The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) recently published "Guidance on HIPAA, Same-sex Marriage, and Sharing Information with Patients' Loved Ones." The new FAQ OCR issued was developed in large part to address confusion following the 2016 Orlando nightclub shooting about whether and when hospitals may share protected health information with patients' loved ones.
According to the FAQ, the HIPAA Privacy Rule permits covered entities to share with an individual's family member, other relative, close personal friend, or any other person identified by the individual, the information directly relevant to the involvement of that person in the patient's care or payment for health care. In addition, HIPAA allows a covered entity to disclose information about a patient as necessary to notify, or assist in the notification of (including by helping to identify or locate), such a person of the patient's location, general condition, or death. In either circumstance, the person can be a patient's family member, relative, guardian, caregiver, friend, spouse, or partner. The Privacy Rule defers to a covered entity's professional judgment in these cases and does not require the entity to verify that a person is a family member, friend, or otherwise involved in the patient's care or payment for care (see at 45 CFR 164.510(b)).
Further, a covered entity is permitted to share PHI with anyone from the list of potential recipients. This list is in no way limited or impacted by the sex or gender identity of either the patient or the potential recipient. OCR did still emphasize that, when possible, you should get verbal permission from the patient or be able to reasonably make a determination that the patient does not object to the disclosure (see 45 CFR 164.510(b)).
Finally, OCR makes it clear that a covered entity may not deny a personal representative the rights afforded to them for any reason, including their sex or gender identity (see 45 CFR 164.502(g)).
If you have any questions about permitted uses and disclosures under the HIPAA Privacy Rule please do not hesitate to contact us: [email protected] or 855-427-0427.