How may a patient’s private health information be used during a health emergency?

In response to the Ebola outbreak, the United States Department of Health and Human Services’ Office for Civil Rights (OCR) has released a bulletin to clarify the ways in which patient information may be shared under the HIPAA Privacy Rule.

The bulletin reminds practitioners that although HIPAA protections are not set aside during an emergency, the privacy rule recognizes the legitimate need for public health authorities to have access to protected health information necessary to carry out a public health mission.

Thus, the HIPAA allows the disclosure of necessary protected health information without a patient’s individual authorization in the following circumstances:

  • To a public health authority (such as the CDC) that is authorized by law to collect such information for the purposes of preventing or controlling disease, injury or disability
  • At the direction of a public health authority, to a foreign government agency acting in collaboration with the public health authority
  • To persons at risk of catching or spreading a disease if other law (such as state law) authorizes such notification to prevent or control the spread of disease or to carry out public health interventions

The OCR also specifies other times when protected patient information may be shared, including when there is imminent danger to a person or the public, and when disclosures to the media are allowable.

Ann W. Latner, JD, a former criminal defense attorney, is a freelance medical writer in Port Washington, N.Y.