Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) permits covered entities to share with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, the information directly relevant to the involvement of that person in the patient’s care or payment for health care. In addition, HIPAA allows a covered entity to disclose information about a patient as necessary to notify, or assist in the notification of (including by helping to identify or locate), such a person of the patient’s location, general condition, or death. In either circumstance, the person can be a patient’s family member, relative, guardian, caregiver, friend, spouse, or partner. The Privacy Rule defers to a covered entity’s professional judgment in these cases and does not require the entity to verify that a person is a family member, friend, or otherwise involved in the patient’s care or payment for care.
HIPAA permits a covered entity to share PHI with anyone from the list of potential recipients, subject to the conditions included at 45 CFR 164.510(b) and described below. Moreover, the list of potential recipients of PHI under 45 CFR 164.510(b) is in no way limited or impacted by the sex or gender identity of either the patient or the potential recipient.
When making disclosures to the persons listed under 45 CFR 164.510(b), a covered entity should get verbal permission from the patient when possible, or otherwise be able to reasonably infer that the patient does not object to the disclosure, before disclosing information to these persons. If the patient is incapacitated or not available, a covered entity may share information when, in its professional judgment, doing so is in the patient’s best interest. Finally, if the individual is deceased, a covered entity may share information with a person who was involved in the individual’s care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.
In contrast to the permitted disclosures described above, there are circumstances in which a covered entity is required to disclose information to a family member or other person involved in an individual’s care. Specifically, in some cases, a spouse, partner, or other person involved in a patient’s care will be the patient’s personal representative and thus generally have the authority to exercise the patient’s rights under the HIPAA Privacy Rule on the patient’s behalf, such as the right to access medical and other health records as provided at 45 CFR 164.524(a). A covered entity must treat all personal representatives as the individual for purposes of the Privacy Rule, in accordance with 45 CFR 164.502(g). This means a covered entity may not deny a personal representative, as defined in 45 CFR 164.502(g), the rights afforded to the personal representative under 45 CFR 164.502(g) of the Privacy Rule for any reason, including because of the sex or gender identity of the personal representative. For example, if a state grants legally married spouses health care decision-making authority for each other, such that legally married spouses are personal representatives under 45 CFR 164.502(g), the legally married spouse is the patient’s personal representative and a covered entity must provide the spouse access to the patient’s records. In this example, a covered entity that does not provide a patient’s lawful spouse with access because of the sex of the spouses would be in violation of the Privacy Rule. Similarly, if a person has been granted a legal health care power of attorney for an individual that grants the person the authority to make health care decisions for the individual in a state, that person satisfies the definition of personal representative and a covered entity in that state that denies the person personal representative status because of the gender identity of the person would be in violation of the Privacy Rule.