On October 26, 2017, President Donald Trump directed acting secretary of the Department of Health and Human Services (HHS), Eric D. Hargan, to declare the opioid crisis a nationwide Public Health Emergency under section 319 of the Public Health Services Act, 42 U.S.C. § 247d(a). This announcement indicates that proactive efforts will be directed toward ending the opioid epidemic and helping individuals currently affected. For more information about the implications of the federal public health emergency declaration, as well as state, tribal, and local emergency declarations, view the Network’s Primer on Opioid-related Public Health Emergency Declarations.
As a component of HHS’s efforts to address the opioid crisis, the HHS Office for Civil Rights (OCR) released new guidance on October 27, 2017 to clarify when and how healthcare providers can share a patient’s health information with family members, friends, and legal representatives. As support from family and friends can assist individuals struggling with opioid addiction, informing a patient’s loved ones of their opioid-related issues may be a viable component of their recovery.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) restricts disclosure of individually identifiable health information (known as protected health information or PHI) to protect patient privacy. The HIPAA Privacy Rule is often cited as a reason to refuse access to a patient’s health information, sometimes appropriately, but often not.
As noted in the OCR’s new guidance, misunderstandings about the HIPAA Privacy Rule can create obstacles to the proper care and treatment of people experiencing an opioid-related crisis situation. For example, family members, friends, or caregivers involved in a patient’s care may be improperly denied access to important information while the patient is incapacitated or unconscious. A health care provider may also be reluctant to inform family or close friends of a patient’s opioid overdose for fear of HIPAA-related liability, even if the patient’s likelihood of continued opioid use poses a serious or imminent threat to the patient’s health.
Understanding when and how healthcare providers can share patient information with family members, friends, and legal representatives without violating the HIPAA Privacy Rule is therefore a critical component to addressing the opioid crisis and providing care to those affected.
Under certain circumstances, the Privacy Rule allows health care providers to use professional judgment to determine whether to disclose relevant medical information to friends and family involved in a patient’s care without the patient’s consent. These circumstances include when a patient is incapacitated (including due to an opioid overdose) (see 45 C.F.R. §164.510(a)(3)) or when the disclosure “[i]s necessary to prevent or lessen a serious and imminent threat” to the patient’s health or safety and the person to whom information is disclosed is “reasonably able to prevent or lessen the threat” (see 45 C.F.R. § 164.512(j)(1)(i)). In addition, the HIPAA Privacy Rule allows disclosure of information to a patient’s personal representative (as defined by state law), usually including the parent or guardian of an un-emancipated minor (see 45 C.F.R. § 164.502(g)(3), (5)).
Even under the circumstances described above where the HIPAA Privacy Rule allows disclosure of information relating to a patient’s opioid use, a health care provider must exercise professional judgment in determining whether disclosure is appropriate. When determining whether to disclose data to a personal representative or to family members or friends of an individual who is incapacitated, a health care professional must consider whether disclosure is in the best interests of the patient. Similarly, disclosing information to prevent a serious or imminent threat to a patient’s health is permitted only if the health care provider believes in good faith that the recipient of the information is reasonably able to prevent or lessen the threat.
The OCR’s guidance likewise notes the HIPAA Privacy Rule’s emphasis on individual autonomy. For example, if a patient has capacity to give permission, the health provider must give the patient an opportunity to agree or object to the sharing of health information with others unless the disclosure is necessary to prevent a serious and imminent threat of harm. Because a patient’s decision-making capacity may change after treatment has been administered, health care providers must monitor the patient’s condition closely to stay compliant. In addition, if other applicable federal or state laws provide more stringent protections for PHI than are provided under the HIPAA Privacy Rule, providers are held to the more stringent standards. For example, 42 C.F.R. Part 2 protects the privacy of patients seeking treatment for a substance use disorder and may require protections beyond those required under HIPAA.
This blog was prepared by Hanna T. Ali, J.D. Candidate, Class of 2019, University of Michigan Law School, under the supervision of Colleen Healy Boufides, Staff Attorney, and Denise Chrysler, Director, for the Network for Public Health Law – Mid-States Region Office.
The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this post does not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state.
Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not necessarily represent the views of, and should not be attributed to, RWJF.