The Privacy Rule, in 45 CFR § 164.510(b), permits covered entities to disclose protected health information (“PHI”) to family members and even close personal friends who are involved in the patient’s/client’s care unless another federal or state law affording more privacy protection would not permit it or would add more protections, such as a signed consent.
The U.S. Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) recently updated its guidance in this area to clear up confusion about allowable disclosures of PHI to spouses, relatives, and patients’ loved ones, particularly with regard to same-sex couples. The 2016 Orlando nightclub shooting incident demonstrated that covered entities were confused as to how this ground for disclosure applied to same-sex couples.
OCR guidance is that the Privacy Rule permits a covered entity to “share [PHI] with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, the information directly relevant to the involvement of that person in the patient’s care or payment for health care.” Further, covered entities are allowed to disclose relevant information “to notify, or assist in the notification of (including by helping to identify or locate), such a person of the patient’s location, general condition, or death.”
The recipient can be a “patient’s family member, relative, guardian, caregiver, friend, spouse, or partner,” or any other individual who is a nominated personal representative of the patient. The covered entity must treat a personal representative of a patient as the patient for such purposes as exercising the patient’s Privacy Rule rights, including providing access to their health information. The limited exceptions to this rule are detailed in 45 CFR § 164.502(g).
In this new guidance, OCR confirmed that covered entities are permitted to share a patient’s PHI with same-sex partners, noting that the list of potential recipients of PHI is in no way affected by an individual patient’s sex or gender identity or by the sex or gender of the potential recipient.
OCR also elaborated on who can be classified as a personal representative of the patient, saying, “the Privacy Rule generally looks to state laws governing which persons have authority to act on behalf of an individual in making decisions related to health care.”
Thus, if a state grants to legally married spouses health care decision-making authority for each other, a covered entity would violate the Privacy Rule if it did not grant access to the patient’s information if requested by a spouse, regardless of the sex of that individual.
Although getting patient consent is always wise, in cases when the patient is incapacitated or not available, covered entities should use professional judgment as to whether the sharing of information is in the patient’s best interest. In the case of a deceased patient, information can be shared with a person who had been involved in the patient’s care or who had made payment for medical services prior to the patient’s death.