The Ebola virus' presence in the U.S. is surrounded by a complex web of legal and political issues in addition to the drastic health risks the virus poses. Most recently, disputes regarding states' individual Ebola protocols that impose more rigorous quarantine guidelines than those outlined by the Centers for Disease Control and Prevention have gained media attention, but other issues, such as the privacy rights of Ebola patients, also require careful consideration.
Federal laws like the Health Insurance Portability and Accountability Act combined with others make for a complex legal landscape, according to a recent article published in the JD Supra Business Advisor. The presence of the Ebola virus complicates the actions surrounding these laws however, as the level of information shared about the condition of an Ebola patient could have life or death consequences for the patient, his or her healthcare providers and the public.
The following list describes privacy issues associated with the Ebola virus, according to the article.
1. Patients' family and friends. At a certain point in the course of the Ebola virus, a patient will become incapacitated. In such cases, if the patient has not outlined specific instructions or authorization for who the healthcare providers should communicate information about his or her condition to, HIPPA requires healthcare providers to use their own judgment to determine whether communicating with an individual involved in the patient's care is in the best interests of the patient, according to the article. Furthermore, the information the healthcare provider passes on to a family member or friend should only contain information directly relevant to the individual's involvement in the patient's care. According to the article, state laws may determine who can receive information about the patient and make medical decisions on his or her behalf if the patient is disabled.
2. Healthcare facility employees. According to the article, employee snooping is a privacy risk, especially among high-profile patients. Furthermore, the use of EHRs makes accessing patient medical records even easier. The authors of the article suggest using the media presence surrounding an Ebola patient at a facility as a chance to remind hospital employees of their HIPAA responsibilities and that monitoring employee access to Ebola patient information is essential for maintaining privacy. Additionally, providing hospital employees with appropriate information regarding an Ebola patient will protect them from exposure and make them less likely to inappropriately access the patient's medical record.
3. The media. Media outlets are not covered by HIPAA mandates and are therefore not subject to HIPAA restrictions once they obtain information regarding an Ebola patient, according to the article. While HIPAA prohibits healthcare organizations treating Ebola patients from disclosing information on a patient's condition to the media without his or her consent, the articles' authors suggest organizations should seek authorization from the patient or the patient's representative for media coverage. While recognizing the risks involved in a significant media presence, the article acknowledges the media's role in preserving public health by providing timely and accurate information regarding infected patients.
4. Public health authorities. HIPAA regulations contain exceptions that permit healthcare organizations to share information regarding Ebola patients to state and federal public health authorities, such as the CDC and state and local departments of health, according to the article. However, these exceptions do not always clearly denote exactly who the healthcare organization should be disclosing information to. For example, by definition, HIPAA can divulge an Ebola patient's medical information to an agency or authority of the U.S. or state that is responsible for public health matters as long as this entity is authorized by the law to obtain this information as part of a disease controlling effort. While the purpose of the CDC is clearly to do this, other entities requesting information may not technically fall under the exception.