Ebola’s latest victim: privacy

If you value your medical privacy, try not to get Ebola.

Nina Pham, the nurse who contracted Ebola while caring for a Liberian man who died from the virus, was a willing participant yesterday when her doctor in Dallas showed up with a video camera.

News media has, basically, thrown the book out the window when it comes to extending privacy.

CNN, in its story “Who is Nina Pham,” for example, drove to the woman’s church to get the dirt on the nurse, learning that she’s very religious. Ah.

Meanwhile, Amber Joy Vinson, another nurse infected with the Ebola virus after caring for Duncan, released a statement Thursday through the Kent State University website.

“Our family has been overwhelmed with support and love for Amber and our extended family over the last 72 hours, and we thank you for those prayers and well wishes. Amber is stable, and we are continuing to work with her doctors as her treatment progresses.

Amber is a respected professional and has always had a strong passion for nursing. She followed all of the protocols necessary when treating a patient in Dallas, and right now, she’s trusting in her doctors and nurses as she is now the patient.

To that end, we ask that the media respect Amber’s privacy and that of our family during this overwhelming experience. The time will come down the road for more further public involvement, but for now, your continued love and prayers helps greatly.”

Does any of this violate HIPAA, the law that clamped the cone of silence on matters of health care and individuals? Probably not, MedPage Today says:

Michelle De Mooy, deputy director for consumer privacy at the Washington-based Center for Democracy and Technology, said that in the case of Ebola exposure, “only a covered entity (normally an employee is designated to do this) that is authorized to prevent or control the migration of the disease can let someone know if they have been exposed to the disease through contact or shared space with the infected person.”

So “when the hospital workers in Nebraska looked at the records of the doctor with Ebola, they still violated HIPAA, but when the ‘hospital’ officially announced the negative test results of a deputy sheriff in Dallas who was tested for Ebola, they did not,” she told MedPage Today in an email. “My guess is their explanation for publicly announcing this would be to keep the community from panicking.”

As for the unnamed patient at Emory, if he or she did not agree to any disclosure, “Emory is restricted to reporting the patient’s condition but nothing else,” as opposed to the Dallas hospital that was treating Duncan, who had been talking to the press voluntarily, De Mooy said.

She added, however, that “The public’s right to know in the context of public health does trump HIPAA, by design — the Privacy Rule allows authorities to warn anyone who might have come into contact with the patient — this is in the best interest of all parties.”

  • Dave

    To me that video has an undercurrent of propaganda. It shows most of the isolation room, plus another nurse. No close-ups of Nina. Kind of like: “Okay, look here everybody, we’re doing the right thing now, so get off our backs!”

    Also, I don’t really see how there is any violation of privacy here. HIPAA (which applies to providers) doesn’t prevent the news media from interviewing someone at a church. Emory is protecting the medical information of their patient; that’s all they can do.

    If I had a nickel for every perceived HIPAA violation . . .

    • Privacy and HIPAA are not synonyms.

      • Dave

        I know. I’m saying that I don’t think either one was violated.

        • I don’t know. I think if your religious leader is sharing private conversations, that comes pretty close to the line if not crosses the line of the right to be left alone, though I recognize the assertion of that right is debatable.

  • Ben

    I was thinking about this very question earlier today. A CNN article talked about the patients who have been treated in Atlanta and listed one unnamed patient admitted on Sept. 9. How come that person is unnamed and the others aren’t?

  • Matt

    Here’s DHS’s FAQ on HIPPA on the issue of whether a covered entity (i.e. a hospital) can share a patient’s protected medical information with law enforcement and other entities when faced with disease such as Ebola: http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_for_law_enforcement_purposes/397.html

    And here’s the actual text of the regulation to which the FAQ cites: http://www.ecfr.gov/cgi-bin/text-idx?SID=ba498ec4c4d9b88c6b02ba27a83e4aef&node=pt45.1.164&rgn=div5#se45.1.164_1512

    Opening statement of regulation cited above:

    45 C.F.R. §164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required.

    A covered entity may use or disclose protected health information without the written authorization of the individual, as described in §164.508, or the opportunity for the individual to agree or object as described in §164.510, in the situations covered by this section, subject to the applicable requirements of this section….

