Search Our Website:

As compared to non-health care employers, health care providers face several unique considerations when developing and implementing policies and procedures to prepare for an infectious disease outbreak.1 For good reason, the current Ebola scare has thrust such unique considerations into the spotlight and forced providers to thoroughly review their preparedness to deal with a widespread infectious disease outbreak. For starters, health care providers, like a hospital for example, generally invite individuals who may be inflicted with an infectious disease, like Ebola, to visit their facilities to obtain treatment. In fact, federal laws like the Emergency Medical Treatment & Labor Act (EMTALA) require hospitals to examine patients who arrive at emergency rooms and, depending upon the results of such screening, also require such hospitals to provide stabilizing care. Health care providers also face oversight from various agencies including the Centers for Disease Control (CDC) that other employers don’t necessarily have to consider. Most recently, in guidance issued on October 20, 2014 the CDC emphasized that providers must review and, if necessary, revise and implement policies and procedures to protect employees working with patients potentially infected with Ebola.

Health care providers must also be mindful of the ongoing need to protect a patients’ confidentiality under the Health Insurance Portability and Accountability Act (HIPAA) and other similar federal and state privacy laws. Efforts to protect a patient’s confidential health information may become even more arduous in an environment of heightened media attention, if a state declares a public health emergency or mandates patient quarantine or isolation. Failure to proactively consider these laws, regulations and guidelines– each of which is discussed below– may expose providers to a litany of other unique licensing, credentialing, workers’ compensation or tort liability issues that non-health care related employers may not have to consider.

CDC’s Recent Guidance on Personal Protective Equipment for Health Care Workers

Earlier this week, the CDC issued comprehensive and detailed new guidance addressing personal protective equipment (PPE) standards and other key safe workplace practices to help protect health care providers working with patients potentially infected with Ebola.2 This new guidance, which should be immediately reviewed by providers and legal counsel, and as necessary, implemented by providers, stresses the importance of repeated training, policy review and implementation and close observation by management designated to oversee the implementation of the new CDC precautions. The CDC references three key principles as the backbone of its new guidance:

  • Prior to working with Ebola patients, all health care workers must receive repeated training and demonstrate competency in performing all Ebola-related infection control practices and procedures, specifically in donning/doffing proper PPE.
  • While working in PPE, health care workers caring for Ebola patients should have no skin exposed.
  • The overall safe care of Ebola patients in a facility must be overseen by an onsite manager at all times and each step of every PPE donning/doffing procedure must be supervised by a trained observer to ensure proper completion of established PPE protocols.

State and Local Guidance for Doctors’ Offices and Other Ambulatory Centers

The new CDC guidelines, which recommend use of impermeable suits, face masks and two pairs of gloves as the best protection against contracting the Ebola virus, are tailored for hospitals and other acute care providers. Because the vast majority of doctors’ offices and other ambulatory care providers likely do not stock these items, some state agencies, medical associations and other licensing agencies have issued their own guidelines aimed at protecting non-hospital setting providers. For example, the Texas Medical Association has issued recommendations for how doctors’ offices can protect patients and staff members if a patient presents with symptoms of Ebola.3 The CDC has recommended that ambulatory care providers turn to such industry specific guidance to protect their workers from contracting Ebola and has promised to continue to provide state agencies and health departments with guidance and recommendations.

Confidentiality and HIPAA

Health care providers may be faced with the difficult challenge of balancing a patient’s right to privacy against the need to disclose such patient’s protected health information (PHI) to protect public health through the control the spread of a highly-communicable disease, like Ebola. Generally speaking, HIPAA requires a patient’s authorization before a health care provider may disclose the patient’s PHI. However, HIPAA permits a health care provider to disclosure PHI without a patient’s authorization in a number of specific situations or for specified purposes. For example, one health care provider may disclose PHI to another health care provider to aid a patient’s treatment. Similarly, health care providers may disclose a patient’s PHI without the patient’s consent for the purpose of obtaining payment related to the care that is the subject of the PHI. HIPAA also expressly permits health care providers to disclose PHI without authorization to a public health authority that is “authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death and the conduct of public health surveillance, public health investigations and public health interventions.”4 Certain state laws may also require health care providers to report certain communicable diseases to the applicable state agency. For example, Pennsylvania requires health care providers to report certain specified illnesses to the Pennsylvania Department of Health. While Pennsylvania does not include Ebola in its list of specific disease to be reported, it nevertheless also requires that any unusual outbreak or disease occurrence be reported.

What is less clear under HIPAA is whether the provider may disclose PHI directly to the public or the media in connection with an infectious disease outbreak such as Ebola. PHI may also be disclosed to a person who may have been exposed to or be at risk of contracting a communicable disease when authorized by law to notify the person as necessary to conduct a public health investigation or intervention. Such exceptions, however, would generally not permit the provider to disclose PHI to the media, absent a patient authorization. Moreover, any disclosures should generally be limited to that which is the minimum necessary to achieve the purpose, although the provider may rely upon a representation from a public health authority that the information being requested is the minimum necessary.5 Providers should have in place policies and procedures that must be followed prior to disclosing any PHI to a public health authority based on the “public health purposes” exception under HIPAA.

EMTALA, State Licensing and Ethical Issues

Health care providers by their nature have a heightened duty to provide care in certain health care settings under specific circumstances. This generally accepted duty– which our health care workers courageously accept as part of the job– has through the years been strengthened and confirmed by federal and state laws and court decisions. For example, EMTALA requires health care providers to provide screening services to patients who arrive at the emergency department. If such an examination reveals an emergency condition, then the emergency department is also required to provide stabilizing care. Moreover, once treatment is initiated (whether as a result of EMTALA or otherwise), state licensing laws and/or ethical guidelines often make it difficult to withdraw care. It is important that providers adopt and implement appropriate precautions, including those recently issued by the CDC, in order to protect their employees who provide care and also avoid liability that may result from negligently placing staff in harm’s way.


The CDC has made it clear that it expects providers to review, modify, implement and provide ongoing training on policies and procedures to ensure health care workers are prepared to treat patients potentially infected with Ebola. Based on this recent guidance– and considering providers’ obligation to treat patients infected with Ebola and other infectious diseases– health care facilities and legal counsel should take time to review federal and state laws, regulations and other guidelines that affect their ability to prepare for and respond to an Ebola or other similar infectious disease outbreak. This is especially true for acute and ambulatory care providers in the seven states (Pa., N.Y., Md., Va., N.J. & Ga.) that the CDC says serve as the final destination for 70% of people who arrive in the United States from nations affected by Ebola. By failing to proactively embrace and implement the CDC’s guidance and provide training on other rules and regulations that effect how health care is delivered to patients potentially infected with Ebola, providers risk significant liability that may result if an employee is exposed to Ebola.

1In an article published last week, we addressed generally what employers can or should do as the Ebola threat grows. Specifically, we suggested where employers can turn for guidance and news related to the Ebola threat and addressed the federal and state laws, regulations and agencies to be considered when developing policies to protect employees from coming into contact with the virus and managing employees who employers reasonably believe may have been exposed to Ebola. This article builds on our prior article and addresses legal issues unique to healthcare providers that may be presented by the threat of an Ebola outbreak.

2The October 20, 2014 CDC guidance on PPE standards for healthcare providers may be viewed here.

3The Texas Medical Association’s guidelines may be viewed here.

4See 45 CFR 164.512 (b).

5See 45 CFR 164.514(d)(3)(iii)(A).