
Ebola and patient privacy: Is your hospital prepared?


Ebola has reached the US, and hospitals across the country are preparing for the potential that patients will need to be screened and treated. Your hospital may have considered issues such as how to prevent the virus from spreading and how to identify patients who have, or may have, Ebola. Has your hospital, however, considered how to protect the privacy of these patients? Understanding your hospital’s obligations to protect patient privacy is important, as a violation could trigger significant consequences, such as monetary fines and investigation by the federal government.

Unlike infection control measures, which differ for suspected Ebola cases, hospitals’ privacy and security obligations are the same for all patients, regardless of whether they have, or may have, Ebola. When addressing the health care needs of a potential Ebola patient, your hospital must continue to comply with the federal and state laws and rules that govern patient privacy, including the Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires hospitals in the US to maintain the confidentiality, integrity and availability of their patients’ protected health information (PHI) by:

  1. Limiting how hospitals may use and disclose PHI
  2. Establishing patient rights regarding their PHI

The greatest Ebola-related privacy risk to your hospital is the impermissible disclosure of, access to, or use of the PHI of a patient who has, or may have, Ebola. Media coverage of the Ebola outbreak may mistakenly lead your workforce members, including your employees, volunteers and trainees, to believe that it is permissible to freely disclose information about patients who have, or may have, Ebola. Fear or curiosity may lead them to impermissibly access the information your hospital maintains about these patients. If your workforce members take such actions without a legitimate treatment reason to do so, your hospital may be in violation of HIPAA, as well as similar state laws.

As your hospital prepares for the possibility of treating a patient who has, or may have, Ebola, remind your workforce members of their obligations under HIPAA. For example, workforce members must never share the PHI of a patient (with or without Ebola) unless they are permitted to do so, such as with another workforce member who is treating the patient. Workforce members must also never access a patient’s PHI unless they require the information to treat the patient (or, in some cases, another patient of the hospital) or to perform some other administrative function that falls within the scope of their job description. Your hospital must also be prepared to take necessary actions if a violation occurs. In this regard, consider the case of two employees at Nebraska Medical Center who were fired in September for inappropriately accessing the electronic medical records of Dr. Rick Sacra, a physician being treated at the medical center after he contracted Ebola while providing aid in Liberia.

While there are many prohibitions against the use or disclosure of PHI, your hospital is permitted under HIPAA to make non-treatment related disclosures of PHI in specified, limited circumstances. Among these exceptions to HIPAA’s general prohibition against disclosure of PHI, your hospital may disclose PHI:

  • For treatment or payment purposes
  • To a public health authority authorized by law to receive the information for purposes of preventing or controlling disease
  • To a person who may have been exposed to a communicable disease or who may otherwise be at risk of contracting or spreading a disease or condition, if your hospital is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation

Your hospital may disclose the identity of an Ebola patient to the CDC. Your hospital may also notify individuals who may have come into contact with the Ebola patient and are at risk of contracting the virus themselves. Importantly, this latter permission does not allow your hospital to disclose the identity of the Ebola patient to the media. Absent one of these circumstances, your hospital is generally prohibited from disclosing information about an Ebola patient unless the patient (or the patient’s personal representative) has signed a valid HIPAA authorization allowing you to do so.

If your hospital uses or discloses the PHI of a patient (with or without Ebola) in violation of HIPAA, it may incur significant monetary penalties, which may amount to several million dollars. Given the media attention Ebola has drawn, any Ebola-related HIPAA violation may increase the risk that the Office for Civil Rights, the government agency responsible for enforcing HIPAA, will conduct an investigation of your hospital, which in turn increases the risk and severity of penalties.


Brad Rostolsky and Jennifer Pike

Brad Rostolsky is a partner in the Life Sciences Health Industry Group in Reed Smith’s Philadelphia office. With a focus on healthcare regulatory and transactional law, he leads the LSHI group’s HIPAA and Health Privacy & Security Practice. Rostolsky has extensive experience advising clients on all aspects of health information privacy and security compliance in all areas of the health care industry.
Jennifer Pike is an associate in the Life Sciences Health Industry Group in Reed Smith’s Washington, DC, office. Her practice focuses on health care law, including regulatory compliance and enforcement matters, with a specific emphasis on entities regulated by the FDA.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.
