Partially due to legal confusion following the 2016 Orlando nightclub shooting, the Office for Civil Rights (OCR) has released an FAQ clarifying certain aspects of PHI disclosure policies with patients’ loved ones under the HIPAA Privacy Rule.
The FAQ is applicable in numerous situations, but OCR explained in an email that the incident in Orlando brought forth questions about “disclosures to loved ones regardless of whether they are recognized as relatives under applicable law.”
“The FAQ makes clear that the potential recipients of information under the relevant permissive disclosure provisions of 45 CFR 164.510(b) are not limited by the sex or gender identity of the person,” OCR explained.
Citing Supreme Court cases that ruled on same-sex marriages, OCR states in its FAQ that “the terms marriage, spouse, and family member include, respectively, all lawful marriages, lawfully married spouses, and both the lawful spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule.”
With PHI disclosure, covered entities are permitted to share an individual’s PHI with a family member under certain circumstances. Legally married spouses are considered family members, OCR said.
The circumstances where PHI can be disclosed are limited. The two examples of required disclosures are the following:
- To individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information.
- To HHS when it is undertaking a compliance investigation or review or enforcement action.
OCR explains on its website that an individual’s personal representative must be treated as the individual “with respect to uses and disclosures of the individual’s protected health information and for purposes of exercising the individual’s rights under the Privacy Rule.”
“In determining who is considered a personal representative, and thus able to act on behalf of an individual and exercise the individual’s rights under HIPAA, the Privacy Rule generally looks to state laws governing which persons have authority to act on behalf of an individual in making decisions related to health care,” OCR states.
The FAQ adds that HIPAA does permit covered entities to share information with an individual’s family member, other relative, close personal friend, or any other person identified by the individual. This is true if the data is “directly relevant to the involvement of that person in the patient’s care or payment for health care.”
Patient information can also be shared with a personal representative to notify or assist in notifying such a person of the patient’s location, general condition, or death.
“In either circumstance, the person can be a patient’s family member, relative, guardian, caregiver, friend, spouse, or partner,” the FAQ reads. “The Privacy Rule defers to a covered entity’s professional judgment in these cases and does not require the entity to verify that a person is a family member, friend, or otherwise involved in the patient’s care or payment for care.”
However, OCR notes that a covered entity should try to get verbal confirmation from a patient about PHI disclosure whenever possible. If a patient is incapacitated, then the provider should use its professional judgement and act in the patient’s best interest.
A personal representative’s sex or gender identity cannot be used as a reason for a covered entity to deny them rights under the HIPAA Privacy Rule, according to OCR.
“For example, if a state grants legally married spouses health care decision making authority for each other, such that legally married spouses are personal representatives under 45 CFR 164.502(g), the legally married spouse is the patient’s personal representative and a covered entity must provide the spouse access to the patient’s records,” the FAQ explains.