The HIPAA privacy rule and bioterrorism planning, prevention, and response

Abstract

Effective bioterrorism planning, prevention, and response require information sharing between various entities, ranging from public health authorities and health-care workers to national security and law enforcement officials. While the source of much information exchanged may be nonidentifiable, many entities legitimately need access to personally identifiable health information (or "protected health information" [PHI]) in planning for and responding to a bioterrorism event. The HIPAA Privacy Rule allows for essential exchanges of health data during a public health emergency while protecting against unnecessary disclosures of PHI. In the event of a bioterrorist attack, the Privacy Rule allows covered entities to disclose PHI without individual authorization in the following instances: (1) for treatment by health-care providers, (2) to avert a serious threat to health or safety, (3) to public health authorities for public health purposes, (4) to protect national security, (5) to law enforcement under certain conditions, and (6) for judicial or administrative proceedings. Despite these favorable disclosure provisions, some privacy challenges remain. The flow of PHI may be slowed by misunderstandings of the Privacy Rule's accounting requirement. In addition, in a bioterrorism scenario, nontraditional entities may find themselves acting as health-care providers, triggering Privacy Rule provisions. Finally, the potential for de facto disclosures of individuals' disease or exposure status increases where conspicuous treatment methods, isolation, or quarantine are implemented without additional measures to protect privacy. Understanding the Privacy Rule's impact on bioterrorism planning and response ensures that various entities can conduct their activities with needed information while still protecting individual privacy.