HHS Releases HIPAA Guidance on Ebola, Other Public Health Emergencies

Federal health privacy officials have issued new guidance on managing patient privacy rights in the middle of public health crises such as the emergence of Ebola in the US.

When a civilian Ebola patient and American healthcare workers exposed to the disease returned to the US from West Africa this fall, HIPAA violations, provoked by widespread fear of infection, led to broken protocols. For example, two hospital workers in Nebraska were fired for illegally accessing the EHR of an Ebola patient being treated in their facility.

In guidance released to HIPAA-covered entities and their business associates this month by the US Department of Health and Human Services' Office for Civil Rights, officials called for the industry to be “aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.”

The statement covered guidelines for sharing patient health information (PHI) for the purposes of treatment; to public health authorities; to family, friends, and others involved with a person’s care; in the event of imminent danger; and disclosures to the media.



Since a key to containing Ebola is timely notification of individuals who have been exposed to it through contact with an infected individual, it’s important that providers and HIM professionals are aware of what HIPAA says in these scenarios. The guidance reiterates that HIPAA allows covered entities to disclose PHI about a patient, without their authorization, to treat another person, to alert public health authorities, and to alert people at risk.

The guidance does take care to note that covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.

However, the HHS Secretary has the power to waive certain HIPAA and Social Security Act provisions if the President declares a public health emergency. The Secretary may then waive sanctions and penalties against hospitals that don’t comply with the following HIPAA provisions:

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • The requirement to honor a request to opt out of the facility directory
  • The requirement to distribute a notice of privacy practices
  • The patient’s right to request privacy restrictions
  • The patient’s right to request confidential communications

