Update on Allowable HIPAA Disclosure

A HIPAA guidance release in January notes that providers can share information with the loved ones of patients even if they are not seen as relatives under current laws. An accompanying FAQ elaborated on the update stating that it is generally permissible to allow disclosures to a loved one not married to the patient or other recognized relatives. In these cases, the same circumstances and conditions apply if the individual was a spouse.

Family Members Defined

Family members are defined as the patient's lawful spouse and dependents from all lawful marriages under HIPAA. Protected Health Information (PHI) can be shared by covered entities (CE) with family members under certain situations. A personal representative of the individual must be treated as the individual (patient) regarding PHI except for some limited circumstances. Covered entities can share patient information with the partner of the patient, guardian, caregiver or even a close personal friend. However, the CE should secure verbal permission if possible. The information shared needs to be relevant to that individual's participation in patient care or healthcare payments.

Judgement Call

CEs can also disclose a patient's information to notify or help notify loved ones of the patient. It is not required that the CE verify an individual is a partner, friend or family member, it is a judgement call of the CE. Sex or gender identity should not limit CE disclosures. This update stemmed from the 2016 Orlando nightclub shooting. In the aftermath, the mayor of Orlando asked that the White House waive HIPAA as CEs tried to notify loved ones and family members. The Department of Health and Human Services responded at the time that a waiver was not needed and that providers could use their professional judgement in making disclosures they thought in the best interest of the patient.