The HIPAA Privacy Rule and Bioterrorism Planning, Prevention, and Response

Conclusion

Ensuring effective bioterrorism prevention, planning, and response is a national priority that requires the timely exchange of identifiable health information and adequate protections of individual privacy. In a bioterrorism event, government and health authorities will need to obtain and exchange protected health information to coordinate patient treatment, conduct investigations, and make key decisions to protect the public's health and safety. With inadequate privacy protections, members of the public may avoid participation in public health investigations or programs, cooperation with law enforcement and national security officials, and possibly even medical treatment if they fear the consequences of improper disclosures of highly personal health information. The HIPAA Privacy Rule reflects these interests by allowing many disclosures of identifiable health information without individual authorization to public health and other authorities during a bioterrorism scenario, while protecting the privacy interests of patients through requirements for covered entities and others performing covered functions.

Still, the flow of PHI to appropriate authorities may be hindered by misunderstandings of the Privacy Rule. Covered entities may question the disclosure of PHI to public health authorities for syndromic surveillance purposes or withhold information because of misinterpretation of the Rule's accounting requirement. In addition, the possible inclusion of nontraditional health-care providers as covered entities (by providing emergency health-care services during an attack) could stymie the provision of health-care and public health services. Finally, additional privacy safeguards may be needed to avoid de facto disclosures of individuals' disease or exposure status due to the conspicuous nature of isolation or quarantine in response to bioterrorism. The impact of the Privacy Rule on potential uses and disclosures of PHI in a bioterrorism scenario needs to be understood and agreed on by health-care providers, first responders, public health authorities, law enforcement officials, and national security officials. Advance understanding and planning will faciliate bioterrorism response efforts and deter information delays resulting from confusion and rigid interpretations of the HIPAA Privacy Rule.

Biosecur Bioterror. 2004;2(2) © 2004 Mary Ann Liebert, Inc.