OCR Guidance: SCOTUS Ruling Extends HIPAA Provisions to All Married Couples
Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1
source of timely news and business strategies for safeguarding patient privacy
and data security.
October 2014Volume
14Issue 10
Since the U.S. Supreme Court ruled in
June 2013 that the portion of the federal law defining “marriage” as a legal
union between a man and a woman was unconstitutional, federal agencies have
been reviewing their regulations to see which may need to be altered to grant
certain rights to married gay couples.
Last month, the HHS Office for Civil
Rights (OCR) issued guidance clarifying that, as a result of Windsor v.
United States, the definition of “marriage,” “family” and “dependent” in
the privacy rule was expanded to include same-sex couples who are legally
married.
Given the ruling on the Defense of
Marriage Act, these terms “apply to all individuals who are legally married,
whether or not they live or receive services in a jurisdiction that recognizes
their marriage,” according to the OCR guidance, which was published on Sept.
17.
This expansion is particularly relevant
as it means even states that do not recognize gay marriage must ensure they
honor all HIPAA protections associated with these terms. This can be an issue
particularly for HIPAA covered entities in states that do not permit gay
marriage that draw patients from other states. These include Virginia,
Oklahoma, Utah, Indiana, and Wisconsin.
As the guidance states, “[c]onsistent
with the Windsor decision, the term ‘spouse’ includes individuals who
are in a legally valid same-sex marriage sanctioned by a state, territory, or
foreign jurisdiction (as long as, as to marriages performed in a foreign
jurisdiction, a U.S. jurisdiction would also recognize the marriage). The term
‘marriage’ includes both same-sex and opposite-sex marriages, and ‘family
member’ includes dependents of those marriages.”
Rights Are Not New
The guidance cites two mentions in the
privacy rule where these definitions are relevant, although in practice, CEs
may encounter other circumstances. These are §164.510(b), Standard: Uses and
disclosures for involvement in the individual’s care and notification purposes;
and §164.502(a)(5)(i), Use and disclosure of genetic information for
underwriting purposes.
These rights also should not be new, at
least when it comes to hospital visitation. On Nov. 29, 2010, HHS published a
final rule amending conditions for hospital participation in Medicaid and
Medicare programs that mandate that they, among other requirements, “inform
each patient (or support person, where appropriate) of the right, subject to
his or her consent, to receive the visitors whom he or she designates,
including, but not limited to, a spouse, a domestic partner (including a
same-sex domestic partner), another family member, or a friend, and his or her
right to withdraw or deny such consent at any time.”
They also must not “restrict, limit, or
otherwise deny visitation privileges on the basis of race, color, national
origin, religion, sex, gender identity, sexual orientation, or disability.”
(See https://federalregister.gov/a/2010-29194.)
Marriage Is Marriage
Joseph Lazzarotti, a shareholder in the
Morristown, N.J., office of Jackson Lewis P.C. and part of its privacy,
e-communication and data security practice, tells RPP there’s danger in
CEs taking the guidance too literally.
What CEs shouldn’t do, he says, is
start asking couples who say they are married for a copy of a certificate to
prove the union is legal and double checking what state they were married in.
In a fast-paced health care setting, “you can’t make those determinations and
run your business,” he says. CEs need to ensure that they, or members of their
workforce, are not “all of a sudden putting up barriers” related to same-sex
couples and spouses following the issuance of this guidance.
Any CE whose workers treat married
heterosexual couples differently from gay couples are opening themselves up to
claims of discrimination, says Lazzarotti, who blogs at www.workplaceprivacyreport.com.
Another difficulty for CEs is keeping
up with the legal status of gay marriage across the country. State bans on gay
marriage are overturned and appealed on a regular basis, as happened in Florida
in August. The state’s ban on gay marriage, approved in 2008, has been upheld
in some parts of the state and not others. The Florida Supreme Court is now
being asked to consider taking a case on this topic.
The issue won’t be decided for certain
until the U.S. Supreme Court acts in another gay marriage suit; currently seven
cases are pending before it. Until then, “it really is a mess,” Lazzarotti
tells RPP.
Close Personal Friends Are Permitted
He recommends that HIPAA officials at
CEs “go through the organization and ask, ‘How does this work in our
organization?’” CEs that handle more sensitive information, such as substance
abuse treatment or HIV records, may face more complicated scenarios for the
release of information.
“I don’t want to say nothing would
change” as a result of the guidance, Lazzarotti says. But, he adds, “it really
is based a lot on circumstances. What I would say is it’s probably a good
opportunity for health providers” to review and formalize how they release
information to marriage partners and family members.
If staff members aren’t sure whether an
individual is a legal spouse, they should remember that the privacy rule at 45
CFR 164.510(b), which refers to family members, also allows them to share
information with another category of individuals — that of “close personal
friends.”
As OCR explained in a frequently asked
question in 2006, the rule allows CEs to “disclose to a family member,
relative, or close personal friend of the individual, the protected health
information directly relevant to that person’s involvement with the
individual’s care or payment for care. A covered entity also may make these
disclosures to persons who are not family members, relatives, or close personal
friends of the individual, provided the covered entity has reasonable assurance
that the person has been identified by the individual as being involved in his
or her care or payment.” (See www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_to_friends_and_family/1067....)
Check Your Policies Now
David Holtzman, vice president of
compliance for the consulting firm CynergisTek, Inc., recommends that CEs go
through their policies and procedures to see if they mention spouses, family
members and dependents and see if they conform with the guidance.
The guidance serves to make clear that
“the term spouse and family member take on a very broad meaning,” he adds. “If
you have a policy that [defines] family members or spouses in a state that does
not recognize same-sex marriages, this will impact you.”
Following the Windsor ruling,
CEs “have an obligation to treat folks in accordance with the guidance,”
Holtzman says.
He notes that although the guidance
does not list a date for compliance, CEs should take actions as appropriate
sooner rather than later, as patients or spouses could complain to OCR if they
were denied access or other guaranteed rights.
Compliance Is Now a Little Less Gray
Reece Hirsch, a partner with Morgan,
Lewis & Bockius LLP in San Francisco, says the guidance makes a gray area
of compliance a little less gray. He thinks the guidance may result in some
“tweaks” to the existing standard operating procedures of covered entities.
The guidance “removes any ambiguity”
about whether CEs in states where gay marriage isn’t legal must recognize gay
marriages performed in other states, he says. The guidance makes clear that
they must.
Like Lazzarotti, Hirsch says CEs need
not get caught up in definitions, particularly if they have other ways of
verifying the patients’ relationships. He notes as well that the privacy rule
grants covered entities a lot of latitude to exercise their “professional
judgment” in these matters.
Personal Rep Guidance Is Coming
CEs will want to remain alert for more
guidance — or perhaps rulemaking — stemming from Windsor, and they may
again need to adjust their policies and procedures, this time relating to
personal representatives.
“In the coming months, OCR intends to
issue additional clarifications through guidance or to initiate rulemaking to
address same-sex spouses as personal representatives under the Privacy Rule,”
the guidance states.
Holtzman says CEs can take a look at
their personal representative’s policies now and see how they might be changed
in light of Windsor, although he adds the caution that this area of
HIPAA compliance is complicated by varying state laws that also must be
considered.
No comments:
Post a Comment