If you encounter a patient that you suspect may have ebola, do you want to waste time wading through the HIPAA Privacy Rule to figure out whether you can report the matter to public health officials and, if so, under what conditions? Don’t think so, do you?
On its website, the Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”), Civil Rights, Health Information Privacy, Frequently Asked Questions, gives guidance in this area. It notes that the Privacy Rule permits covered entities to disclose protected health information (“PHI”), without individuals’ authorization, to public officials responding to a bioterrorism threat or other public health emergency. Thus, covered entities may disclose PHI, without the individual’s authorization, to a public health authority acting as authorized by law in response to a bioterrorism threat or public health emergency (emphasis added).
In addition, to help you make the determination whether such a disclosure is proper, DHHS has provided on its website a decision tool, Disclosures for Emergency Preparedness—A Decision Tool.”
Parenthetically, the author, as an experienced trial lawyer, would rather err on the side of protecting the public from such a deadly disease than be concerned about being sued for a breach of confidentiality.