There has been confusion regarding HIPAA Rules on sharing patient information to others in case of opioid overdose. The U.S. Department of Health and Human Services’ Office for Civil Rights wanted to clarify the issues to ensure that healthcare providers are doing what is right. According to the HIPAA Privacy Rule, healthcare providers are allowed to share limited PHI during emergency situations, such as when natural disasters and drug overdoses occur, if doing so will help avoid or reduce serious threat to patient’s life.
The HIPAA Privacy Rule is often misunderstood by healthcare providers. Many believe that they need to ask permission from the patient first before disclosing any PHI to his loved ones or caregivers. This is not so at all times. When a patient suffers from drug overdose or any life-threatening situations, the healthcare provider may share limited PHI to his loved ones without asking permission from the patient.
In case of opioid overdose, here’s the guiding principle for deciding whether the healthcare provider can share PHI or not with the patient’s family and friends:
- When the patient is unconscious or incapacitated, the healthcare provider may decide to share with loved ones limited PHI if he deems it necessary for the patient’s best interests. Only directly related information to patient care or payment of care can be shared. Sharing of other information needs permission from the patient first.
- Sharing information about continued use of opioid after discharge, for example, is allowed if it will reduce serious threat to patient’s health.
- If the patient is conscious or not incapacitated and can make his own decisions, the healthcare provider must allow the patient to decide whether to disclose the overdose to family, friends and caregivers. If sharing of information is denied by the patient, healthcare providers cannot share the information unless there is serious threat to patient’s health.
- If the patient is just temporarily incapacitated and can make decisions after recovering from the treatment, it is up to the healthcare provider to determine whether to share PHI and how much. When the patient becomes conscious, the healthcare provider must get permission first before disclosing any healthcare data.
- With regards to the governing state laws or medical ethics rules that protect patient privacy, OCR states that these rules apply without conflicting with the HIPAA Rules.