The HHS Office for Civil Rights (OCR) has clarified how it expects healthcare providers to comply with HIPAA when they need to share patient information on opioid overdoses: Providers can share protected health information (PHI) in limited ways during overdoses.

There has been some confusion about how to comply with HIPAA during emergencies, such as drug overdoses and natural disasters, OCR notes. Healthcare providers have been confused about whether the law allows them to disclose necessary information to family members or caregivers when the patient is experiencing an opioid emergency.

OCR makes clear in recent guidance that providers can use common sense in these situations because HIPAA was never intended to interfere with proper medical care. In some situations PHI can be shared without the patient’s permission if that is in the patient’s best interest, the guidance explains. (The OCR guidance is available online at

OCR includes the caveat that the sharing must be limited to what is necessary related to the immediate emergency. It is not OK to open the door completely and share other PHI.

OCR cites two examples in which healthcare providers can share limited PHI without the patient’s permission during a drug overdose.

PHI may be shared with family and close friends who are involved in care of the patient if the provider determines that doing so is in the best interests of an incapacitated or unconscious patient and the information shared is directly related to the family or friend’s involvement in the patient’s healthcare or payment of care. “For example, a provider may use professional judgment to talk to the parents of someone incapacitated by an opioid overdose about the overdose and related medical information, but generally could not share medical information unrelated to the overdose without permission.”

The healthcare provider may inform persons in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety. “For example, a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends, or caregivers of the opioid abuse after determining, based on the facts and circumstances, that the patient poses a serious and imminent threat to his or her health through continued opioid abuse upon discharge.”

However, the OCR guidance notes that patients with decision-making capacity must be given the opportunity to agree or object to sharing health information with family, friends, and others involved in the individual’s care or payment for care. The provider must respect a patient’s decision not to share PHI unless there is a serious and imminent threat to safety.

OCR also points out that a patient’s decision-making capacity may change during the course of treatment, and the provider must adjust accordingly.