HIPAA does not apply to spouses and common law partners in a way that means they have to safeguard Protected Health Information shared with them by a healthcare professional. However, the HIPAA Privacy Rule stipulates when it is permissible for a healthcare professional to disclose a patient’s health information to a spouse, partner, or other family member.
In many cases, healthcare professionals need to know does HIPAA apply to spouses and common law partners to be sure they are not violating HIPAA by impermissibly disclosing PHI when a spouse or partner accompanies a patient to an appointment. The answer to this question can be found in §164.510 of the HIPAA Privacy Rule – “Uses and Disclosures Requiring an Opportunity for the Individual to Agree or Object”.
Under the section of this subpart entitled “Disclosures for Involvement in the Individual’s Care”, the HIPAA Privacy Rule allows disclosures of PHI with the patient present if the healthcare professional either obtains the patient’s agreement, provides the patient with an opportunity to object that the patient does not take advantage of, or can reasonably infer from the circumstances that the patient does not object.
If the patient is not present – for example, because they are incapacitated – healthcare providers can use their professional judgement and experience to determine if it is in the patient’s best interests to disclose PHI to a spouse or partner. In this scenario, a healthcare provider is only permitted to disclose PHI that is directly relevant to the patient’s care, payment for the care, or for notification purposes.
Other Scenarios in Which Disclosures are Permitted
Other scenarios in which disclosures of PHI to spouses and common law partners are permitted include when a patient has died and when a spouse or partner has medical power of attorney on behalf of a patient. However, in both circumstances, healthcare providers can refuse to disclose PHI if the disclosure is contrary to any previously expressed instruction or if the disclosure is not considered to be in the patient’s best interests.
Healthcare providers are also permitted to use their professional judgement and experience to disclose PHI to spouses and partners if the disclosure will “avert a serious threat to health and safety” (§164.512(j)). In this scenario, the disclosure of PHI is only permissible under certain circumstances, and must be consistent with applicable laws and ethical standards. For example, removing the patient’s children from the family home for safety reasons.
With regards to verifying the identity of a spouse or partner before disclosing PHI, §164.514(h) of the Privacy Rule excludes disclosures permitted by §164.510 and §164.512(j) from the verification requirements. However, healthcare providers can, if they wish, require proof of identity before disclosing PHI to any individual claiming to be a patient’s spouse, partner, or family member with medical power of attorney.
Incidental Disclosures of PHI to Spouses and Partners
In certain circumstances, PHI relating to a patient’s health condition – or treatment for the condition – may be maintained in a spouse’s designated record set – for example, if one partner is at risk from experiencing an allergic reaction to the other partner’s medication. In such cases, one partner would be able to see some of their partner’s PHI when they exercise their HIPAA right to access and review PHI maintained by a healthcare provider.
Disclosures of this nature are defined as incidental disclosures and are permitted by the Privacy Rule (§164.502(a)(iii)). Nonetheless, healthcare providers are advised to exercise caution with regards to what information relating to spouses, partners, and other family members is included in a patient’s designated record set in order to avoid unjustified privacy complaints being escalated to HHS’ Office for Civil Rights.
Determining when does HIPAA apply to spouses’ designated record sets is further complicated by the new “attestation standards” relating to reproductive health (§164.509). Healthcare providers concerned about complying with the new attestation standards, or with further questions about when does HIPAA apply to spouses and common law partners, are advised to seek HIPAA compliance guidance.