Since September, when Thomas Eric Duncan was first admitted to a hospital, Ebola-fever spread throughout the nation. Not the actual virus, although it did get passed along to eight more people, but the fear. Advice was shared, lawsuits threatened, and jobs lost. Many folks also noticed that the names and information of many of the Ebola victims were finding their way to the media, leaving many wondering if a HIPAA violation had been made.

No one has been found of wrong-doing, as of the time of this writing. But when journalists start tooting their own horn for preventing the spread of Ebola there are many wondering if they owe it all to journalistic sleuthing or if there was a bit more going on. William Maruca writes for HIPAA, HITECH, and HIT:

One web site, Gotnews.com explained in an Exclusive & Breaking report “After learning the address of the unnamed Ebola patient, Gotnews.com editor-in-chief Charles C. Johnson and researcher Shannon Knutsen cross referenced the address with a list of every known occupant.” This begs the question of how they learned her address.  Yahoo news claimed they identified Pham through ”public records and a state nursing database.”  Sounds like impressive detective work, but what additional data did they rely on to narrow down their search, and from what sources?

Resourceful journalists will follow leads, rumors and word-or-mouth reports, but if the sources were hospital personnel who revealed sufficient information about these patients to allow their identification when cross-referenced with public sources, they likely  crossed the line even if they did not reveal patient names, particularly if the leakers had knowledge that the information could be combined with other information to identify the individual.

Credit: Flickr user kokopinto
Credit: Flickr user kokopinto

No matter how they got their material, the Office of Civil Rights (OCR) did not let these issues go unnoticed. Earlier this week they released a bulletin regarding HIPAA in emergency situations with a friendly reminder that covered entities may disclose, without a patient’s authorization, protected health information [PHI] about the patient as necessary to treat the patient or to treat a different patient.” Essentially they’re saying that while some have a, as Maruca puts it, “HIPAA be damned” policy when it comes to outbreaks like Ebola, they won’t stand for it.

As Stephanie Willis summarizes for Privacy and Security Matters, some of the key bullet points for their bulletin were that people should ask themselves these questions before they shared the information: who wants the information, and for what purpose? How urgently do they need the information? And — perhaps most importantly — what information can be given about the patient, with or without patient’s consent?

As the OCR’s brief clearly states:

In general, except in the limited circumstances described elsewhere in this Bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient).

Basically this is an official warning that in the future, OCR won’t take too kindly to individuals’ who are potentially exposed to a communicable disease having their information spread without valid reasons, no matter how fervently media outlets may ask for it. As Lynn Sessions and Scott Kroller write for Data Privacy Monitor, even in the face of Ebola healthcare providers and spokespeople should remember HIPAA and any other state guidelines:

Health care providers should also be mindful that state laws may further restrict the sharing of patient information, even in an emergency, and may not be pre-empted by HIPAA. If faced with treating an Ebola patient or other emergency situation, health care providers are encouraged to not only consult these HIPAA guidelines but to consider state law implications as well.

Of course as of this week the U.S. is Ebola free, so with any luck healthcare providers won’t have to brush up on this for a while.