OCR clarifies HIPAA disclosure after Orlando nightclub shooting

HHS’s Office of Civil Rights (OCR) has clarified that HIPAA’s rules on disclosing protected health information (PHI) are not limited by the sex or gender identity of the patient or their loved ones.

The FAQ was in response to confusion around disclosure standards in the wake of the shooting at Pulse Nightclub in Orlando. Orlando’s mayor asked for a HIPAA waiver, claiming certain information couldn’t be released to victims’ families or friends without it. No waiver was needed, according to HHS, and OCR’s new clarification explained when PHI can be disclosed to a patient’s family member, friend, spouse, or partner.

“When making disclosures…a covered entity should get verbal permission from the patient when possible, or otherwise be able to reasonably infer that the patient does not object to the disclosure, before disclosing information to these persons,” the FAQ stated. “If the patient is incapacitated or not available, a covered entity may share information when, in its professional judgment, doing so is in the patient’s best interest.  Finally, if the individual is deceased, a covered entity may share information with a person who was involved in the individual's care or payment for care prior to the individual's death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.”

Gender identity of the patient or the person receiving the information, OCR explained, doesn’t limit or impact who PHI can be disclosed to. The Supreme Court ruling on same-sex marriage was also referenced, as the FAQ said that all lawful marriages fall under the disclosure rules for family members and spouses.

“For example, if a state grants legally married spouses health care decision making authority for each other, such that legally married spouses are personal representatives…the legally married spouse is the patient’s personal representative and a covered entity must provide the spouse access to the patient’s records,” the FAQ explained. “In this example, a covered entity that does not provide a patient’s lawful spouse with access because of the sex of the spouses would be in violation of the Privacy Rule.”

""
John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.