HIPAA

When is it OK to disclose PHI? HHS updates its guidance

The Department of Health and Human Services Office of Civil Rights (OCR) recently released a series of clarifying guidance documents on how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits disclosures of protected health information (PHI).

A set of frequently asked questions (FAQ) clarifies that physicians may disclose PHI to a patient’s loved ones, regardless of whether they are recognized as relatives under applicable law. For example, a patient’s unmarried partner is recognized as a relative with whom PHI can be shared.

The FAQs make clear that the permissive disclosures are not limited by the sex or gender identity of the person. The OCR is updating guidance to make clear that the terms “marriage,” “spouse” and “family member” include all lawful marriages—whether same-sex or opposite-sex—lawfully married spouses and the dependents of all lawful marriages.

In addition, OCR and the Office of the National Coordinator for Health Information Technology (ONC) released a fact sheet explaining how HIPAA permits disclosures of PHI to support public health activities conducted by public health agencies, as authorized by state or federal law. It provides a few examples of how to exchange PHI in support of public health policies, for scenarios such as:

  • Reporting of disease
  • Conducting public health surveillance
  • Public health investigations and interventions
  • Exchanges subject to Food and Drug Administration jurisdiction
  • Identifying patients exposed to a communicable disease
  • Supporting medical surveillance of the workplace
  • Using certified electronic health record technology

The AMA has consistently urged policymakers to increase their education efforts to assist physicians in their understanding of how HIPAA permits clinicians to share PHI. The AMA has also created a toolkit on related aspects of HIPAA, which includes requirements around privacy and security.