    45 C.F.R. 164.512(b)(1)(i)

    A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to:

    (i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;

    45 C.F.R. 164.512(j)(1)(i):

    Standard: Uses and disclosures to avert a serious threat to health or safety—(1) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure:

    (i)(A) Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and

    (B) Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat;

    Again, these regulations describe who can release the information to whom. Nothing in HIPPA permits the disclosure to the public. Now once the information is in the hands of law enforcement or a public health official, usually public records act laws take over, and even those generally prohibit releasing information about, or the identity of, a person’s medical information. Again, you’ll probably find a public health-type exception similar to the ones described above out of HIPPA.

    Of course the individual can consent to the release of their information. But they need not to.

    Here’s my takeaway: while a hospital can, and probably should, share such information with public health officials and other governmental authorities who need to know, i.e. law enforcement, persons doing decontamination and contact-checking work, that does not, and should not, permit the disclosure of the identity of that person, by anyone, including law enforcement or any other governmental entity, to the public.

    I understand the news value of identifying a person who has contracted Ebola. Outside of the public’s inherent interest in knowing, identifying the person and publishing photographs of that person could assist with contact checking and permit those who may have come into contact with her to get checked. Necessarily, this may be a much larger group of people than an infected patient could come up with herself.

    I’m also worried about the long-term effects of identifying either of the nurses: will they be employable, able to find housing if they can’t return to their current residence (or will their landlord even let them continue renting there or refuse to renew a lease). Will they be stigmatized?

    And Bob, thanks for putting this post up.

  • Robert Moffitt

    Privacy, patients and the press was something I dealt with on a daily basis when I worked at Regions Hospital. It’s complicated, but I always tried to communicate to people that they had the right not to speak to the media or have any personal information released. It was frustrating for both us and the news media sometimes, but we stuck to our guns. You know who most insisted on “the Cone of Silence” when one of their people was hospitalized? The news media. The same ones who pry and plead for info on others.

    • Matt

      Agreed, but they understand their right to silence. The general public does not. Same thing goes for persons approached by police officers. Absent a subpoena, you have no obligation to speak to law enforcement. Ask a criminal defense attorney about whether it is ever a good thing to speak to law enforcement (except perhaps when you’re the victim of a crime), and they’ll tell you not to do it. Same analogy applies with news media who become newsworthy and can legitimately shield information with generally applicable privacy laws.

    • I was just thinking about that the other day…. back in the ’70s, calling hospitals and getting patient updates and how much different it is today. I don’t think I’d even bother making the call now.

      • Kassie

        I’d also say, back in the ’70s, people spent a lot more time in hospitals. Women stayed on average 4 days in the hospital after a birth. Now it is down to 2. Most times I hear that people are out of the hospital before I ever heard they went in.

  • I think what’s interesting about the Pham case is that she made a plug for the quality of care she was getting at her hospital, which has been universally criticized. yes, she gave her permission for the video to be distributed, but I do wonder a bit what the unstated pressure is when a doctor comes in with a videocamera and you’re an employee of a hospital.

    • Dave

      Maybe they asked her first.

      • Right. That’s what I’m saying. The employer comes to you and says “we’d like to shoot a video with you talking about the great care you’re getting etc.” What else would someone say? I mean they COULD say, “no.” I’ve seen nonsense like that come back to bite people at performance review time.

        • Dave

          LOL. You’re trolling me, right?

          “Yes, Ms Pham, we know you survived Ebola, but…well, your performance wasn’t up to par this year. No raise.”

          • Well, that wasn’t really anything close to what I said. I question whether an Ebola patient who happens to be a nurse in a hospital, feels free to make a legitimate decision to protect her privacy when the doctor who’s treating her has the camera and perhaps does so at the behest of the hospital who employs her.

            The phrasing of the hospital was interesting. She gave permission to release the video. Didn’t say she requested the video be made, but gave permission that it be released.

        • Jack

          Totally agree with you Bob.

  • Gary F

    Still no one in the media is asking why this man is not our new Ebola “Czar” or even the permanent Surgeon General. I guess shaking up dirt on the nurse was more important, or getting takeout soup.

    I haven’t seen any of the major new sources interview this guy. Haven’t heard a peep out of this guy.

    Maybe he’s not qualified!