HIPAA in the Time of Ebola

Lawrence Tabas
Obermayer Rebmann Maxwell & Hippel LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Ebola has recently been the source of much concern, and health care providers and hospitals are taking steps to prepare themselves for the possibility of treating patients with Ebola. In addition to all of the medical preparations underway, covered entities and business associates must also continue to be aware of the protections in place that limit the uses and disclosures of a patient’s protected health information (“PHI”), even in an emergency situation. The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), recently released a bulletin to provide guidance to covered entities and business associates about the ways in which PHI may be shared in an emergency under the HIPAA Privacy Rule. As the OCR emphasizes in its bulletin, the “protections of the Privacy Rule are not set aside during an emergency.”

Some highlights from the bulletin are as follows:

  • Treatment – Covered entities may disclose PHI without patient authorization for “treatment” as defined by HIPAA.
  • Public Health Activities – Covered entities may disclose PHI without patient authorization to a public health authority that is “authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability.” A public health authority would include the Centers for Disease Control and Prevention (“CDC”) or a state or local health department.
  • Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification – A covered entity may “release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released).” Unless a covered entity has received a patient’s written authorization, it may not disclose specific information (e.g. tests, test results, illness details) to the public or media.
  • Minimum Necessary – Covered entities must follow a minimum necessary standard when disclosing PHI. That is, “a covered entity must make reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary’ to accomplish the purpose.” If a covered entity is contacted by the CDC with a request for PHI, the OCR states that it is acceptable for the covered entity to assume that the information requested is the minimum necessary for the CDC’s purpose.
  • Business Associates – Before making any disclosures of PHI, business associates should review their business associate agreements. Business associates may only make disclosures of PHI as permitted by their business associate agreements.

This post is only intended to be a short summary of the OCR’s bulletin. A copy of the bulletin is available here.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Obermayer Rebmann Maxwell & Hippel LLP

Written by:

Obermayer Rebmann Maxwell & Hippel LLP
Obermayer Rebmann Maxwell & Hippel LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Obermayer Rebmann Maxwell & Hippel LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide