HIPAA and Ebola: OCR Issues Bulletin

In light of the Ebola outbreak and other recent events, the Office of Civil Rights (OCR) recently released a bulletin to remind providers of the ways in which the HIPAA Privacy Rule allows Protected Health Information (PHI) to be shared in emergency situations.

The bulletin serves as a reminder of the following HIPAA permissible uses and disclosures and exceptions:


  1. The bulletin reminds providers that they can always disclose PHI for treatment purposes including consultations and referrals.
  2. Public Health Activities. The bulletin reminds providers of the various situations where PHI may be disclosed for public health activities, including:
    1. To a public health authority (e.g., to report to the CDC or a state or local health department that is authorized by law to receive the information for the purpose of preventing/controlling disease);
    2. At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority; and
    3. To persons at risk of contracting or spreading the disease or condition if authorized by other law (e.g., by state law).
  3. Disclosures to Family, Friends and Others Involved in Patient’s Care. PHI may be disclosed to friends or family members who are involved in the individual’s care. For such disclosures, the patient must be given the opportunity to object unless the provider can infer from the circumstances that the patient does not object. If the patient is incapacitated or otherwise unavailable to object, the provider may share information if in their professional judgment they determine that doing so is in the patient’s best interest. A provider may also share PHI with disaster relief organizations (e.g., American Red Cross) for purposes of notifying the family of the patient’s location or death.
  4. Imminent Danger. Providers may share PHI with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public consistent with applicable law (e.g., state law) and ethical standards.
  5. Release of Facility Directory Information. The bulletin reminds hospitals and health care facilities that in response to a request for information about a patient by name, the hospital or health care facility may release limited facility directory information to acknowledge that the patient is in the facility and the patient’s condition in general terms (e.g., critical/stable/deceased/treated and released).  This information can be released only if the patient has not objected to the release of such information (or if the patient is incapacitated and the disclosure is thought to be in the best interests of the patient and consistent with the patient’s prior expressed preferences).
  6. Disclosures to Media Prohibited. The bulletin reminds providers that, other than the permissible directory disclosures described above, specific information about a patient cannot be disclosed to the media (including information about test results or details of a patient’s illness).
  7. The Minimum Necessary Rule. The bulletin also reminds providers that all disclosures described in the bulletin, other than those for treatment purposes, must be made in compliance with the minimum necessary rule, i.e., information must be limited to that which is the “minimum necessary” to accomplish the purpose. Providers may rely on representations from public health authorities or public health officials that the requested information is the minimum necessary.

The bulletin also notes that the Secretary of HHS may waive certain provisions of the Privacy Rule if the President declares an emergency or disaster and the Secretary of HHS declares a public health emergency.
