OCR clarifies HIPAA disclosure after Orlando nightclub shooting

HHS’s Office of Civil Rights (OCR) has clarified that HIPAA’s rules on disclosing protected health information (PHI) are not limited by the sex or gender identity of the patient or their loved ones.

The FAQ was in response to confusion around disclosure standards in the wake of the shooting at Pulse Nightclub in Orlando. Orlando’s mayor asked for a HIPAA waiver, claiming certain information couldn’t be released to victims’ families or friends without it. No waiver was needed, according to HHS, and OCR’s new clarification explained when PHI can be disclosed to a patient’s family member, friend, spouse, or partner.

“When making disclosures…a covered entity should get verbal permission from the patient when possible, or otherwise be able to reasonably infer that the patient does not object to the disclosure, before disclosing information to these persons,” the FAQ stated. “If the patient is incapacitated or not available, a covered entity may share information when, in its professional judgment, doing so is in the patient’s best interest.  Finally, if the individual is deceased, a covered entity may share information with a person who was involved in the individual's care or payment for care prior to the individual's death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.”

Gender identity of the patient or the person receiving the information, OCR explained, doesn’t limit or impact who PHI can be disclosed to. The Supreme Court ruling on same-sex marriage was also referenced, as the FAQ said that all lawful marriages fall under the disclosure rules for family members and spouses.

“For example, if a state grants legally married spouses health care decision making authority for each other, such that legally married spouses are personal representatives…the legally married spouse is the patient’s personal representative and a covered entity must provide the spouse access to the patient’s records,” the FAQ explained. “In this example, a covered entity that does not provide a patient’s lawful spouse with access because of the sex of the spouses would be in violation of the Privacy Rule.”