Header graphic for print
HealtHITech Law HIPAA, HITECH and Beyond

OCR Guidance Clarifies Disclosures to Patient Spouses, Relatives, Friends

Posted in Permitted Disclosures, Personal Representative

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently provided guidance for healthcare professionals concerning disclosures of protected health information (PHI) under the HIPAA Privacy Rule (the Privacy Rule) to patient spouses, relatives, and friends.

Under the Privacy Rule, a covered entity may “share [PHI] with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, [which is] directly relevant to the involvement of that person in the patient’s care or payment for health care.” 45 C.F.R. § 164.510(b). OCR reported that it had recently became aware that many healthcare professionals were unsure how this provision applied to same-sex couples. In its guidance, OCR clarified that the list of potential recipients of PHI under 45 C.F.R. §164.510(b) is in no way impacted by the sex or gender-identity of either the patient or the potential recipient. Furthermore, clarified that when making disclosures under this exception, a covered entity should obtain verbal permission from the patient when possible, or otherwise be able to reasonably determine that the patient does not object, prior to disclosing the patient’s PHI. If the patient is incapacitated or otherwise unavailable, the covered entity may share the patient’s PHI when the covered entity believes that doing so would be in the patient’s best interest.

In addition, OCR clarified the circumstances in which a covered entity must disclose PHI to someone involved in a patient’s care. In some cases, a spouse, partner, or other person involved in a patient’s care is considered the patient’s personal representative and as a result, would have the authority to exercise the patient’s rights on the patient’s behalf, such as the right to access medical and other health records as provided under the Privacy Rule. A covered entity must treat all personal representatives as the individual for purposes of the Privacy Rule. Therefore, a covered entity cannot deny a personal representative the rights afforded to personal representatives under the Privacy Rule for any reason, including because of their sex or gender identity.  According to an OCR FAQ,

[I]f a state grants legally married spouses health care decision-making authority for each other, such that legally married spouses are personal representatives under the HIPAA Privacy Rule, the legally married spouse is the patient’s personal representative and a covered entity must provide the spouse access to the patient’s records.

More information from OCR on HIPAA and marital status can be found here. General guidance about when HIPAA permits disclosures to family members, friends, and others involved in a patient’s care or payment for care can be found here.

If you have any questions regarding these or any other HIPAA issues, please contact your Vorys health care attorney.