OCR clarifies HIPAA disclosure after Orlando nightclub shooting

HHS’s Office of Civil Rights (OCR) has clarified that HIPAA’s rules on disclosing protected health information (PHI) are not limited by the sex or gender identity of the patient or their loved ones.

The FAQ was in response to confusion around disclosure standards in the wake of the shooting at Pulse Nightclub in Orlando. Orlando’s mayor asked for a HIPAA waiver, claiming certain information couldn’t be released to victims’ families or friends without it. No waiver was needed, according to HHS, and OCR’s new clarification explained when PHI can be disclosed to a patient’s family member, friend, spouse, or partner.

“When making disclosures…a covered entity should get verbal permission from the patient when possible, or otherwise be able to reasonably infer that the patient does not object to the disclosure, before disclosing information to these persons,” the FAQ stated. “If the patient is incapacitated or not available, a covered entity may share information when, in its professional judgment, doing so is in the patient’s best interest.  Finally, if the individual is deceased, a covered entity may share information with a person who was involved in the individual's care or payment for care prior to the individual's death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.”

Gender identity of the patient or the person receiving the information, OCR explained, doesn’t limit or impact who PHI can be disclosed to. The Supreme Court ruling on same-sex marriage was also referenced, as the FAQ said that all lawful marriages fall under the disclosure rules for family members and spouses.

“For example, if a state grants legally married spouses health care decision making authority for each other, such that legally married spouses are personal representatives…the legally married spouse is the patient’s personal representative and a covered entity must provide the spouse access to the patient’s records,” the FAQ explained. “In this example, a covered entity that does not provide a patient’s lawful spouse with access because of the sex of the spouses would be in violation of the Privacy Rule.”

""
John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.

Around the web

Cardiovascular devices are more likely to be in a Class I recall than any other device type. The FDA's approval process appears to be at least partially responsible, though the agency is working to make some serious changes. We spoke to a researcher who has been tracking these data for years to learn more. 

Updated compensation data includes good news for multiple subspecialties. The new report also examines private equity's impact on employment models and how much male cardiologists earn compared to females.

When drugs are on the FDA’s shortage list, outsourcing facilities can produce their own compounded versions. When the FDA removed tirzepatide from that list with no warning, it created a considerable amount of chaos both behind the scenes and in pharmacies all over the country. 

Trimed Popup
Trimed Popup