The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule allows for the disclosure of protected health information (PHI) without patient permission in public health emergency situations, such as the ongoing Ebola outbreak, according to a bulletin from the Department of Health and Human Services (HHS) Office for Civil Rights, released Nov. 10. The bulletin said the Privacy Rule “protects the privacy of patients’ health information (protected health information) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.” For example, covered entities may share PHI with public health authorities “for the purpose of preventing or controlling disease, injury or disability,” the HHS bulletin said. PHI also can be shared with foreign governments, as well as with individuals who might be at risk of infection or disease, all without patient permission. Allowable Disclosures The HHS bulletin outlines several other instances where PHI disclosures are allowed without patient permission, including when patients are undergoing treatment and the information is needed to improve coordination of care and when patients represent an imminent danger to public health. Disclosures also…
