HIPAA Privacy Rule Updated to Clear Ambiguity

After calls from healthcare professionals to clear the ambiguity surrounding allowable disclosures of protected health information to spouses, relatives, and patients’ loved ones, the Department of Health and Human Services’ Office for Civil Rights has updated its HIPAA Privacy Rule guidance surrounding these issues.

Most healthcare professionals are aware that the HIPAA Privacy Rule permits them to share the protected health information of a patient with a relative or loved one. However, healthcare professionals are unsure about how the HIPAA Privacy Rule – 45 CFR 164.510(b) – applies to same-sex couples. This was highlighted in the aftermath of the 2016 Orlando nightclub shooting incident, during which there was much confusion surrounding the appropriate disclosure of PHI.

OCR has confirmed that the Privacy Rule permits a covered entity to “share [PHI] with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, the information directly relevant to the involvement of that person in the patient’s care or payment for health care.” OCR has also confirmed that covered entities can disclose relevant information “to notify, or assist in the notification of (including by helping to identify or locate), such a person of the patient’s location, general condition, or death.”

The recipient can be a “patient’s family member, relative, guardian, caregiver, friend, spouse, or partner,” but also any other individual who is a nominated personal representative of the patient. According to HIPAA’s Privacy Rule, a personal representative of a patient must be treated as the individual for purposes such as exercising the patient’s Privacy Rule rights, including providing access to their health information. There are limited exceptions, which are detailed in 45 CFR 164.502(g).

OCR has previously confirmed that covered entities are permitted to share a patient’s PHI with same-sex partners. It clarified that the list of potential recipients of PHI is in no way affected by an individual patient’s sex or gender identity, nor by the sex or gender of the potential recipient. OCR also sought to confirm who can be classed as a personal representative of the patient, saying “the Privacy Rule generally looks to state laws governing which persons have authority to act on behalf of an individual in making decisions related to health care.”

For example, if a state grants legally married individuals healthcare decision-making authority for each other, a covered entity would be in violation of the Privacy Rule if it did not grant access to the patient’s information when requested by a spouse, regardless of the sex of that individual.

Normally, the covered entity should seek permission from the patient concerned prior to sharing information. However, if the patient is incapacitated or not available, covered entities should use their professional judgement to determine whether sharing the information is in the patient’s best interest. Should a patient be deceased, information can be shared with a person who was involved in the patient’s care or who made payment for medical services prior to the patient’s death.