Share this article on:
The Department of Health and Human Services’ Office for Civil Rights has updated its HIPAA Privacy Rule guidance for healthcare professionals to help clear up confusion about allowable disclosures of protected health information to spouses, relatives, and patients’ loved ones.
The majority of healthcare professionals are aware that the HIPAA Privacy Rule permits them to share the protected health information of a patient with a relative or loved one. However, the 2016 Orlando nightclub shooting incident revealed that many healthcare professionals are unsure about how the HIPAA Privacy Rule – 45 CFR 164.510(b) – applies to same sex couples.
OCR has confirmed that the Privacy Rule permits a covered entity to “share [PHI] with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, the information directly relevant to the involvement of that person in the patient’s care or payment for health care.” OCR has also confirmed that covered entities are allowed to disclose relevant information “to notify, or assist in the notification of (including by helping to identify or locate), such a person of the patient’s location, general condition, or death.”
The recipient can be a “patient’s family member, relative, guardian, caregiver, friend, spouse, or partner,” but also any other individual that is a nominated personal representative of the patient. A personal representative of a patient must, as far as the Privacy Rule is concerned, be treated as the individual for purposes such as exercising the patient’s Privacy Rule rights, including providing access to their health information. There are limited exceptions, which are detailed in 45 CFR 164.502(g).
OCR has confirmed that covered entities are permitted to share a patient’s PHI with same-sex partners, and explains that the list of potential recipients of PHI is in no way affected by an individual patient’s sex or gender identity, and neither by the sex or gender of the potential recipient.
OCR also sought to confirm who can be classed as a personal representative of the patient, saying “the Privacy Rule generally looks to state laws governing which persons have authority to act on behalf of an individual in making decisions related to health care.”
For example, if a state grants legally married spouses health care decision making authority for each other, a covered entity would be in violation of the Privacy Rule if access to the patient’s information was not granted if requested by a spouse, regardless of the sex of that individual.
While the covered entity should seek permission from the patient concerned prior to sharing information, in cases when the patient is incapacitated or not available, covered entities should use their professional judgement if the sharing of information is in the patient’s best interest. Should a patient be deceased, information can be shared with a person who has been involved in the patient’s care or who has made payment for medical services prior to the patient’s death.
OCR’s Privacy Rule clarification can be found – and downloaded – from the HHS on this link.