Keep HIPAA practices in mind in face of Ebola

As the Ebola virus continues to make headlines in the U.S., hospitals must be prepared to protect potential patients' privacy, or face millions of dollars in fines as well as a government investigation, according to an article in MedCity News.

Hospitals must continue to observe federal and state privacy laws, regardless of whether or not their patient have Ebola, said authors Brad Rostolsky and Jennifer Pike. Health Insurance Portability and Accountability Act (HIPAA) laws mean employees, volunteers and trainees must remain silent about patients who may have Ebola, even in the face of media pressure.

Train your workforce to never share a patient's protected health information (PHI) unless permitted to do so, and never access that information unless it's required to treat the patient, according to the authors. If a violation does occur, hospitals must be prepared to discipline involved workers appropriately. For example, Nebraska Medical Center fired two employees in September after they inappropriately accessed the electronic medical records of a patient being treated for Ebola.

The only times it's acceptable to disclose a patient's PHI is for treatment or payment purposes, to a public health authority for purposes of controlling the disease, or to a person who may have been exposed to a communicable disease who is at risk of spreading it, according to the Department of Health and Human Services.

"Absent one of these circumstances, your hospital is generally prohibited from disclosing information about an Ebola patient unless the patient (or the patient's personal representative) has signed a valid HIPAA authorization allowing you to do so," Rostolsky and Pike write in the MedCity article.

To learn more:
- here's the article
- read the HHS guidelines