HIPAA experts: No need to request a waiver after Orlando shooting


Since Sunday’s horrific shooting in Orlando that killed 49 people and injured 53 patrons at the Pulse night club, journalists have been asking whether the Health Insurance Portability and Accountability Act of 1996 (HIPAA) limits what hospital administrators can say about a patient’s condition.

One source of confusion was a statement made by Orlando Mayor Buddy Dyer after the June 12 attack. He said he requested a waiver of HIPAA privacy rules so that Orlando hospital officials could release patients’ personal health information (PHI) to family members. But Roxane Beharry, a public affairs specialist (on detail) for the federal Office for Civil Rights at the Department of Health and Human Services, said there was no need for a waiver. The office investigates complaints involving health information privacy and patient safety confidentiality.

“HIPAA allows health care professionals the flexibility to disclose limited health information to the public or media in appropriate circumstances,” Beharry wrote in an email. “These disclosures, which are made when it is determined to be in the best interest of a patient, are permissible without a waiver to help identify incapacitated patients, or to locate family members of patients to share information about their condition. Disclosures are permissible to same sex, as well as opposite sex, partners.”

Under the HIPAA Privacy Rule (section 45 CFR 164.510), Beharry outlined the permitted uses and disclosures of health information including:

  • Disclosure to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s health care or payment related to the individual’s health care;
  • Disclosure to assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death.

Michael Arrigo, a HIPAA consultant and expert witness in HIPAA cases with the health care consulting firm No World Borders, agrees. The federal statute, 45 CFR 164.510(a)(3)(i)(B), provides that in “emergency circumstances” if a patient is incapacitated, then a disclosure is permitted if it’s in the individual’s best interest as determined by what HIPAA calls a “covered entity” (meaning a hospital, in this case) and in the exercise of the entity’s professional judgment, he said.

Hospital administrators often are concerned about the possibility of violating HIPAA’s Privacy Rule since unauthorized release of a patient’s PHI can result in criminal penalties and civil fines as high as $50,000, wrote CNN’s Jacqueline Howard in a thorough report on the issues. Wired’s Sarah Zhang and Modern Healthcare’s Joseph Conn also did a great job explaining the details.

In any event, hospitals should have information disclosure policies in place long before a disaster strikes, Arrigo said. Therefore, it’s likely that Orlando hospitals were simply following their own procedures.

Still, hospitals can identify next of kin through intake forms, he wrote. But such forms would not be completed for most patients suffering severe trauma because they go directly into treatment. And if a patient cannot communicate, a hospital normally would not be authorized to share information, he added.

Regardless of circumstances, hospitals can release patients’ information as long as they have each patient’s agreement to speak with family members or friends involved in the patient’s care, Arrigo explained, citing the HIPAA Privacy Rule (45 CFR 164.510(b)).

In Orlando, many of the victims were members of the LGBT community. Hospital officials may have wanted to demonstrate more care in determining who was a blood relative, a partner or a friend. “Under the HIPAA Privacy Rule, a person authorized to act on behalf of the individual in making health care related decisions is the individual’s ‘personal representative,’” Arrigo wrote. In 45 CFR 164.510(b), the privacy rule addresses situations in which family members or others involved in the individual’s health care or payment for care could receive protected health information about the individual even if not expressly authorized to act on the individual’s behalf, he explained.

(Editor’s note: This post was updated on July 1 to more specifically reflect Beharry’s position with OCR.)

Joseph Burns

Joseph Burns is AHCJ’s health beat leader for health policy. He’s an independent journalist based in Brewster, Mass., who has covered health care, health policy and the business of care since 1991.