HIPAA mandates the protection of patient health information (PHI), and while incapacitated patients may not be able to provide consent themselves, there are mechanisms to ensure their information remains secure.
The “best interest” standard
One of the guiding principles in these cases is the concept of "best interest." HIPAA regulations allow for sharing information with those close to the patient if it’s deemed necessary for the patient’s care. As a healthcare provider, you must assess the situation and determine whether the disclosure will support the patient’s well-being.
As the Centers for Medicare & Medicaid Services (CMS) emphasizes, HIPAA allows healthcare providers to "share information about an incapacitated patient if you believe it’s in your patient’s best interest," which enables healthcare providers to make informed decisions about when and how to share PHI in a way that maximizes care and minimizes harm.
Who can access an incapacitated patient’s health information?
When a patient becomes incapacitated, healthcare providers must know who can legally access their health information. Under HIPAA, the following individuals are typically authorized to receive or discuss a patient’s medical data:
- Legal guardians: If the patient has a legally appointed guardian, they can make healthcare decisions and access the patient’s health information.
- Medical power of attorney (POA) holders: A person holding a medical POA has the right to make decisions for the patient, including accessing their health records to ensure appropriate care.
- Family members or friends: In situations where the patient is incapacitated, healthcare providers may disclose information to family or close friends involved in the patient’s care. However, this is only permitted when the provider believes it’s in the best interest of the patient, and the patient has not objected to such disclosures when they were able to communicate.
See also: HIPAA Compliant Email: The Definitive Guide
Navigating emergencies
HIPAA provides flexibility in emergencies when a patient is incapacitated and no legal representative is immediately available. Providers can share health information necessary to prevent harm to the patient or others involved, even without prior consent. However, the disclosure should always be limited to what is necessary to address the emergency.
For instance, in an urgent care scenario, medical professionals may need to consult with family members or other individuals who are familiar with the patient’s medical history. HIPAA allows this, provided the information shared is related to the patient’s immediate health needs.
Learn more: Understanding permissible disclosures in an emergency
FAQs
How do I determine if sharing information is in the patient’s best interest?
Healthcare providers should consider factors like the patient’s immediate care needs, the role of the individual requesting the information, and whether the disclosure will improve the patient’s health or safety. When in doubt, consult with a compliance officer or legal counsel.
What documentation is required when sharing PHI for an incapacitated patient?
To maintain a record of HIPAA compliance, providers should document the following:
- The reason for the disclosure.
- Who the information was shared with.
- The specific information that was disclosed.
- Any legal or ethical justification for the decision.
Tshedimoso Makhene
