HIPAA applies to spouses only when a spouse is acting in a role that makes them part of a HIPAA Covered Entity’s or Business Associate’s workforce or operations, while a spouse who is a private individual is not regulated by HIPAA but may receive or be denied access to a partner’s protected health information based on the HIPAA Privacy Rule and applicable state law.
HIPAA regulates HIPAA Covered Entities and Business Associates, including their workforce members, contractors, and agents when they perform functions involving protected health information. A spouse is not covered by HIPAA solely because of the marital relationship. If a spouse works for a provider, health plan, healthcare clearinghouse, or a business associate and has access to protected health information through that role, the spouse is subject to the same policies, access controls, and sanction standards as any other workforce member.
A covered entity may share a patient’s protected health information with a spouse in limited circumstances permitted by the HIPAA Privacy Rule. For disclosures related to the patient’s care, a provider may share relevant information with a spouse who is involved in the patient’s care or payment for care if the patient agrees, has the opportunity to object and does not object, or if the provider reasonably infers agreement from the circumstances. When the patient is present and has capacity, the provider is expected to obtain the patient’s agreement or provide an opportunity to object before sharing information that goes beyond what is relevant for involvement in care.
When the patient is not present or is incapacitated, a provider may disclose relevant information to a spouse if the provider determines, using professional judgment, that the disclosure is in the patient’s best interests and is limited to information directly related to the spouse’s involvement in care or payment. This permission does not extend to broad access to the full medical record. The HIPAA Minimum Necessary Rule can apply to disclosures made for purposes other than treatment and supports limiting information to what is needed for the stated purpose.
A spouse can receive protected health information through written authorization signed by the patient. A valid authorization permits disclosure to the spouse as identified in the authorization and for the purposes described. A spouse can also act as a personal representative for the patient in specific situations. When a spouse has legal authority to make healthcare decisions for the patient under applicable law, the covered entity generally treats the spouse as the patient for access and disclosure purposes, subject to limited exceptions such as concerns about abuse, neglect, or endangerment.
HIPAA does not prevent a spouse from sharing information they learn about a partner outside a regulated role, but other legal and employment consequences may apply. HIPAA also does not create a right for a spouse to access a partner’s protected health information. Access decisions depend on the patient’s direction, the spouse’s legal authority as a personal representative when applicable, the provider’s professional judgment in limited care-related contexts, and any more protective state law requirements.