OCR guidance addresses patient privacy during emergencies

New guidance from the Office of Civil Rights (OCR) reminds covered entities and their business associates that HIPAA privacy protections are not suspended during an emergency.

With the Ebola outbreak top of mind for many aid workers, OCR wrote that this group can release public health information without a patient's authorization as required to treat a patient "or to treat a different patient," including for the coordination of care among providers.

"The HIPAA Privacy Rule protects the privacy of patients' health information [protected health information (PHI)], but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation's public health and for other critical purposes," according to the guidance.

Information may be released to public health authorities, to foreign government agencies working with that public health authority or to people at risk of contracting or spreading a disease, OCR says. The guidance also approves of the release of PHI to relatives and friends when trying to locate and notify family members of a patient's condition or death and when doing so would lessen a serious or imminent threat.

For most cases, however, the information disclosed must be limited to the "minimum necessary to accomplish the purpose," according to the guidance. That doesn't apply to disclosures related to treatment, however.

As for responding to the media about a named individual, organizations can only say whether that person is being treated at their facility and give the patient's condition. Any comments about specific tests or treatments are prohibited without the patient's written consent, according to the guidance.

Read the guidance.