When Can HIPAA be Waived?



By Gene Fry

In light of the recent Florida tragedy, the news was filled with reports surrounding the topic of patient privacy, and in particular, whether or not HIPAA was waived in an attempt to help people find out information about their loved ones. While many sources reported that Orlando Mayor Buddy Dyer had contacted the White House to waive HIPAA, the U.S. Department of Health and Human Services (HHS) later confirmed that this was not required. Understandably, this led to confusion about when a patient’s health information can be disclosed, and to whom.

The law states that it is possible to disclose a patient’s health information if it is determined to be in their best interest. By doing so, it is possible to help identify incapacitated patients and locate their next of kin.

Those working in the healthcare industry will be well aware that releasing a patient’s medical information without consent can have serious repercussions, but sometimes a failure to disclose such information to friends and family can carry more severe consequences.

One such case was that of Sean Meyers, who was admitted to the ER at Inova Fairfax Hospital following a car accident. Despite his condition, hospital staff would only disclose the very bare minimum of information to his parents. In the next ten days, Sean remained in the hospital but there was still no real communication established between the staff and his parents about his condition or care.

Sean was discharged to recover at home, but a week later he sadly passed away due to a heart problem and blood clots. His parents are exceptionally heartbroken, as they feel that it may have been possible to save his life had hospital staff spoken to them. Sean’s family has a history of blood clots – this vital information could have prevented his death, had his condition and care been discussed with his next of kin.

Although this case demonstrates how damaging it can be to withhold health information from a patient’s next of kin, it seems that more hospitals and healthcare providers are becoming increasingly reluctant to communicate effectively with patients’ family and friends, for fear of violating HIPAA’s increasingly stringent rules.

The fear of huge financial penalties, legal action and reputational damage is compounded further when authoritative industry figures advise others to err on the side of caution. Jane Hyatt Thorpe, Associate Professor at George Washington University’s department of health policy, says: “For healthcare providers that are uncertain about the information they may or may not share, the easiest and safest route is often to just say no”.

Information may not be shared either because medical staff have withheld details, or patients themselves have chosen to restrict who can access their medical information. However, the law can be fairly lenient regarding the disclosure of information to a patient’s family members in certain circumstances.

Despite the conflicting messages, a health provider may disclose details of a patient to family and friends at their own discretion, without breaching HIPAA rules, provided one of the following applies:

  • the person/s requesting information are involved in the individual’s health care or payment of the health care;
  • the patient tells the provider or plan that it can do so;
  • the patient does not object to the sharing of their information;
  • when using professional judgment, the provider believes it is in the best interest of the patient.

There could, however, come a time where an individual becomes legally, or otherwise, incapable of exercising their rights. In these circumstances, HHS suggests that an individual designates another person to act on their behalf with regard to their rights. This person is referred to as the ‘personal representative’.

But it can get confusing when an individual has not stated that they wish to waive the protection offered by HIPAA, a waiver that would allow the specifically designated “personal representative” to gain access to their otherwise private health information. Should a family member attempt to bypass HIPAA rules through the use of an attorney, usually in the event of a medical emergency, the patient must have already outlined in their power of attorney for healthcare that they give permission for their medical information to be released. As healthcare providers are not required to disclose an individual’s information to their family and friends unless they have been assigned as a personal representative, individuals may want to consider carrying a signed document that authorizes health care providers to disclose and discuss their information with a personal representative.

The bottom line is, HIPAA can be a minefield, and healthcare professionals should still think twice before sharing PHI.


Gene Fry is the compliance officer and vice president of technology at Scrypt. He joined Scrypt in October 2001 and has 25 years of IT experience, working in industries such as healthcare and for companies based in the U.S. and Latin America. He is a Certified HIPAA professional (CHP) through the Management and Strategy Institute. In addition, he is certified as a HIPAA Privacy and Security by the American Health Information Management Association and as an Electronic Health Record Specialist Certification (CEHRS) through the National Health Career Association, and he holds a Gramm-Leach Bliley Act (GLBA) certification from BridgeFront and J.J Kellers.


  1. Gene, another aspect of waiver – an article I’m working on – is providers who make the patient sign a ‘contract’ wherein the patient waives a HIPAA right, e.g., psychologists who perform an evaluation for 3rd parties, and want to prevent the patient from obtaining a copy of the records.

  2. Mr. Fry, would you mind letting us know where the exceptions are notated in the actual HIPAA law?

    I read many references to this exception – even on the NAMI & HHS site – it is not clear where this is cited, however it is mentioned in numerous websites as an allowable exception per the provider’s discretion if the patient is deemed not capable of making decisions for their own healthcare.

    I’m sure that many families of schizophrenic/schizoaffective/bipolar disorder adult patients can use the specific citation regarding this exception to officially notice providers that this is an allowable override to a patient’s non-consent. It is very frustrating for family members, who have a wealth of healthcare information on the related patient, to be shut out of the treatment services due to a misunderstanding of HIPAA laws, especially when their loved one is in crisis repeatedly, suicidal, and sometimes hostile due to delusions.

    I found an NPR Article that said it best what the families of mentally ill patients go through: When someone has cancer, you can make the assumption that their brain is working normally so that they can make an informed decision as to whether or not they want their loved ones to know exactly what the details of the cancer are. You can’t make that assumption about people with schizophrenia or bipolar disorder.

    This may be an appropriate reason for providers to assess capable decision making on the patient’s part, and open the door to family members who have a stake in the well-being of their family member who is mentally ill with valuable treatment contributions.

    Providers are trained to have “canned” HIPAA responses and in most cases, shut down family members at the gate. Families can request an override by the primary service provider, but it helps if they can cite the actual law/standard when seeking to be informed/involved, thus include this in their requests for an override.

    Thanks, Dianne Brewer OKC

  3. Hi! I’m a client with Asperger’s and a stroke survivor who had to relearn to talk after pretty total aphasia.

    My social worker’s supervisor has told her that she may not communicate with me in email, only by phone.

    I am a computer security professional, retired. I can tell you many ways a cell phone conversation could be made insecure unless it is made with an encrypted VOIP client. But unless I use an encrypted email client (and email can not be secured by any means) I can’t communicate with her in text, and there’s not a “secure” compliant email system available.

    I have told her it’s a reasonable accommodation and I am willing to sign a waiver or MOU saying I understand these communications can’t be guaranteed private.

    In my career I was not only the manager of IT for research radiology at a major teaching hospital, but the founding executive director of The Tor Project. I was once acclaimed as one of the top 20 privacy advocates in the world.

    But privacy is never absolute and should serve the informed consent of the individual.

    How can this thorny law and the ADA both live in harmony?

  4. Suppose I have a serious illness. I then consent for my doctor to release that fact to the public. In a statement, signed by the doctor, he mentions that he is releasing my information with my full consent. Have I waived my rights under HIPAA for a third party to request the details of my ailment: When did I contract the illness? Am I in remission? Am I still contagious? Etc.
