August 26, 2015
Protecting access to patient information is a critical obligation for every practice, and one with significant ramifications for failure: monetary, reputational and punitive. In the aftermath of Windsor, the recent same-sex marriage decision, the Office for Civil Rights issued a Special Topic bulletin clarifying that "spouse" includes a same-sex spouse and expanding the definition of "family member" - 

At 45 CFR 160.103, the Privacy Rule includes the terms spouse and marriage in the definition of family member. Consistent with the Windsor decision, the term spouse includes individuals who are in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction (as long as, as to marriages performed in a foreign jurisdiction, a U.S. jurisdiction would also recognize the marriage). The term marriage includes both same-sex and opposite-sex marriages, and family member includes dependents of those marriages. All of these terms apply to individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.

Of course, the clarification above followed from the recent same-sex marriage decisions. The next obvious question when discussing HIPAA-related disclosures (in my mind at least) is: how do we confirm a familial relationship? According to HIPAA, you do not have an obligation to - 

If a patient's family member, friend, or other person involved in the patient's care or payment for care calls a health care provider to ask about the patient's condition, does HIPAA require the health care provider to obtain proof of who the person is before speaking with them?

No. If the caller states that he or she is a family member or friend of the patient, or is involved in the patient's care or payment for care, then HIPAA doesn't require proof of identity in this case. However, a health care provider may establish his or her own rules for verifying who is on the phone. In addition, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.

Now, the issue I have with the above is this: if a disclosure is made to a "family member" without confirmation and the practice is reported, you can be sure that a "breach" will potentially be leveled against you. Despite OCR's reassurance that you do not have to confirm identity, I strongly urge you to abide by your Red Flags Rule protocol and confirm both relationship and identity before divulging anything.


Have a question or comment for Jennifer?
Contact Jennifer at or  at (516) 747-6700 x. 302.