HIPAA and Marriage: Understanding Spouse, Family Member, Marriage, and Personal Representatives in the Privacy Rule
The HIPAA Privacy Rule contains several provisions that recognize the integral role that family members, such as spouses, often play in a patient’s health care. For example, the Privacy Rule allows covered entities to share information about the patient’s care with family members in various circumstances. It also generally requires covered entities to treat an individual’s personal representative, who may be a spouse, as the individual, for purposes such as exercising the individual’s rights under the Privacy Rule, including the right to access the individual’s health information. In addition, the Privacy Rule provides protections against the use of genetic information about an individual, which also includes certain information about family members of the individual, for underwriting purposes.
On June 26, 2013, in United States v. Windsor, the Supreme Court held section 3 of the Defense of Marriage Act (DOMA) to be unconstitutional. Section 3 of DOMA had provided that federal law would recognize only opposite-sex marriages. This decision expanded federal recognition of the rights of individuals in same-sex marriages, but did not resolve the status of such rights under state law. Two years later, on June 26, 2015, in Obergefell v. Hodges, the Court held that the Fourteenth Amendment requires a state to license a marriage between two people of the same sex and to recognize same-sex marriages lawfully performed in other States.
In light of the Windsor and Obergefell decisions, this guidance makes clear that the terms marriage, spouse, and family member include, respectively, all lawful marriages, lawfully married spouses, and both the lawful spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule. This guidance also updates and expands on related guidance issued in September 2014.
Marriage, Spouse, and Family Member
The definition of family member in the Privacy Rule at 45 CFR 160.103 includes the terms spouse and marriage. The term marriage includes all lawful marriages. A lawful marriage is any marriage sanctioned by a state, territory, or a foreign jurisdiction as long as a U.S. jurisdiction would also recognize the marriage performed in the foreign jurisdiction. The term spouse includes all individuals who are in lawful marriages without regard to the sex of the individuals. The term family member includes lawful spouses and dependents of all lawful marriages. In addition, the terms marriage, spouse, and family member apply to all individuals who are legally married, regardless of where they live or receive health care services.
- The definition of a family member is relevant to the application of §164.510(b) regarding permitted uses and disclosures of PHI related to another person’s involvement in an individual’s care, and for making notifications about the individual’s location, general condition, or death. Under certain circumstances, covered entities are permitted to share an individual’s protected health information with a family member of the individual. Legally married spouses are family members for the purposes of applying this provision.
- The definition of a family member is also relevant to the application of §164.502(a)(5)(i) regarding the uses and disclosures of genetic information for underwriting purposes. This provision prohibits health plans, other than issuers of long-term care policies, from using or disclosing genetic information for underwriting purposes. For example, health plans may not use information regarding the genetic tests of a family member of the individual, or the manifestation of a disease or disorder in a family member of the individual, in making underwriting decisions about the individual. This includes the genetic tests of a lawful spouse of the individual, or the manifestation of a disease or disorder in the lawful spouse of the individual.
Subject to limited exceptions, the Privacy Rule at 45 CFR 164.502(g) requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information and for purposes of exercising the individual’s rights under the Privacy Rule. For example, a personal representative of an individual is able to review and obtain a copy of the individual’s medical record or authorize disclosures of protected health information. In determining who is considered a personal representative, and thus able to act on behalf of an individual and exercise the individual’s rights under HIPAA, the Privacy Rule generally looks to state laws governing which persons have authority to act on behalf of an individual in making decisions related to health care.
Under the Privacy Rule, if a state provides legally married spouses with health care decision making authority on behalf of one another, a covered entity is required to recognize the lawful spouse of an individual as the individual’s personal representative without regard to the sex of the spouses.
OCR has issued a FAQ explaining that, under the HIPAA Privacy Rule, disclosures to a loved one who is not married to the patient or is not otherwise recognized as a relative of the patient under applicable law generally are permitted under the same circumstances and conditions as disclosures to a spouse or other person who is recognized as a relative under applicable law. The FAQ, while applicable in a variety of circumstances, was developed in large part to address confusion following the 2016 Orlando nightclub shooting about whether and when hospitals may share protected health information with patients’ loved ones. The FAQ emphasizes that HIPAA does not limit any permitted disclosures based on the sex or gender identity of the recipient of the information. The FAQ may be found at: http://www.hhs.gov/hipaa/for-professionals/faq/2086/does-hipaa-privacy-rule-permit-doctor-discuss-patient-s-health-status.html