Healthcare Information Security

HIPAA and Compliance News

How HIPAA Information Sharing Regulations Impact the Opioid Crisis

OCR reminded organizations that HIPAA regulations allow for information sharing, which could have a large impact on the current opioid crisis.

hipaa information sharing guidance released by ocr

Source: Thinkstock

By Elizabeth Snell

- With the opioid crisis recently declared a nationwide public health emergency, OCR issued guidance on how HIPAA regulations allow providers to participate in information sharing in an effort to improve patient care.

There are often misunderstandings and misinterpretations of patient data protection laws, which can create obstacles to the care and treatment process, OCR explained.

“We know that support from family members and friends is key to helping people struggling with opioid addiction, but their loved ones can’t help if they aren’t informed of the problem,” OCR Director Roger Severino said in a statement.  “Our clarifying guidance will give medical professionals increased confidence in their ability to cooperate with friends and family members to help save lives.”

OCR stated that healthcare providers are able to share a patient’s health information with that individual’s family members under certain circumstances, and may not always need the patient’s permission to do so.

“Sharing health information with family and close friends who are involved in care of the patient if the provider determines that doing so is in the best interests of an incapacitated or unconscious patient and the information shared is directly related to the family or friend’s involvement in the patient’s health care or payment of care,” the guidance reads.

READ MORE: Benefits, Challenges of Secure Healthcare Data Sharing

In the case of a potential opioid overdose, OCR explained that this may mean a provider could use her professional judgement to determine it is necessary to share information on the overdose and related medical information with the individual’s parents. However, the provider could not share unrelated overdose medical information without permission from the patient.

“Informing persons in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety,” OCR maintained. “For example, a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends, or caregivers of the opioid abuse after determining, based on the facts and circumstances, that the patient poses a serious and imminent threat to his or her health through continued opioid abuse upon discharge.”

HIPAA rules also place certain limitations on sharing health information with family members, friends, and others without the patient’s agreement, the guidance pointed out. When a patient is capable of making decisions, a healthcare provider must give that patient the opportunity to object or agree to health information being shared with that patient’s family, friends, or others involved with patient care.  

A patient’s ability to make decisions could also change during treatment, OCR acknowledged.

“Decision-making incapacity may be temporary and situational, and does not have to rise to the level where another decision maker has been or will be appointed by law,” OCR said. “If a patient regains the capacity to make health care decisions, the provider must offer the patient the opportunity to agree or object before any additional sharing of health information.”

READ MORE: How HIPAA Regulations Apply to Key Patient Data Access Situations

For example, perhaps a patient arrives in an emergency room and is unconscious from a drug overdose. Nurses and doctors may decide whether information sharing is necessary, how much, and what type of health information can be shared with the patient’s family or close friends.

However, once the patient regains consciousness, she may object to future information sharing. In that case, HIPAA rules still permit the provider to “share information to prevent or lessen a serious and imminent threat to health or safety.”

HIPAA regulations also account for state law with regard to personal representatives, which may differ slightly from federal law.

“Personal representatives are persons who have health care decision making authority for the patient under state law,” OCR said. “This authority may be established through the parental relationship between the parent or guardian of an un-emancipated minor, or through a written directive, health care power of attorney, appointment of a guardian, a determination of incompetency, or other recognition consistent with state laws to act on behalf of the individual in making health care related decisions.”

Ensuring patient data privacy while still providing quality care – especially with regard to opioid usage – has quickly become a top healthcare issue.

READ MORE: Ensuring Security, Access to Protected Health Information (PHI)

The US Senate passed Jessie’s Law (S. 581) in August 2017, which aimed to establish guidelines for when healthcare providers should prominently display a patient’s history of opioid use on his or her medical record. However, patient privacy was also a key aspect of the legislation.

The bill is named after Jessica Grubb, who was a recovering opioid addict and had surgery in 2016. Grubb and her parents reportedly told doctors she should not be given opioids unless under strict supervision. The discharging doctor though allegedly did not receive that information and prescribed Grubb oxycodone on her hospital discharge.

Bill sponsor, West Virginia Senator Joe Manchin, said that the law would help physicians be “better prepared to deal with the medical records of recovering addicts.” 


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...