My heart goes out to any family member trying desperately to get news about a loved one in the hours and days following an individual or widespread tragedy, irrespective of whether it was triggered by an act of nature, an act of terrorism, or any other violent, unanticipated, life-taking event. My mind, though, struggles with the idea that HIPAA could actually exacerbate and prolong a family member’s agony.
HIPAA is, generally speaking, intended to protect our privacy when it comes to health status, treatment, or payment and to facilitate appropriate access to our health information. But, as is typical with federal laws intersecting areas historically governed by State law, HIPAA defers to State law in some key respects. For example, if a HIPAA provision is contrary to a similar provision of State law, it preempts State law unless the State law relates to the privacy of individually identifiable health information and is “more stringent” than the comparable HIPAA provision. HIPAA also references “applicable law” in describing who can get information as a personal representative of an individual or act on behalf of a deceased individual.
So what does this mean in the context of family members seeking information about loved ones following the devastating Orlando, Florida night club shooting or following some other violent tragedy?
If a victim is hospitalized and a friend or family member is trying to get information about the victim, HIPAA permits the hospital to share information under the following circumstances:
* A hospital may use protected health information (PHI) to notify or assist in the notification of a family member, personal representative or other person responsible for the patient’s care of the patient’s location, general condition or death
* A hospital can use a facility directory to inform visitors and callers of a patient’s location and general condition
* A hospital can release information as to the victim of a crime in response to law enforcement’s request for such information under certain circumstances, and law enforcement can notify the families
* If the patient is competent, the patient can tell the hospital that it may release all information to their family and friends
* If the patient is not competent to authorize release of information, a “personal representative” (a person authorized under State law to act on behalf of the patient to make health care decisions) can have all information necessary to make decisions. That person can also authorize release of information to others
Sadly, the agony of loved ones seeking information about a patient may be prolonged if they are not viewed as family members or if State law does not recognize the loved one as a “personal representative”. Sure, the federal Department of Health and Human Services (HHS) could amend the HIPAA regulations to deem certain individuals (for example, same-sex partners who are not legally married) to be personal representatives for purposes of access to PHI. [Note: HHS treats legally married same-sex spouses as “family members” under HIPAA — see special topic publication available here.]
However, if the State law does not recognize these certain individuals as personal representatives, perhaps because the State law is “more stringent than” HIPAA in affording the patient greater privacy, HHS might also have to amend its HIPAA preemption regulations.
Hospitals and other health care professionals are constantly called upon to exercise discretion in dealing with requests for PHI from family members and loved ones of patients while complying with HIPAA. HIPAA regulations may need to be modified or perhaps could be “waived” (as described yesterday’s Washington Post article) in some cases, but only when doing so furthers the fundamental HIPAA goals of privacy protection and facilitation of appropriate access.
Because of the enormity of the Orlando tragedy, some State legislatures may be expected to consider whether changes are necessary to promote information sharing in exigent circumstances while preserving the State’s interest in affording patients greater privacy protection than that afforded by HIPAA.