
HHS Guidance on Same-sex Marriage and HIPAA Privacy Compliance

The guidance states that the terms “spouse,” “marriage” and “family member” apply to individuals who are legally married, whether or not they live in a jurisdiction that recognizes their marriage.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance in September 2014 regarding the HIPAA Privacy Rule. This guidance explains how the 2013 Supreme Court decision regarding the Defense of Marriage Act (DOMA) affects certain provisions under the HIPAA Privacy Rule.

The HIPAA Privacy Rule contains provisions that recognize the role that family members, such as spouses, can play in patients’ health care. For example, the HIPAA Privacy Rule allows covered entities to share information about patients’ care with family members in various circumstances.

In addition, the HIPAA Privacy Rule provides protections against the use of genetic information about an individual, which includes certain information about family members of the individual, for underwriting purposes.

The recent OCR guidance clarifies that, under the Privacy Rule, the term:

  • “Spouse” includes both same-sex and opposite-sex individuals who are legally married
  • “Marriage” includes both same-sex and opposite-sex marriages
  • “Family member” includes dependents of those marriages

The guidance states that all of these terms apply to individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.

Background

In United States v. Windsor, the Supreme Court held Section 3 of DOMA to be unconstitutional. Section 3 of DOMA had provided that federal law would recognize only opposite-sex marriages.

The HIPAA Privacy Rule includes the terms “spouse” and “marriage” in the definition of “family member.” Consistent with the Windsor decision, the term “spouse” includes individuals who are in a legally valid same-sex marriage sanctioned by a state, territory or foreign jurisdiction (as long as a U.S. jurisdiction would also recognize the marriage).

The term “marriage” includes both same-sex and opposite-sex marriages, and “family member” includes dependents of those marriages. All of these terms apply to individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.

Affected HIPAA Privacy Rule Provisions

Covered entities and business associates must consider this guidance regarding their uses and disclosures of protected health information:

Uses and disclosures for involvement in the individual’s care and notification purposes 

Under certain circumstances, covered entities are permitted to share an individual’s protected health information with a family member of the individual.

According to the OCR guidance, legally married same-sex spouses, regardless of where they live, are family members for these purposes.

Use and disclosure of genetic information for underwriting purposes

The Privacy Rule prohibits health plans, other than issuers of long-term care policies, from using or disclosing genetic information for underwriting purposes. For example, these plans may not use information regarding the genetic tests of a family member of the individual, or the manifestation of a disease or disorder in a family member of the individual, in making underwriting decisions about the individual. This includes the genetic tests of a same-sex spouse of the individual, or the manifestation of a disease or disorder in the same-sex spouse of the individual.

Future Guidance

OCR intends to issue additional clarifications through guidance or to initiate rulemaking to address same-sex spouses as personal representatives under the Privacy Rule.
