How can we know very little about a patient being treated for Ebola at Emory University in Atlanta, while reporting the details of the patient who died from the disease in Dallas? According to Michelle De Moody, Deputy Director for Consumer Privacy at the Center for Democracy and Technology, covered entities can let individuals know if they have been exposed to the disease through contact or shared space with an infected person.
Public health and the needs of exposed persons to know of a potential threat, can trump patient privacy rights under HIPAA. As a covered entity, the Dallas hospital could inform people who were exposed to the Ebola patient. HIPAA laws only apply to covered entities and their business associates. In the case where a hospital is acting within its rights and responsibilities according to HIPAA, a person who is not a covered entity would be receive the protected health information (PHI) of a patient. There is also nothing preventing this person from speaking openly about the circumstances.
Journal of Medical Ethics Blog: Ebola in the US: Privacy, public interest and the ethics of media reporting. 3 Oct. 14.