In the wake of the recent Ebola outbreak, the U.S. Department of Health and Human Services (“HHS”) has issued a guidance on how the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies in emergency situations. The guidance attempts to strike a balance between preserving patients’ privacy rights and the need to disseminate information to protect public health.

HIPAA has always permitted certain disclosures of patient health information when necessary to treat a patient or as necessary to protect the nation’s public health. For example, HIPAA allows the disclosure of protected health information without individual authorization to a public health authority, such as the Centers for Disease Control and Prevention (“CDC”), a local health department, or persons at risk of contracting or spreading disease. Recently, the Ebola epidemic in Africa and the first confirmed case of Ebola in the U.S. have put a spotlight on these privacy issues.

To help guide covered entities, the HHS bulletin provides additional clarification on the permitted uses of protected health information in emergency situations. For example, HHS reiterates that health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. Along those same lines, HHS explicitly allows the disclosure of protected health information to disaster relief organizations such as the American Red Cross. While HHS generally recommends getting patient permission, the covered entity need not obtain permission if doing so would interfere with the disaster relief organization’s ability to respond to the emergency.   Read More>>