Why Ebola News isn’t a HIPAA Privacy Violation

These are some scary times – right now there is a huge outbreak of the Ebola virus in Africa (just in case you were living under a rock), and our first case was diagnosed in Dallas, TX.

Wait, isn’t the release of this information a HIPAA Violation?

Well actually, no. See, HIPAA isn’t here to stop the flow of information; it’s here to stop the flow of Protected Health Information into the wrong hands.

There are provisions in the HIPAA Law that require doctors to release information about patients with communicable diseases like the flu and Ebola(a viral hemorrhagic fever) to the Centers for Disease Control, or CDC.1 That’s how we get those great flu outbreak charts every year. There is a huge list of diseases that are reportable to the CDC here.

Some notifications are required to be sent in writing, like the flu, chickenpox, etc. The scary ones, like Ebola, anthrax, and smallpox, require that the CDC be immediately notified by phone; and rightfully so! This helps the CDC mobilize resources and prepares surrounding hospitals and healthcare workers to know what they are dealing with. These notifications do not require patient authorization! The CDC also has the prerogative to release any patient information they think is required to protect the public. I think we can all agree this is a good thing, and it is definitely for the greater good.

When it comes to the identity of the Ebola patient in Dallas, it was released by the family, not the CDC. This is not a HIPAA violation, since the family is not a Covered Entity, Business Associate, or Business Associate Subcontractor. The release of the patient’s name was a family decision, and hopefully they conferred with the patient before this release. Regardless of their motives, they are allowed to release any information they would like; the arbiter is taste. International attention and the need to contain a virulent disease have created new questions about Privacy Rights versus the public’s right to know.

Now, this doesn’t mean that patient privacy rights go out the window when diagnosed with one of these terrible diseases. The other medical information in the patient’s record is still off limits. This means you still have a duty to protect that patient’s privacy in all other aspects.

One of the American aid workers who contract Ebola was in treatment in Omaha, NE hospital, and two employees, not directly involved in his care, decided to read his chart. They were fired for unauthorized access to the patient’s medical records.

This is great example of how HIPAA is there to protect your privacy, even in the face of a horrible disease.

Updated November 10, 2014

HHS has released a document that highlights what kinds of disclosures are allowed by HIPAA.

1. 45 CFR 164.512(b)(1)(iv)

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2024

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document

Related Posts

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)