The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a reminder to its listserv subscribers following the Las Vegas Strip shooting on October 1, 2017, that HIPAA covered entities are permitted to share patient protected health information (PHI) under the HIPAA Privacy Rule to carry out specific purposes and under certain circumstances.

For most disclosures, however, a covered entity must make reasonable efforts to limit the information disclosed to that which is minimally necessary to accomplish the purpose. Per OCR’s reminder, covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose.

The following is a summary of OCR’s reminder and the uses and disclosures available under 45 C.F.R. §164.510.

Disclosure to Family, Friends, and Others Involved in an Individual’s Care and for Notification

  1. The Privacy Rule permits covered entities to share PHI with a patient’s family, relatives, close friends, or other persons identified by the patient as involved in the patient’s care in the following situations:
    • If a patient is present for, or otherwise available prior to, this permitted use or disclosure and has the capacity to make health care decisions:
      • A covered entity may use or disclose the PHI if it (1) obtains the patient’s consent, (2) provides the patient with the opportunity to object to the disclosure and the patient does not object, or (3) reasonably infers from the circumstances, based on professional judgment, that the patient does not object to such disclosure.
    • If a patient is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the patient’s incapacity or an emergency circumstance:
      • A covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interest of the patient and, if so, disclose only the PHI that is directly relevant to the person’s involvement with the patient’s care related to the patient’s health care or needed for notification purposes.
    • If a patient is deceased:
      • A covered entity may disclose PHI to those persons described above who were involved in the patient’s care prior to the patient’s death so long as such disclosure is relevant to such person’s involvement, unless doing so is inconsistent with any prior expressed patient preference known to the covered entity.
  2. Covered entities may also share PHI as necessary to identify, locate, and notify, or assist in the notification of, family, personal representatives, or anyone else responsible for the patient’s care regarding the patient’s location, general condition, or death.
    • In addition to the requirements described in (1) above, a covered entity may disclose PHI to a public or private entity authorized by law or its charter to assist in disaster relief efforts. Such disclosures must follow the aforementioned requirements to the extent that a covered entity, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances.

More information for individuals, family, and friends is available at:

OCR offers health care professionals FAQs on Disclosures to Friends and Family Members at:

Disclosures to Media or Others Not Involved in the Care of the Patient/Notification

Except when a patient objects in advance, a covered entity may release limited facility directory information to persons who request such information about a patient by name. The information is limited to:

  1. The patient’s name;
  2. The patient’s location in the covered entity’s facility; and
  3. The patient’s condition described in general terms that does not communicate specific medical information about the individual (e.g., the patient is critical or stable, deceased, or treated and released, etc.).

OCR offers an FAQ on disclosures to the media at:

If you have any questions about these uses and disclosures or HIPAA compliance more generally, please feel free to contact any member of Drinker Biddle’s Health Care Team or Information, Privacy, Security and Governance Team.