HIPAA regulations allow health professionals to share health information with a patient’s loved ones in emergency or dangerous situations – but misunderstandings to the contrary persist and create obstacles to family support that is crucial to the proper care and treatment of people experiencing a crisis situation, such as an opioid overdose. This document explains how health care providers have broad ability to share health information with patients’ family members during certain crisis situations without violating HIPAA privacy regulations.2
HIPAA allows health care professionals to disclose some health information without a patient’s permission under certain circumstances, including:
- Sharing health information with family and close friends who are involved in care of the patient if the provider determines that doing so is in the best interests of an incapacitated or unconscious patient and the information shared is directly related to the family or friend’s involvement in the patient’s health care or payment of care.3 For example, a provider may use professional judgment to talk to the parents of someone incapacitated by an opioid overdose about the overdose and related medical information, but generally could not share medical information unrelated to the overdose without permission.
- Informing persons in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety.4 For example, a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends, or caregivers of the opioid abuse after determining, based on the facts and circumstances, that the patient poses a serious and imminent threat to his or her health through continued opioid abuse upon discharge. 5
- “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996 and, for purposes of this guidance, the HIPAA privacy and security regulations.
- This guidance does not discuss the requirements of other federal or state laws that apply to individuals’ health information, including the federal regulations that provide more stringent protections for the confidentiality of substance use disorder patient records maintained in connection with certain federally assisted substance use disorder treatment programs (42 CFR Part 2 implementing 42 U.S.C. §290dd-2). HIPAA does not interfere with other laws or medical ethics rules that are more protective of patient privacy.
3See 45 CFR §§ 164.510(b)(1)(i) and 164.510(b)(3).
- See 45 CFR 164.512(j)(1)(i).
- HIPAA still requires that a disclosure to prevent or lessen a serious and imminent threat must be consistent with other applicable laws and ethical standards. 164.512(j)(1) . For example, if a state’s law is more restrictive regarding the communication of health information (such as the information can only be shared with treatment personnel in connection with treatment), then HIPAA compliance hinges on the requirements of the more restrictive state law.
HIPAA respects individual autonomy by placing certain limitations on sharing health information with family members, friends, and others without the patient’s agreement.
- For patients with decision-making capacity: A health care provider must give a patient the opportunity to agree or object to sharing health information with family, friends, and others involved in the individual’s care or payment for care.6 The provider is not permitted to share health information about patients who currently have the capacity to make their own health care decisions, and object to sharing the information (generally or with respect to specific people), unless there is a serious and imminent threat of harm to health as described above.7
HIPAA anticipates that a patient’s decision-making capacity may change during the course of treatment.
- Decision-making incapacity may be temporary and situational, and does not have to rise to the level where another decision maker has been or will be appointed by law. If a patient regains the capacity to make health care decisions, the provider must offer the patient the opportunity to agree or object before any additional sharing of health information.8
For example, a patient who arrives at an emergency room severely intoxicated or unconscious will be unable to meaningfully agree or object to information-sharing upon admission but may have sufficient capacity several hours later. Nurses and doctors may decide whether sharing information is in the patient’s best interest, and how much and what type of health information is appropriate to share with the patient’s family or close personal friends, while the patient is incapacitated so long as the information shared is related to the person’s involvement with the patient’s health care or payment for such care.9 If a patient’s capacity returns and the patient objects to future information sharing, the provider may still share information to prevent or lessen a serious and imminent threat to health or safety as described above.10
HIPAA recognizes patient’s personal representatives according to state law.
- Generally, HIPAA provides a patient’s personal representative the right to request and obtain any information about the patient that the patient could obtain, including a complete medical record.  Personal representatives are persons who have health care decision making authority for the patient under state law.12 This authority may be established through the parental relationship between the parent or guardian of an un-emancipated minor, or through a written directive, health care power of attorney, appointment of a guardian, a determination of incompetency, or other recognition consistent with state laws to act on behalf of the individual in making health care related decisions.
For more information visit: https://www.hhs.gov/hipaa
- See 45 CFR 164.510(b)(2).
- See 45 CFR 164.512(j)(1).
- See 45 CFR 164.510(b)(2).
- See 45 CFR 164.510(b)(1)(i).
- See 45 CFR 164.512(b)(2).
 See 45 CFR § 164.502(g).
See generally HHS Office for Civil Rights Guidance on Personal Representatives (providing a chart which explains who must be recognized as a personal representative and the legal exceptions applicable to unemancipated individuals and abuse, neglect and endangerment situations).
Now, from a risk management perspective, I strongly urge providers and staff to document their belief that a threat to health or safety existed and/or it was in the patient’s best interests to share information when the patient has not given consent to the disclosure, and to also document the reason they believed that.
Is it required? No.
Is it extra work? Yes.
Is it likely to save you hours of grief wasted on arguments and confrontations, OCR inquiries, and maybe lawsuits? Yes.