Via HIPAA Blog, here are two resources related to the issue of how much PHI covered entities can disclose without patient consent in situations like ebola concerns.
The first is from HHS:
Does the HIPAA Privacy Rule permit covered entities to disclose protected health information, without individuals’ authorization, to public officials responding to a bioterrorism threat or other public health emergency?
Yes. The Rule recognizes that various agencies and public officials will need protected health information to deal effectively with a bioterrorism threat or emergency. To facilitate the communications that are essential to a quick and effective response to such events, the Privacy Rule permits covered entities to disclose needed information to public officials in a variety of ways.
Covered entities may disclose protected health information, without the individual’s authorization, to a public health authority acting as authorized by law in response to a bioterrorism threat or public health emergency (see 45 CFR 164.512(b)), public health activities). The Privacy Rule also permits a covered entity to disclose protected health information to public officials who are reasonably able to prevent or lessen a serious and imminent threat to public health or safety related to bioterrorism (see 45 CFR 164.512(j)), to avert a serious threat to health or safety). In addition, disclosure of protected health information, without the individual’s authorization, is permitted where the circumstances of the emergency implicates law enforcement activities (see 45 CFR 164.512(f)); national security and intelligence activities (see 45 CFR 164.512(k)(2)); or judicial and administrative proceedings (see 45 CFR 164.512(e)).
Note that the above does not necessarily mean that the covered entity can disclose the patient’s name to the media or public without the patient’s consent. But my understanding is that public officials can release such information as part of responding to a public health emergency, e.g., if they need to contact and isolate people who may have been in contact with infected patients. If I’m wrong on that, hopefully some lawyer will let me know.
The second resource, also from HHS, is a decision tool to help covered entities with emergency preparedness disclosures.
Update: Later in the day, I was asked who actually disclosed the first Texas patient’s name. Digging into it, I found that the patient was first identified/named by the Liberian government, and it was reported in the New York Times. In terms of the two Texas nurses later affected, their identities were revealed by their families. The hospital was not the source of their names.