Ebola Brings HIPAA to the Forefront
By Joyce Frieden, News Editor, MedPage Today -- http://www.medpagetoday.com/PublicHealthPolicy/PublicHealth/48085

When does the safety of many trump the privacy of one? That is the challenge to the Health Insurance Portability and Accountability Act (HIPAA) in the age of Ebola.

HIPAA was passed in 1996 amid a storm of controversy. From the very beginning, critics of all ideologies panned the law, which set out rules for protecting the privacy of patient health records, according to Daniel Solove, JD, of George Washington University in Washington.

"Privacy advocates were disappointed that HIPAA allowed many uses and disclosures of information without patient consent," Solove, who is also the founder of TeachPrivacy, a privacy/data security training company, wrote last year in the Journal of AHIMA, published by the American Health Information Management Association.

On the other hand, "doctors complained that they wouldn't be able to have office sign-in sheets or speak to family members about each other's health. There was fear and confusion," he noted.

Eventually, much of the confusion was sorted out. But HIPAA breaches continue to occur, according to the Department of Health and Human Services (HHS).

Violations on the Increase

For example, in 2013, HHS received reports of 12,915 potential HIPAA violations. That contrasts with 6,534 violations reported in 2004, a number which gradually increased -- except for a one-time dip in 2009 -- to 10,454 in 2012 and then to nearly 13,000 a year later.

Also in 2013, the agency said it resolved 14,300 HIPAA complaints (some of which likely had been received in prior years); of those, 69% were listed as "resolved after intake and review," 24% had "corrective action obtained," and 7% were determined to not involve any violation.

Now, as concern about Ebola reaches a fever pitch, a HIPAA violation has popped up in Nebraska, where two hospital employees were fired in September for looking at an Ebola patient's medical records in violation of the rule, according to media reports.

And a HIPAA-related question is emerging: do HIPAA-endowed privacy rights trump the public's need to know about a patient with a communicable disease?

For instance, very little information is known about an Ebola patient currently being treated at Emory University in Atlanta, including the patient's name or condition.

"We are still treating the patient with Ebola virus disease at Emory University Hospital, but we do not have a condition update," Emory representatives told CNN on Oct. 6. The patient is apparently a physician who was infected in Sierra Leone, where he was working for the World Health Organization.

Patients Can 'Opt Out'

In Dallas, where one patient, Thomas Eric Duncan, died from the disease, officials at Texas Health Resources, owner of the hospital where Duncan was treated, issued a news release Monday noting that "Patient privacy regulations govern what information hospitals (known as 'covered entities') may release about a patient."

The release explains that patients have the option of being a "No Information Patient" or of "Opting out of Directory Information." In those cases, "no information can be shared about the patient with the general public who may call or ask about the patient. ... This includes confirming that the person is a patient."

However, the release added that "organizations and individuals that are not 'covered entities' may not have the same restrictions and may be able to disclose information about an individual who is a patient."

Michelle De Mooy, deputy director for consumer privacy at the Washington-based Center for Democracy and Technology, said that in the case of Ebola exposure, "only a covered entity (normally an employee is designated to do this) that is authorized to prevent or control the migration of the disease can let someone know if they have been exposed to the disease through contact or shared space with the infected person."

So "when the hospital workers in Nebraska looked at the records of the doctor with Ebola, they still violated HIPAA, but when the 'hospital' officially announced the negative test results of a deputy sheriff in Dallas who was tested for Ebola, they did not," she told MedPage Today in an email. "My guess is their explanation for publicly announcing this would be to keep the community from panicking."

As for the unnamed patient at Emory, if he or she did not agree to any disclosure, "Emory is restricted to reporting the patient's condition but nothing else," as opposed to the Dallas hospital that was treating Duncan, who had been talking to the press voluntarily, De Mooy said.

She added, however, that "The public's right to know in the context of public health does trump HIPAA, by design -- the Privacy Rule allows authorities to warn anyone who might have come into contact with the patient -- this is in the best interest of all parties."

Reasons for Maintaining Privacy

Deven McGraw, JD, LLM, a partner in the healthcare and privacy groups at the Manatt, Phelps and Phillips law firm in Washington, pointed out that Emory might have very good reasons for not broadcasting information about its Ebola patient. "If their information was broadcast to the public, it could put them in danger," she told MedPage Today in a phone interview.

"Second, what are the incentives to present yourself for care if the downsides to doing so are that you're going to be made a pariah and your condition will be broadcast to the world? If you create a disincentive for people to come in and be tested ... so they can be isolated and quarantined, we've got a bigger problem on our hands."

Overall, "the language in HIPAA strikes the right balance, but it does leave a fair amount to the interpretation of the covered entity involved," she said.

Art Caplan, PhD, director of the medical ethics division at the NYU Langone Medical Center in New York City, said patients' names weren't necessarily that important to know, "but we need more than we are getting."

"If the authorities want to retain public confidence, which the events in Dallas are threatening to undermine, then the usual privacy provisions must be stretched a bit to give more insight into what is going on with Ebola patients, those exposed, and the staff," he wrote in an email.

De Mooy agreed. "With Ebola, I think the message from officials has been confusing for the public -- for example, the CDC director first saying he was confident we would stop the outbreak, then saying Ebola could be our next AIDS, then abruptly tamping down the message after political pressure," she said.

"The media has also had a hand in hyperbolizing the issue by feeding it to the 24-hour news cycle. So people aren't sure whether to be scared or not, and, in my opinion, the key is to just give the public accurate information (what's happened, what's being done, what is next) as often as possible and as visibly as possible."