Why Ebola News isn’t a HIPAA Privacy Violation

These are some scary times – right now there is a huge outbreak of the Ebola virus in Africa (just in case you were living under a rock), and our first case was diagnosed in Dallas, TX.

Wait, isn’t the release of this information a HIPAA Violation?

Well actually, no. See, HIPAA isn’t here to stop the flow of information; it’s here to stop the flow of Protected Health Information into the wrong hands.

There are provisions in the HIPAA Law that require doctors to release information about patients with communicable diseases like the flu and Ebola (a viral hemorrhagic fever) to the Centers for Disease Control, or CDC.[1] That’s how we get those great flu outbreak charts every year. There is a huge list of diseases that are reportable to the CDC here.

Some notifications are required to be sent in writing, like the flu, chickenpox, etc. The scary ones, like Ebola, anthrax, and smallpox, require that the CDC be immediately notified by phone; and rightfully so! This helps the CDC mobilize resources and prepares surrounding hospitals and healthcare workers to know what they are dealing with. These notifications do not require patient authorization! The CDC also has the prerogative to release any patient information they think is required to protect the public. I think we can all agree this is a good thing, and it is definitely for the greater good.

When it comes to the identity of the Ebola patient in Dallas, it was released by the family, not the CDC. This is not a HIPAA violation, since the family is not a Covered Entity, Business Associate, or Business Associate Subcontractor. The release of the patient’s name was a family decision, and hopefully they conferred with the patient before this release. Regardless of their motives, they are allowed to release any information they would like; the arbiter is taste. International attention and the need to contain a virulent disease have created new questions about Privacy Rights versus the public’s right to know.

Now, this doesn’t mean that patient privacy rights go out the window when diagnosed with one of these terrible diseases. The other medical information in the patient’s record is still off limits. This means you still have a duty to protect that patient’s privacy in all other aspects.

One of the American aid workers who contracted Ebola was in treatment at an Omaha, NE hospital, and two employees, not directly involved in his care, decided to read his chart. They were fired for unauthorized access to the patient’s medical records.

This is a great example of how HIPAA is there to protect your privacy, even in the face of a horrible disease.

Updated November 10, 2014

HHS has released a document that highlights what kinds of disclosures are allowed by HIPAA.

1. 45 CFR 164.512(b)(1)(iv)
