
Clarifying HIPAA & Disclosure of Disease Information

Case 1: It’s 3 a.m. on a Saturday night and you’re en route with a patient in the back of the ambulance. When the patient becomes combative, you’re not able to trigger the safety device and are stuck with a contaminated needle. Your designated officer for infection control reports the exposure to the medical facility and requests source patient testing. The designated officer is told the results can’t be released because of HIPAA.

Case 2: Your crew is instructed to transport a patient from the prison infirmary to the local hospital. You note that the infirmary staff is wearing masks, but nothing is said to your crew. When you ask about the patient’s diagnosis, you’re told that the information can’t be revealed due to HIPAA.

The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, directed the U.S. Department of Health and Human Services (HHS) to issue privacy regulations that set standards to govern individually identifiable health information. The Privacy Rule developed by HHS went into effect for most entities subject to the law (i.e., “covered entities”) on April 14, 2003. Following implementation of the Privacy Rule, a great deal of confusion has persisted within medical facilities regarding the sharing of source patient test results following an exposure event. Some medical facilities have refused to provide the test results of source patients involved in exposures because they believe such disclosure would violate HIPAA. Such refusals on the part of medical facilities are inappropriate and represent a misinterpretation of the Privacy Rule.

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity. This information is referred to as “protected health information” (PHI). It includes information regarding the individual’s health condition, the provision of health care to the individual, or payment for the provision of health care to the individual if the information identifies the individual or there’s a reasonable basis to believe it can be used to identify the individual. The individual’s written authorization is required for any use or disclosure of PHI that is not for treatment, payment, or healthcare operations or otherwise permitted or required by the Privacy Rule.

However, the Privacy Rule does not prohibit disclosure of PHI in all circumstances. Recognized exceptions include the issue of a medical facility disclosing source patient testing. A covered entity (e.g., a medical facility) is permitted to disclose PHI without an individual’s authorization to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law [45 CFR Section 164.512 (a)]. One of the “required by law” categories in the Privacy Rule is “Uses and Disclosures for Public Health Activities.” The following use and disclosure is specifically authorized:

“A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.” [45 CFR 164.512 (b)(1)(iv).]

Medical facilities clearly are required by law to provide source patient test results in exposure incidents. The Ryan White Law, a federal law (PL 101-381), mandates that source patient test results be provided to the designated infection control officer (DICO) of the emergency response employee involved in an exposure incident. The medical facility to which the source patient involved in the exposure was transported has the legal obligation under this law to provide source patient test results following notification of the exposure by the DICO. The DICO then has the obligation to inform the exposed employee of the source patient test results.

In addition, the OSHA Bloodborne Pathogens Standard (29 CFR 1910.1030), also a federal law, provides that the employer of an employee involved in an exposure incident must obtain the results of the source individual’s testing and make this information available to the exposed employee.

It’s clear, therefore, that in the event of a bona fide exposure, medical facilities are authorized under HIPAA to disclose source patient test results pursuant to the Ryan White Law and the OSHA Bloodborne Pathogens Standard. Such disclosures are no different than disclosures made to state public health officials pursuant to state notifiable disease laws. In the opening scenario, the DICO should give a copy of this information to the emergency department staff. It’s clear that source patient test results are to be released to the DICO.

Confusion has also persisted regarding the role of medical facilities in the sharing of tuberculosis diagnosis information. This issue is important to clarify because the practice of standard precautions does not include the routine procedure of masking the patient for transport with a surgical mask. The rules for bloodborne disease and airborne disease are very different. In November 2005, the Centers for Disease Control and Prevention (CDC) published a document entitled “Controlling Tuberculosis in the United States” that included the following statement:

“HIPAA also recognizes the legitimate need for public health authorities and others responsible for ensuring the public’s health and safety to have access to personal health information to conduct their missions and the importance of public health disease reporting by health-care providers. HIPAA permits disclosure of personal health information to public health authorities legally authorized to collect and receive the information for specified public health purposes. Such information may be disclosed without written authorization from the patient. Disclosures required by state and local public health or other laws are also permitted. Thus, HIPAA should not be a barrier to the reporting of suspected and verified TB cases by healthcare providers, including health-care institutions.”

In addition, the CDC published updated TB guidelines in December 2005, which OSHA is enforcing. In the guidelines, medical facilities are reminded that “EMS personnel should be included in the follow up contact investigations of patients with infectious TB disease. The Ryan White Comprehensive AIDS Resources Emergency Act of 1990 (Public Law 101-381) mandates notification of EMS personnel after they have been exposed to a patient with suspected or confirmed infectious TB disease.” Here, it’s clear that it’s the responsibility of the medical facility to notify the DICO directly if there has been an exposure.

Medical facilities refusing to provide this information may not be aware of the Ryan White Law and the exception contained in the HIPAA law that permits this information to be provided. The DICO and a member of administration from your department should schedule a meeting with the medical facility’s risk manager, head of the emergency department and the infection control practitioner to review this issue. Minutes of the meeting should be taken to document the discussion and the agreed-to results. If non-compliance continues or agreement is not reached, the violation may be reported to OSHA and, for exposures involving emergency responders, to Dr. Gomma, who is in charge of the administrative aspects of the Ryan White Law. Dr. Gomma can be reached at 513/841-4337.

Katherine West, BSN, MEd, CIC, is an infection control consultant with Infection Control/Emerging Concepts Inc. Contact West at [email protected].

James R. Cross, JD, is an attorney who covers regulatory and legislative issues for Control/Emerging Concepts Inc.


  1. Centers for Disease Control and Prevention: “The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.” April 2, 2001.
  2. IV. Final Regulatory Impact Analysis, 5 U.S.C. 804(2) - Public Law 104-21.
  3. Occupational Safety and Health Administration: “CPL 2-2.69, Compliance Directive, Occupational Exposure to Bloodborne Pathogens.” November 27, 2001.
  4. Centers for Disease Control and Prevention, Department of Health and Human Services: “Ryan White Comprehensive AIDS Resources Emergency Act; Emergency Response Employees; Notice.” Federal Register. March 21, 1994.
  5. Centers for Disease Control and Prevention: “Controlling tuberculosis in the United States.” MMWR. 54(RR12):1-81, 2005.
  6. Centers for Disease Control and Prevention: “Guidelines for preventing the transmission of Mycobacterium tuberculosis in health-care settings, 2005.” MMWR. 54(RR17):1-141, 2005.