Conduro Ventures
Healthcare Information Security Consultants


News & Insights

When Can HIPAA be Waived?

In light of the recent Florida tragedy, the news was filled with reports surrounding the topic of patient privacy, and in particular, whether or not HIPAA was waived in an attempt to help people find out information about their loved ones. While many sources reported that Orlando Mayor, Buddy Dyer had contacted the White House to waiver HIPAA, the U.S. Department of Health and Human Services (HHS) later confirmed that this was not required. Understandably, this lead to confusion about when a patient’s health information can be disclosed, and to whom.

The law states that it is possible to disclose a patient’s health information if it is determined to be in their best interest. By doing so, it is possible to help identify incapacitated patients and locate their next of kin.

Those working in the healthcare industry will be well aware that releasing a patient’s medical information without consent can have serious repercussions, but sometimes a failure to disclose such information to friends and family can carry more severe consequences.

One such case was Sean Meyers; who was admitted to the ER at Inova Fairfax Hospital following a car accident. Despite his condition, hospital staff would only disclose the very bare minimum of information to his parents. In the next ten days, Sean remained in the hospital but there was still no real communication established between the staff and his parents about his condition or care.

Although Sean was discharged to recover at home, a week later, Sean sadly passed away due to a heart problem and blood clots; something his parents felt exceptionally heartbroken about as they feel that it may have been possible to save his life had they spoken to them. Sean’s family have a history of blood clots – this vital information could have prevented his death, had his condition and care been discussed with his next of kin.

Although this case demonstrates how damaging it can be to withhold health information from a patient’s next of kin, it seems that more hospitals and healthcare providers are becoming increasingly reluctant to communicate effectively with patients’ family and friends, for fear of violating HIPAA’s increasingly stringent rules.

The fear of huge financial penalties, legal action and reputational damage is impounded further when authoritative industry figures advise others to err on the side of caution. Jane Hyatt Thorpe, Associate Professor at George Washington University’s department of health policy, says: “For healthcare providers that are uncertain about the information they may or may not share, the easiest and safest route is often to just say no”.

Information may not be shared either because medical staff have withheld details, or patients themselves have chosen to restrict who can access their medical information. However, the law can be fairly lenient regarding the disclosure of information to a patient’s family members in certain circumstances.

Despite the conflicting messages, a health provider may disclose details of a patient to family and friends at their own discretion, without breaching HIPAA rules, providing one of the following is adhered to:

  • the person/s requesting information are involved in the individual’s health care or payment of the health care;
  • the patient tells the provider or plan that it can do so;
  • the patient does not object to the sharing of their information;
  • when using professional judgment, the provider believes it is in the best interest of the patient.

There could, however, come a time where an individual becomes legally, or otherwise, incapable of exercising their rights. In these circumstances, HHS suggests that an individual designates another person to act on their behalf with regard to their rights. This person is referred to as the ‘personal representative’.

But it can get confusing when an individual has not expressed that they wish to waive the protection offered by HIPAA, that will allow the specifically designated “personal representative” to gain access to their otherwise private health information. Should a family member attempt to bypass HIPAA rules through the use of an attorney, usually in the event of a medical emergency, the patient must have already outlined in their power of attorney for healthcare that they give permission for their medical information to be released. As healthcare providers are not required to disclose an individual’s information with their family and friends unless they have been assigned as a personal representative, individuals may want to consider carrying a signed document that authorizes health care providers to disclose and discuss their information with a personal representative.

The bottom line is, HIPAA can be a minefield, and healthcare professionals should still think twice before sharing PHI.

By Gene Fry

Originally Published June 4, 2016
The Compliance & Ethics Blog
When Can HIPAA be Waived?