Updated HIPAA Privacy Rule Guidance on Sharing Information with Loved Ones

Accidents, sudden illness, and hospitalization of a family member are stressful incidents for individuals and their loved ones.  Uncertainty regarding the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rules’ restrictions on the sharing of information with certain family members or loved ones sometimes adds to that stress.  Earlier this year, in an effort to clarify previous guidance, the United States Department of Health and Human Services (“HHS”) updated its guidance and FAQs on the interplay between HIPAA, state law, and the sharing of information with spouses, family members, loved ones, and personal representatives. 

HHS’s guidance, HIPAA and Marriage: Understanding Spouse, Family Member, Marriage, and Personal Representatives in the Privacy Rule, clarified the meaning of the terms “marriage”, “spouse”, and “family member” in the HIPAA Privacy Rule “to include all lawful marriages, lawfully married spouses, and both the lawful spouses and the dependents of all lawful marriages.”[1]  According to HHS, a lawful marriage is “any marriage sanctioned by a state, territory, or a foreign jurisdiction as long as a U.S. jurisdiction would also recognize the marriage performed in the jurisdiction.”[2]  Furthermore, “the terms marriage, spouse, and family member apply to all individuals who are legally married, regardless of where they live or receive health care services.”[3]  As a result, if a patient legally married an individual of the same sex in Iowa, and later received health care services in Nebraska, the patient’s spouse should be treated as a spouse under Nebraska law for purposes of the HIPAA Privacy Rule.

The HIPAA Privacy Rule generally defers to the law of the state where the patient is receiving care to determine the authority of a personal representative.  HHS’s updated FAQ, “Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with a person who is not married to the patient or is otherwise not recognized as a relative of the patient under applicable law (e.g., state law)?”, helps to clarify who may be recognized as the personal representative.  In the FAQ, HHS’s Office for Civil Rights explains:[4]

a covered entity may not deny a personal representative, as defined in 45 CFR 164.502(g), the rights afforded to the personal representative under 45 CFR 164.502(g) of the Privacy Rule for any reason, including because of the sex or gender identity of the personal representative. For example, if a state grants legally married spouses health care decision making authority for each other, such that legally married spouses are personal representatives under 45 CFR 164.502(g), the legally married spouse is the patient’s personal representative and a covered entity must provide the spouse access to the patient’s records.

As a result, if a health care provider (or other covered entity) declined to provide a patient’s lawful spouse with the patient’s information merely due to the gender identity or sex of the spouse, such provider could violate the HIPAA Privacy Rule.  Violating the HIPAA Privacy Rule can lead to a complaint, investigation, and enforcement action by the Office for Civil Rights.

If you are a covered entity, patient, or loved one and you have questions about the sharing of certain information, please contact Molly Driscoll or any BrownWinick attorney in the Health Law Practice Group.