OCR clarifies HIPAA disclosure after Orlando nightclub shooting

John Gregory | | Health Exec | Cybersecurity

HHS’s Office of Civil Rights (OCR) has clarified that HIPAA’s rules on disclosing protected health information (PHI) are not limited by the sex or gender identity of the patient or their loved ones.

The FAQ was in response to confusion around disclosure standards in the wake of the shooting at Pulse Nightclub in Orlando. Orlando’s mayor asked for a HIPAA waiver, claiming certain information couldn’t be released to victims’ families or friends without it. No waiver was needed, according to HHS, and OCR’s new clarification explained when PHI can be disclosed to a patient’s family member, friend, spouse, or partner.

“When making disclosures…a covered entity should get verbal permission from the patient when possible, or otherwise be able to reasonably infer that the patient does not object to the disclosure, before disclosing information to these persons,” the FAQ stated. “If the patient is incapacitated or not available, a covered entity may share information when, in its professional judgment, doing so is in the patient’s best interest.  Finally, if the individual is deceased, a covered entity may share information with a person who was involved in the individual's care or payment for care prior to the individual's death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.”

Gender identity of the patient or the person receiving the information, OCR explained, doesn’t limit or impact who PHI can be disclosed to. The Supreme Court ruling on same-sex marriage was also referenced, as the FAQ said that all lawful marriages fall under the disclosure rules for family members and spouses.

“For example, if a state grants legally married spouses health care decision making authority for each other, such that legally married spouses are personal representatives…the legally married spouse is the patient’s personal representative and a covered entity must provide the spouse access to the patient’s records,” the FAQ explained. “In this example, a covered entity that does not provide a patient’s lawful spouse with access because of the sex of the spouses would be in violation of the Privacy Rule.”

""
John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.

Related Content

Healthcare hacker sentenced to 10 years in prison
Ransomware group deploys ticking clock to threaten Georgia hospital
Hackers were inside an Iowa hospital’s network for two weeks
Microsoft: Ransomware hit nearly 400 healthcare entities this year—a 300% rise since 2015
Feds make it official: Change data breach was the largest in healthcare history, impacting 100M
CMS contractor takes $1.2M loss after data breach, DOJ lawsuit

Around the web

Cardiovascular Business
Q&A: MedAxiom CEO explores key trends in cardiologist, cardiovascular surgeon compensation

Compensation for heart specialists continues to climb. What does this say about cardiology as a whole? Could private equity's rising influence bring about change? We spoke to MedAxiom CEO Jerry Blackwell, MD, MBA, a veteran cardiologist himself, to learn more.

Cardiovascular Business
Payment cuts and beyond: Key takeaways for cardiologists from the 2025 Medicare Physician Fee Schedule

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

AI in Healthcare
A modest proposal to rally AI regulators around a simple game plan

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”