December 10, 2017

HIPAA and the Opioid Crisis

On the following day, the HHS Office for Civil Rights (“OCR”) issued guidance on HIPAA and the sharing of patient health information relative to the opioid crisis. The guidance is available on the HHS OCR website.[1] The OCR is the federal agency responsible to investigate civil rights, health information privacy, patient safety confidentiality complaints, and to take related enforcement action.

The OCR announcement of the HIPAA opioid guidance states that the agency is releasing new guidance on how and when healthcare providers can share a patient’s information with family members, friends, and legal personal representatives when the patient may be in crisis and incapacitated, such as during an opioid overdose. It is important for healthcare providers to understand which aspects of the guidance specifically relate to patients who are in crisis and incapacitated (i.e., who do not possess decision-making capacity) and those aspects of the guidance which relate to patients with decision-making capacity. This is important because neither HIPAA nor the OCR’s guidance immunize physicians and other healthcare providers from liability for alleged HIPAA violations when treating patients with opioid related conditions.

The OCR announcement states that “[m]isunderstandings about HIPAA can create obstacles to family support that is crucial to the proper care and treatment of people experiencing a crisis situation, such as an opioid overdose.” The OCR announcement acknowledges that HIPAA permits healthcare providers to share information with a patient’s loved ones in certain emergency or dangerous situations. While the OCR’s guidance reminds healthcare providers that HIPAA does not interfere with state laws or medical ethics rules that are more protective of patient privacy, healthcare providers need to understand that they are legally obligated to comply with any state laws that are more protective of patient privacy than HIPAA.

The OCR’s HIPAA opioid guidance begins by noting that the HIPAA regulations allow health professionals to share health information with a patient’s love ones, friends and caregivers, without the patient’s permission, in emergency or dangerous situations. One example cited is a provider exercising professional judgment to talk to the parents of a patient incapacitated by an opioid overdose about the overdose and related medical information. However, the healthcare provider must determine that doing so is (i) in the best interest of a patient who is incapacitated or unconscious, and (ii) the information shared is directly related to the family or friend’s involvement in the patient’s healthcare or payment for care. Importantly, medical information unrelated to the overdose generally may not be shared in this circumstance without permission.

Another example cited by the OCR, relative to an unconscious or incapacitated patient, is the sharing of healthcare information with persons in a position to prevent or lessen a serious imminent threat to the patient’s health or safety.   The OCR’s example addresses a physician whose patient has overdosed on opioids. The OCR states that such a physician is presumed to have complied with HIPAA if the physician informs family, friends, or caregivers of the opioid abuse after determining, based on the facts and circumstances, that the patient poses a serious and imminent threat to his or her health through continued opioid abuse on discharge. The OCR’s guidance on this point is qualified by the agency’s reminder to healthcare providers that HIPAA continues to require compliance with state laws that are more protective of patient privacy, even in this circumstance.

The second point addressed by the OCR in its guidance is that HIPAA respects individual autonomy by placing certain limitations on sharing health information with family members, friends and others without the patient’s agreement. This statement concerns patients with decision-making capacity. When patients have decision-making capacity, the OCR reminds healthcare providers that they must give a patient the opportunity to agree or object to sharing health information with family, friends, and others involved in the individual’s care or payment for care.   Further to the point, the OCR states that a healthcare provider is not permitted to share health information about patients who currently have decision-making capacity and object to sharing the information, unless there is a serious and imminent threat of harm to health.

The third topic addressed by the OCR is that HIPAA anticipates that a patient’s decision-making capacity may change during the course of treatment. For example, once a patient who was incapacitated or unconscious regains decision-making capacity, a healthcare provider must provide the patient with the opportunity to agree or object before there is any additional sharing of health information. The OCR guidance confirms that if a patient’s capacity returns and the patient objects to future information sharing, the provider may still share information to prevent or lessen a serious and imminent threat to health or safety as described above.

The OCR’s guidance on the third topic ties to guidance previously published by the agency providing that if the patient is present and has the capacity to make decisions, a health care provider may discuss the patient’s health information with a family member, friend, or other person if the patient agrees or, when given the opportunity, does not object.  A health care provider also may share information with these persons if, using professional judgment, he or she decides that the patient does not object.  One example the OCR furnishes in this prior guidance is that an emergency room physician may discuss a patient’s treatment in front of the patient’s friend if the patient asks the friend to come into the treatment room. In either case, the OCR reminds providers that they may share or discuss only the information that the person involved needs to know about the patient’s care or payment for care.

The final point addressed by the OCR in its HIPAA opioid guidance is that HIPAA recognizes a patient’s personal representatives and permits them to request and obtain any information about the patient that that patient could obtain. HIPAA recognizes a patient’s personal representatives in accordance with state law. Examples of personal representatives include parents or legal guardians of unemancipated minors, as well as persons with medical decision-making authority for another under a durable power of attorney for healthcare or similar surrogate decision-making authority recognized by state law.

In conclusion, it is important and appropriate for the OCR to continue to educate healthcare providers and to clear the air of misconceptions over HIPAA, particularly in relation to national public health emergencies. The government’s HIPAA opioid guidance acknowledges that misunderstanding over HIPAA’s complex and technical rules persist. While the agency’s guidance should be helpful to healthcare providers, the OCR unfortunately failed to go to the next step and affirmatively address its enforcement policies and practices when it is alleged that health care professionals treating patients for conditions involving opioids have violated HIPAA.

[1] – PDF


Practice Areas

Health Care Law