When the U.S. Supreme Court decided United States v. Windsor, it declared section 3 of the Defense of Marriage Act (DOMA) to be unconstitutional. For many companies, the decision meant changes to certain of their employee benefit plans, as well as the tax treatment of employee contributions for same sex spouses. However, declaring section 3 of DOMA unconstitutional reached well beyond ERISA-covered benefit plans, changing the applciation of many federal laws, including the HIPAA Privacy Rule. Today, the Office for Civil Rights (OCR) provided guidance concerning Windsor’s application to the HIPAA Privacy Rule.
Under the HIPAA Privacy Rule, covered entities can share information about a patient’s care with the patient’s family members in various circumstances – those family members include spouses. In addition, the Privacy Rule provides protections against the use of genetic information about an individual. Genetic information includes certain information about family members (including, spouses) of the individual.
Based on the holding in Windsor, when the Privacy Rule uses the terms “spouse” and “marriage,” such as at 45 CFR 160.103 (definition of family member), lawful same-sex spouses have to be included. More specifically, the term “spouse” includes individuals who are in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction (as long as, as to marriages performed in a foreign jurisdiction, a U.S. jurisdiction would also recognize the marriage). The term “marriage” includes both same-sex and opposite-sex marriages, and family member includes dependents of those marriages. All of these terms apply to individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.
The OCR guidance clarifies, for example, that in connection with the standard concerning uses and disclosures to those involved in an individual’s care (45 CFR §164.510(b)), in cases where covered entities are permitted to share an individual’s protected health information with a family member of the individual, family member includes legally married same-sex spouses, regardless of where they live.
Covered entities and business associates should review their practices and alert their workforce members of this development. OCR intends to issue additional clarifications through guidance or rulemaking to address same-sex spouses as personal representatives under the Privacy Rule.