Privacy & Cybersecurity Law Blog

On October 3, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) issued an announcement clarifying when protected health information (“PHI”) can be shared with family, friends and others. This announcement, prompted by the recent mass shooting in Las Vegas, outlines the purposes for which PHI can be disclosed to these parties pursuant to HIPAA and the conditions that apply, which are summarized below:

• Disclosures to Family, Friends and Others Involved in an Individual’s Care and for Notification. A “covered entity” (i.e., health care providers, health plans, and health care clearinghouses covered by HIPAA) may disclose PHI to a patient’s family members, relatives, friends or other persons identified by the patient as involved in his or her care. A covered entity may also share PHI regarding the patient as necessary to identify and locate individuals responsible for the patient’s care and notify them of his or her location, general condition or death. When possible, covered entities should obtain verbal permission to share PHI from an individual (or otherwise be able to infer that he or she does not object). When this is not possible, covered entities may rely on professional judgement and experience to determine whether PHI should be shared in the patient’s best interest. Covered entities may also share PHI with disaster relief organizations, even without the patient’s permission, if obtaining the patient’s permission would interfere with the organization’s ability to respond to the emergency.
• Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification. Hospitals and health care facilities may, upon a request for information about a particular patient by name, release limited facility directory information to acknowledge that a patient is present at the facility and provide general information on his or her condition (e.g., critical or stable). This information may be shared if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, when the covered entity believes the disclosure to be in the patient’s best interest and consistent with any prior expressed preferences. More specific disclosures (e.g., test results, illness details) or affirmative disclosures to the media or public, however, generally require a written authorization.
• Minimum Necessary. For most disclosures, covered entities must make reasonable efforts to disclose only the “minimum necessary” PHI required to accomplish the purpose for which the disclosure is made (importantly, treatment purposes are exempt from this requirement). Covered entities may rely on representations made by a public health authority or other public official that the information requested is the minimum necessary for the purpose of the requested disclosure.