somewhat surprising and fast reaction to the questions and issues arising from responding to Ebola, the Office for Civil Rights of the Department of Health and Human Services issued “New Guidance on HIPAA in Emergency Situations,” which offers assistance to healthcare facilities in maintaining HIPAA compliance. The guidance reiterates the requirements of the HIPAA Privacy Rule, but does provide examples of how protected health information may be used and disclosed in the face of a public emergency. For example, information can be shared with government agencies authorized to collect or receive information; healthcare facilities may also notify persons at risk of contracting or spreading a disease or condition, if allowed by some other law; to prevent a serious and imminent threat to the health and safety of an individual or the public; or limited information from a healthcare facility’s directory such as general condition may be released upon request if the individual is identified by name. When using and disclosing information, healthcare facilities should still keep the minimum necessary requirements in mind.
As can be seen, the concern about Ebola provided the opportunity for many lessons to inform future responses to public health dangers. The key for any future response is to understand rights and obligations under HIPAA of all involved from healthcare facilities to individuals. As with any situation, a comprehensive and accurate understanding of HIPAA’s requirements will help to a large degree. Additionally, education and training of employees is essential. It is hard to expect individuals to be compliant if they do not know the laws and regulations that they must be following. Accordingly, the healthcare industry should use this opportunity to learn from the Ebola response and take the time to develop plans for future responses.