Natali_Mis/istock via Getty Imag
Communicating With a Patient’s Family Under the HIPAA Privacy Rule
Providers must ensure that they are following the HIPAA Privacy Rule when choosing to disclose a patient’s protected health information with the patient’s family and friends.
When disclosing protected health information (PHI) to a provider at a HIPAA-covered entity, patients likely want to ensure that their information is not being shared with everyone in the hospital waiting room. But they may want to keep their loved ones updated on their condition, even if they are unable to do so themselves.
That’s where providers come in, assuming their duty to communicate with a patient’s family and friends on behalf of the patient in a HIPAA-compliant manner.
The HIPAA Privacy Rule, enacted in 1996, encompasses a wide range of privacy protections for patients seeking care from covered entities across the US. This includes guidelines on how and when to properly disclose PHI to a patient’s family and friends.
“A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being,” the HHS website states.
“The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.”
When it comes to sharing information with a patient’s family or others involved in their care, providers must keep HIPAA at the forefront of disclosure decisions.
The HIPAA Privacy Rule states that a covered entity may “disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person's involvement with the individual's health care or payment related to the individual's health care.”
But there are specific guidelines for when and how these disclosures can happen, as explained in a guidance document by the HHS Office for Civil Rights (OCR).
For example, if a patient is present and has the capacity to make healthcare decisions for themselves, a provider can discuss the patient’s health information with a family member or friend if the patient gives consent or does not object.
“An emergency room doctor may discuss a patient’s treatment in front of the patient’s friend if the patient asks that her friend come into the treatment room,” OCR explained. “A doctor’s office may discuss a patient’s bill with the patient’s adult daughter who is with the patient at the patient’s medical appointment and has questions about the charges.”
Additionally, a doctor may discuss the medications a patient needs to take with the patient’s health aide, and can discuss mobility limitations with a patient’s relative who is driving them home from the hospital.
In other instances, a patient may not be present or may be incapacitated, making the process of disclosing information to the patient’s family more challenging.
“If the patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others as long as the health care provider determines, based on professional judgment, that it is in the best interest of the patient,” OCR noted.
“When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care. The health care provider may discuss only the information that the person involved needs to know about the patient’s care or payment.”
For example, a surgeon may tell a patient’s spouse about the patient’s condition while the patient is unconscious. However, a doctor cannot tell a patient’s friend about a past medical condition that is unrelated to the patient’s current condition.
Other nuances to the HIPAA Privacy Rule allow a provider to share a patient’s health information with an interpreter to communicate with the patient’s family. Additionally, a patient’s friend or relative can pick up a prescription, medical supplies, or X-rays without the patient having provided the person’s name to the provider in advance.
In many instances, providers must use their best judgment and knowledge of HIPAA requirements before choosing to disclose a patient’s information. For example, HIPAA does not require that a relative or friend provide proof of identity over the phone when inquiring about a patient’s condition.
“However, a health care provider may establish his or her own rules for verifying who is on the phone,” OCR noted. “In addition, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.”
HHS maintains a webpage on frequently asked questions regarding disclosures to family and friends, which can help providers better navigate these disclosures. Using good judgment and keeping the patient’s privacy top-of-mind can help providers ensure compliance with HIPAA.
Dig Deeper on HIPAA compliance and regulation
-
HHS imposes $100K penalty on NJ facility over HIPAA right of access violations
-
OCR Settles Multiple HIPAA Right of Access Complaints With Optum Medical Care
-
OCR Publishes Resources On Telehealth Privacy, Security Risks
-
Senators Introduce Bill to Bolster HIPAA Protections For Patients Seeking Reproductive Healthcare