Healthcare providers sometimes mistakenly assume that they cannot contact a patient’s spouse, parents, or other third parties to obtain payment without the patient’s consent. However, HIPAA generally allows healthcare providers to use or disclose protected health information for purposes of obtaining payment without the patient’s consent or authorization unless the provider has agreed otherwise with the patient. (45 CFR §§164.506(a), (c) and 164.524(a)). The Office for Civil Rights (“OCR”) published the following FAQ discussing this rule:

Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?

Answer: Yes. The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made.

Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. See 45 CFR 164.506(c) and the definition of “payment” at 45 CFR 164.501. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. See 45 CFR 164.502(b), 164.514(d), and 164.522.

(https://www.hhs.gov/hipaa/for-professionals/faq/266/does-the-privacy-rule-permit-a-covered-entity-to-communicate-with-other-parties-regarding-a-bill/index.html). Other HIPAA exceptions allow disclosures to personal representatives (45 CFR § 164.502(g)) or to persons involved in the patient’s healthcare or payment for the patient’s healthcare if certain conditions are satisfied. (45 CFR § 164.510).

Providers should review their patient intake documents, notice of privacy practices, and other patient documents to ensure that they have not unwittingly limited their ability to use patient information by agreeing with the patient not to make such disclosures without the patient’s consent or authorization. (See 45 CFR § 164.522(a)).