Clarification on HIPAA Rules on Sharing Patient Information on Opioid Overdoses Issued by OCR

Patient Information

The confusion about HIPAA Rules on sharing patient information on opioid overdoses has been clarified by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).

The HIPAA Privacy Rule allows healthcare groups to share limited PHI in specific cases of emergency and danger. Those situations include emergencies like natural disasters and during drug overdoses, if sharing data can stop or minimize a serious and imminent threat to a patient’s health or safety.

Some healthcare groups have misunderstood the HIPAA Privacy Rule provisions, and believe authorization to disclose information to the patient’s loved ones or caregivers must be recieved from the patient before any PHI can be shared.

In an emergency or crisis situation, such as during a drug overdose, healthcare providers are allowed to distribute limited PHI with a patient’s loved ones and caregivers without authorization first having been obtained from the patient.

When an opioid overdose occurs, healthcare providers can share health information with the patient’s family members, close friends, and caregivers if:

  • The healthcare provider decides, based on professional judgement, that sharing details about an incapacitated or unconscious patient is in the best interests of that patient, provided the information shared is restricted to that directly related to the individual’s involvement in the patient’s care or payment of treatment. Information on the overdose can be accessed, but not unrelated health information unless permission has been given.
  • Informing the above people would assist in stopping or lessen a serious threat to the patient’s health and safety – such as continued opioid abuse on discharge.

In instances when a patient is not unconscious or incapacitated and has decision-making capability, healthcare providers must give the patient the opportunity to refuse the disclosure of their overdose to family members, close friends, caregivers, or individuals involved in the payment for treatment. If a patient has decision making capability, or if authorization to share the information is refused, healthcare providers cannot share information unless “there is a serious and imminent threat of harm to health.”

There will be instances when a patient is only incapacitated briefly, and their decision-making capability will reutrn during the course of treatment. In such cases, it is left at the discretion of the healthcare provider whether health information is shared while the patient is incapacitated, the type of data that is shared, and how much of it. When the patient return to full capacities and decision-making capability, permission must then be received before any further disclosures of health information are given

OCR also points to the fact that it is not only HIPAA Rules that may apply in such a scenario, outlining “HIPAA does not interfere with state laws or medical ethics rules that are more protective of patient privacy.”