Daniel Solove writes:
One of the things that struck me about the Ebola cases at Dallas Presbyterian Hospital was that all of the Ebola victims were named almost immediately. How could this happen? In all the swirling news coverage, I was struck by the fact that few were asking the question: Why were all of these individuals identified? Under HIPAA, state law, and medical ethical rules, healthcare providers owe a duty of confidentiality to patients, especially people infected by Ebola, where they can be subject to intense media scrutiny and their families can also be put under the hot glare of the spotlight.
Apparently, the Liberian government outed Thomas Duncan as the initial Ebola patient at the hospital. But it remains unclear who disclosed the identities of the two nurses who contracted Ebola while treating Duncan.
Read more on LinkedIn. As always, Dan provides a thoughtful analysis of important questions.
From the bit of digging I had done into the question as to who identified the two nurses, it appeared that some of it was investigative work by media that was confirmed by family members in one of the cases. If you know/see an apartment building being searched, it’s probably not too difficult a task to match the names of residents against the names of the employees who treated Duncan, and his family had given reporters his medical records.
Assuming, for now, that the hospital did not identify any of the employee-patients, there are still questions as to how much information they can disclose under HIPAA, unless the patients agree to the disclosure.
But how much of HIPAA restrictions fall by the wayside once public health officials are notified and make their own determination of need to know/need to disclose?
I think the public believes that it has a right to know and need to know because ebola can be life-threatening. By keeping the public informed, public health officials and the hospital(s) involved may prevent public panic. But what if the patients die and the hospital hasn’t kept the public apprised? Will there be greater panic?
This is a tough one. What if a patient is so ill that they cannot provide investigators with a recounting of where they’ve been and whom they’ve had contact with? Would that justify public health authorities posting a picture of the person and saying, “If you’ve been in contact with this person, please call us?” I don’t think so, but I can see where others might come to a different conclusion.