There has been a swell in conversation surrounding health practitioners' approach to securing data in recent cases. While avoiding HIPAA violations should be a priority for all medical centers, there's at least one situation in which protected data can and should be shared: public health emergencies. If there's a current threat, then the government can suspend the need for permission, but it's more complicated than a simple order.
In a bulletin from the Department of Health and Human Services (HHS), the government agency recently explained the different circumstances in which HIPAA-covered entities can disclose information. Due to the current spread of Ebola, the government noted the need for certain participating centers to observe best practices when releasing personal data.
Although the bulletin says that the Public Health Department doesn't actually suspend HIPAA rules during emergencies, it does list some of the situations where disclosures are permissible, including when patients are in imminent danger or if relatives are involved in the treatment of a certain condition.
However, even in these cases, entities should be careful about exactly what they reveal.
"For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the 'minimum necessary' to accomplish the purpose," the bulletin reads. "Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose."
Since some have already linked improper use of electronic records to the Ebola outbreak, any medical practitioner trying to adhere to HIPAA law needs to understand the distinctions between different situations and have the necessary response ready for all scenarios.