Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Spouses, family members and marriage under HIPAA

Written by Kirsten Peremore | September 19, 2025

As explained in Appendix H of Families Caring for an Aging America, “The set of privacy regulations promulgated under HIPAA, known as the Privacy Rule (45 CFR Part 164), defines the types of uses and disclosures of an individual's health information that are permitted by health care providers and health plans. In other words, it determines who can look at and receive an individual's health information, including family members and friends of the person.”

This means HIPAA does not give family members inherent rights to access a patient's records just by virtue of their relationship. One way family members may access protected health information (PHI) is through the position of a personal representative. “A caregiver who is the individual’s personal representative has the authority, under applicable law, to act on behalf of an individual in making decisions related to health care and has the same rights of access.”

Covered entities can share a patient’s health information with family members, like a spouse, if that person is directly involved in care or helping with payment. In real life, this happens often. This could take the form of a partner calling to confirm an appointment, sorting out the pharmacy, or handling the bills. The main thing is that the information shared must stay relevant to the role the family member is playing. 

Once PHI is disclosed to them, HIPAA no longer applies to their use or sharing of that information. This means that although spouses and family members can serve as caregivers, the privacy protections stop at the point of disclosure.

 

How does HIPAA define marriage, spouse, and family members?

HIPAA’s original text does not provide fixed definitions for terms such as marriage, spouse, or family member. Instead, the Department of Health and Human Services (HHS) and the HIPAA Privacy Rule offer guidance that clarifies these terms. This guidance reflects the Supreme Court decisions of United States v. Windsor and Obergefell v. Hodges, which expanded federal recognition of same-sex marriages.

A study, ‘The effect of same-sex marriage legalization on interstate migration in the United States’, notes the function of these marital definitions: “Access to marriage can motivate people to move. Marriage allows individuals access to more citizenship rights, welfare benefits, tax benefits, health care, social, property, and parental rights than any other form of partnership in the US.”

The term marriage under HIPAA includes all lawful marriages. This means any marriage legally recognized by a state, territory, or foreign jurisdiction will be recognized under HIPAA as long as it would also be recognized within any US jurisdiction. This includes same-sex marriages. 

The term spouse refers to any individual who is lawfully married to another person under the prevailing legal standards described above, without regard to sex or gender. This means that spouses in both opposite-sex and same-sex marriages fall within this definition for HIPAA purposes.

Family member is defined more broadly. It includes spouses and dependents of lawful marriages and other relatives connected either by consanguinity (blood relationship) or affinity (relationship by marriage or legal adoption). HIPAA's definition covers first-degree to fourth-degree relatives. 

See also: Understanding HIPAA's Military Command Exception

 

What are permitted disclosures to these individuals?

The HIPAA Privacy Rule allows for certain permitted disclosures of PHI to individuals who are considered family members, spouses, or personal representatives. Healthcare organizations can share PHI with a spouse or family member who’s actively involved in the patient’s care, whether that means helping with treatment, arranging appointments, or coordinating follow-up care. Providers can also give updates about a patient’s location, condition, or even death to those family members or a spouse.

When it comes to personal representatives, the rules go a step further. HIPAA requires providers to treat a personal representative as if they were the patient themselves. That means the representative can review medical records, approve disclosures, and exercise the same rights the patient would have under the Privacy Rule.

A Health Matrix: The Journal of Law-Medicine journal article provides an interesting situation: “For example, if the mental health professional determines that the client would have given consent to sharing the requested information with the surviving spouse, and has some prior documentation to that effect, the mental health professional will likely disclose the psychotherapy notes to the surviving spouse.”

If a state grants legally married spouses healthcare decision-making authority on behalf of one another, the Privacy Rule requires covered entities to recognize the lawful spouse of an individual as their personal representative.

See also: Using limited data sets for HIPAA compliance

 

The role of case law in defining these concepts

United States v. Windsor (2013)

In the case of United States v. Windsor, the Supreme Court declared section 3 of the Defense of Marriage Act (DOMA) unconstitutional. This particular section of DOMA previously restricted federal recognition of marriages to only opposite-sex unions. The Supreme Court's decision in Windsor expanded federal recognition of rights for individuals in same-sex marriages. 

It marked a step towards equal treatment of same-sex couples under federal law. However, while this decision broadened federal recognition, it did not fully resolve the status of these rights under state law. State-level recognition of such marriages continued to vary.

 

Obergefell v. Hodges (2015)

In the subsequent case of Obergefell v. Hodges, the Supreme Court went further to address the issue of same-sex marriage. The Court held that the Fourteenth Amendment to the United States Constitution requires states to both license and recognize marriages between two people of the same sex. 

The decision established that same-sex marriages should be legally recognized and protected nationwide. It ensures equal treatment under the law for all couples, regardless of gender. Obergefell v. Hodges provided a clear and consistent standard for recognizing same-sex marriages across all states, ending the legal disparities that had previously existed.

See also: HIPAA Compliant Email: The Definitive Guide

 

FAQs

What is PHI disclosed under HIPAA?

A disclosure of PHI is the release, transfer, provision of access to, or divulging in any other manner of protected health information to an entity or person outside the covered entity. 

 

Is there PHI exempt from the accounting of disclosures requirement?

Yes. Individuals may request an accounting of disclosures of their PHI for up to six years, but certain disclosures are exempt from this requirement. 

 

How long do covered entities have to respond to disclosure requests or accounting?

Covered entities must respond to an individual’s request for access to PHI or an accounting of disclosures within 30 to 60 days, depending on the type of request.