This question has arisen in recent months during the Ebola scare. Can a health care facility give out protected data without the patient's permission if it concerns public health? The U.S. Department of Health and Human Services' Office of Civil Rights (HHS OCR) recently addressed that question in a special bulletin. The bulletin was sure to remind health care providers that "the protections of the Privacy Rule are not set aside during an emergency." However, "appropriate uses and disclosures" are permitted when necessary. Consider some of those necessary situations covered under HIPAA provisions.
- To Provide Treatment. Private health care data may be shared when necessary to treat the patient or another patient. For example, other health care professionals may need to know the patient's medical history in order to provide consultation on treatment.
- To Notify Public Health Authorities. Information about an emergent public health risk needs to be shared with those responsible for public health and safety. HIPAA privacy law allows for this data to be shared with the Centers for Disease Control and Prevention (CDC), foreign health authorities, and local and state health departments. A common example of this allowance is the reporting of births and deaths to the state authorities.
- To Notify Persons at Risk. If state law allows it, HIPAA has provisions authorizing covered entities to notify family or other persons who may be at risk.
- To Provide Notification. Providers are permitted to share protected data, including notifications of health status, with persons identified by the patient, such as family and friends. This provision may also be used to notify the police, press or public when that action is deemed necessary to identify, locate or notify a patient or family member. It's preferable that health care providers at least get verbal permission to use this means of notification. However, when a patient is unable to communicate, health care providers must use their best professional judgement.
While HIPAA provisions allow for the release of protected data, it is under the principle of "minimum necessary," meaning providers must only release the specific data necessary to accomplish the purpose. In the case of data requested by a public health authority, such as the CDC, health care providers can assume the requested information is the minimum necessary.
Allpoint Compliance Solutions is changing the way providers and health care facilities approach HIPAA compliance. Our easy-to-use portal provides the perfect guide. Contact us to learn more.