Federal and State Guidance on HIPAA Privacy for Same-Sex Spouses

HHS’ Office for Civil Rights (OCR) issued a statement providing HIPAA guidance for covered entities: they must treat persons in lawful same-sex marriages in the same manner they treat persons in other marital relationships.

OCR’s statement follows the U.S. Supreme Court decision in U.S. v. Windsor, which held Section Three of the Defense of Marriage Act unconstitutional. The Windsor opinion itself does not address HIPAA; it is OCR’s guidance that draws the consequence, stating that “covered entities must consider the following law regarding lawfully married same-sex spouses and same-sex marriage.”

OCR’s guidance then turns to the HIPAA privacy rule and affirms that, where the rule permits a covered entity to share an individual’s health information with a family member (for example, a spouse involved in the individual’s care or payment for care), the terms “spouse” and “marriage” include a lawfully married same-sex spouse, regardless of the state in which the individual lives or receives care.

OCR is expected to release more information in the upcoming months, through further guidance or rulemaking, on how the HIPAA privacy rule’s definitions of “spouse” and “marriage” apply to same-sex marriages.

HIPAA Audits As an Enforcement Tool

OCR has announced that HIPAA audits are coming and are planned as an “enforcement tool.” The anticipated audits will cover both covered entities and their business associates. The goal of the audit program is to assess whether health care organizations and their contractors are complying with the privacy and security rules that protect patient health care data.

After a round of pilot audits in 2012, OCR said it was planning to begin a permanent audit program in 2014. The audits are resource-intensive, and OCR continues to request more staffing from Congress. No start date for the audits has been announced.

Business Associate Agreements Must Be Updated

The Department of Health and Human Services (HHS) published its final rule (the HIPAA Omnibus Rule) revising the HIPAA regulations, including the requirements for business associate agreements. The final rule increased the privacy and security responsibilities of “business associates,” who are now directly liable for compliance with applicable provisions of the rules.

Business associate agreements that were in place and compliant with the HIPAA privacy rule before January 25, 2013, were grandfathered until September 23, 2014, unless they were renewed or modified earlier, in which case they had to be brought into compliance at that time. That transition period has ended, so all provider business associate agreements should be updated now if they have not been already.