Aegis Compliance & Ethics Center, LLP
OCR Clarifies Provider Communication with Loved Ones after Opioid Abuse
Following the Trump Administration’s declaration of the opioid crisis as a public health emergency late last year, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released guidance clarifying how HIPAA regulations allow health care professionals to share protected health information (“PHI”) with the family, friends, or caregivers of a patient who has overdosed on opioids. The guidance explains several existing HIPAA regulations that give healthcare providers room for judgement in cases of emergency or where a patient’s health or safety is threatened. OCR also provides concrete examples of hypothetical situations to illustrate how HIPAA provides such latitude to providers. In short, OCR’s guidance explains how healthcare providers may disclose PHI without a patient’s permission in certain scenarios.
Under Certain Circumstances, Providers may Disclose PHI without a Patient’s Permission
HIPAA has a limited exception allowing providers to share PHI related to an incapacitated or unconscious patient. If a patient is unconscious or incapacitated and thus does not have decision-making capacity, HIPAA gives healthcare providers room for judgement to determine whether sharing PHI about the patient with family or close friends is in the patient’s best interest. This exception does not, however, give healthcare providers free rein to share all healthcare information pertaining to a patient. For the exception to apply, the provider must share only PHI that is directly related to the family or friend’s involvement in the patient’s health care or payment for that care. Thus, OCR indicates in the guidance that providers may use their judgement to share PHI related to an opioid overdose, but may not share PHI unrelated to the overdose without permission.
HIPAA also allows providers to share PHI with persons in a position to prevent or lessen a serious threat to a patient’s health or safety. Unlike the exception discussed above, the patient does not need to be unconscious or incapacitated for the exception to apply. OCR explains in its guidance that a doctor is presumed to comply with HIPAA when he or she shares with the family, friends, or caregivers of a patient who has overdosed on opioids details about the opioid abuse, if he or she determines that the patient poses a threat to his or her health through continued abuse after discharge.
OCR Recognizes that Decision-Making Capacity can Change
HIPAA requires that a healthcare provider give patients with decision-making capacity the opportunity to agree or object to sharing PHI with family, friends and others involved in the patient’s care or treatment. This requirement can prove difficult for providers to comply with, especially in medical emergencies such as an opioid overdose where decision-making capacity can change from day to day or even from hour to hour. The OCR guidance clarifies that in such cases, physicians and nurses can decide when sharing PHI with a patient’s family or friends is in the patient’s best interests, if the information shared is related to that person’s involvement with the patient’s health care or payment for such care and the patient is incapacitated or unconscious. However, as soon as a patient regains consciousness and decision-making capability, healthcare providers must offer the patient the opportunity to agree or object before sharing any further information.
OCR Explains how State Law Impacts Information Sharing
The OCR guidance also emphasizes the role of state law in determining how providers can and cannot share PHI with friends and family in the aftermath of an opioid overdose. HIPAA gives a patient’s personal representative the right to request and obtain PHI about the patient that the patient could receive, including a complete medical record. Because personal representatives are established under state law, the persons afforded this right may vary from state to state. Additionally, healthcare providers should keep in mind that many states impose additional restrictions on how healthcare providers may share health information, meaning that HIPAA is often only the minimum standard that providers must follow. A careful understanding of obligations imposed by the state in which the healthcare provider renders treatment is crucial for full compliance with applicable regulations related to health information privacy.
The OCR guidance illustrates the importance of clear, well-written policies and procedures, as well as thorough training and an effective compliance hotline. Not only can such measures ensure that workforce members understand their obligations under HIPAA but they also ensure that family members, friends and caregivers receive appropriate information about an opioid overdose so that they can act accordingly. Maintaining an effective compliance hotline can bring suspected incidents of non-compliance to the attention of those who can administer corrective action or additional training. As the current administration has prioritized opioid abuse, compliance departments should, in turn, ensure that privacy compliance controls are appropriate, especially when it comes to situations involving drug abuse and overdoses.