Personal Health Information & Ebola
Recently, Fox Rothschild LLP
published a blog
questioning the continuous stream of information shared about Ebola patients Thomas Eric Duncan and his former nurse Nina Pham. The blog author brings up a great point: amid all of the Ebola chatter, has anyone stopped to think, "How are we getting all of this personal health information?"
It sounds like most of the information on Duncan has been shared by his family members, a nephew and his mother, according to the blog. While his family isn't restricted by HIPAA as covered entities and business associates are, the vast amount of detailed medical care, "hundreds of pages of medical records," shared in an Associated Press article has some questioning whether or not the family should even have access to all of this information. Citing HIPAA Regulation section 164.502(g)(4), the blog explains that Duncan's family should only have access to his medical records if an "executor, administrator, or other person has authority to act on behalf of a deceased individual." Perhaps the executer obtained the reams of medical records legally and shared it with other members of the family, but it does lead healthcare providers to wonder.
Pham's eventual discovery is a bit more suspect, according to the blog, as media reporters and researchers deduced her identity after cross-referencing her known address with public records and nursing databases. The blog goes on to postulate: "if the sources were hospital personnel who revealed sufficient information about these patients to allow their identification when cross-referenced with public sources, they likely crossed the line even if they did not reveal patient names, particularly if the leakers had knowledge that the information could be combined with other information to identify the individual."
Of course, the CDC's and other covered entities' need to disclose PHI in order to notify those at risk of contracting or spreading Ebola might account for the continued spread of information via family and friends. But that PHI continues to find its way into media reports, which should be raising some eyebrows.
Identifying and treating patients with communicable diseases is no doubt an extremely difficult task ... but as the blog concludes, "the rules don't change because of controversial, highly dangerous diseases." Some of this PHI may have been shared without any HIPAA violation; yet some of it might have.
While your facility prepares for Ebola with safety and protocol training, are you thinking about PHI too?