OCR Clarifies HIPAA Rules on Disclosures to Family, Friends and Other Individuals

The recent attack in Las Vegas has prompted the Department of Health and Human Services’ Office for Civil Rights to clarify HIPAA Rules on disclosures to family, friends and other individuals.

Following Hurricane Irma and Hurricane Maria, OCR issued a partial waiver of certain provisions of the HIPAA Privacy Rule in the disaster areas of both hurricanes. OCR sometimes, but not always, issues such a waiver after a natural disaster when a public health emergency has been declared.

However, OCR did not issue a HIPAA Privacy Rule waiver after the attack in Las Vegas, and neither was a waiver issued following the Orlando nightclub shootings in 2016. OCR does not usually issue waivers of HIPAA Rules following shootings and other man-made disasters. Healthcare organizations involved in the treatment of victims of the Las Vegas shootings were required to continue to follow the provisions of the HIPAA Privacy Rule.

In its reminder about HIPAA Rules on disclosures to family, friends and other individuals, OCR explained that the HIPAA Privacy Rule allows healthcare organizations to disclose PHI to family, friends, and other individuals who have been identified by a patient as being involved in his or her care. PHI may also be shared to help identify or locate individuals involved in a patient’s care, or to notify them of the patient’s location, health status, or death.

In an emergency situation, covered entities should try to obtain verbal permission from the patient to share information, although when this is not possible, such as when a patient is incapacitated, it is down to the professional judgement of the covered entity to determine whether sharing information is in the patient’s best interest.

In the case of natural disasters, PHI may need to be shared with disaster relief organizations to assist with disaster relief efforts. While permission should be obtained, it is not necessary if obtaining permission would interfere with the organization’s ability to respond to an emergency situation.

The HIPAA Privacy Rule permits covered entities to inform the media about a specific patient’s general health condition (critical, stable, deceased, or treated and released) if a request is made about a patient who is mentioned by name, provided the patient has not previously objected to the sharing of such information. If the patient has objected, the patient’s request should be honored.

Other information, such as test results, details of an illness, or other health information, must generally only be shared if permission has first been obtained from the patient in writing.

Whenever PHI is shared, the minimum necessary standard applies and any PHI shared must be limited to the minimum necessary information to achieve the purpose for which the information is shared.

The provisions of the HIPAA Privacy Rule are detailed in: 45 CFR 164.510(b) – Disclosures to family, friends, and other individuals involved in a patient’s care; 45 CFR 164.510(a) – Disclosures to the media and individuals not involved in a patient’s care; 45 CFR 164.508 – HIPAA authorizations; 45 CFR §§ 164.502(b) and 164.514(d) – The minimum necessary standard.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.