Healthcare providers often question whether they may disclose protected health information to family members or other persons involved in the patient’s care or payment for their care. The HIPAA Privacy Rules generally allow such disclosures under the following circumstances:
- Disclosures to family members and others involved in the patient’s healthcare. HIPAA allows providers to disclose information to family members and others involved in the patient’s healthcare or payment for their care in certain circumstances. If the patient is present and able to make decisions, the provider must (i) obtain the patient’s permission or (ii) reasonably infer from the circumstances that the patient does not object to the disclosure. (45 CFR 164.510(b)(2)). If the patient is not present or is unable to consent, the provider may disclose the information so long as: (i) the provider believes it is in the patient’s best interest to make the disclosure; (ii) the patient has not otherwise objected to such disclosures; and (iii) the provider limits the information disclosed to that which is relevant to the family member or other person’s involvement in the patient’s healthcare. (Id. at 164.510(b)(3)). For example, if the patient does not object, a physician may talk with the friend who accompanies the patient to the hospital or with a family member who pays the patient’s medical bill. Similarly, a pharmacy may disclose information to a friend whom the patient sends to pick up a prescription, unless the patient has objected to such disclosures.
- Disclosures to the personal representative. HIPAA allows healthcare providers to disclose protected health information to the patient’s personal representative; indeed, a personal representative generally has the right to access a patient’s personal health information to the same extent as a patient. (45 CFR 164.502(a)(2)(i) and (g)). For purposes of HIPAA, a “personal representative” is the person with authority under applicable state law to make healthcare decisions for the patient, e.g., the parent of an unemancipated minor; the spouse of an incapacitated adult; etc. (Id. at 164.502(g)). In the case of deceased persons, the “personal representative” is the executor, administrator, or other person authorized to act on behalf of the deceased person or their estate. (Id. at 164.502(g)(4)). There are limited exceptions that allow a provider to decline to disclose information to a personal representative, e.g., if the provider believes that doing so would endanger the individual. (Id. at 164.502(g)(5)).
- Disclosures for treatment, payment or certain healthcare operations. HIPAA allows healthcare providers to use or disclose protected health information without the patient’s authorization for purposes of treating a patient or obtaining payment, or for certain healthcare operations of the covered entity. (45 CFR 164.506). For example, a provider may need to disclose limited information to ensure a patient is cared for at home, or an appropriate medical history is obtained. There are limitations, however. First, a provider may not make such disclosures if it has agreed otherwise with the patient, e.g., the provider told the patient that it would only disclose information to those persons identified by the patient. (Id. at 164.522(a)). Providers should generally avoid making promises that would limit their ability to make disclosures otherwise allowed by HIPAA. Second, providers generally may not disclose psychotherapy notes without the patient’s written authorization. (Id. at 164.508). Third, providers may not disclose information if a more restrictive law prohibits disclosure, e.g., state or federal laws that apply to substance abuse programs.
- Disclosures for facility directories. If a facility maintains a directory of patients in the facility, HIPAA allows disclosures of the following information to those who ask for the patient by name unless the patient has objected to such disclosures: (i) the patient’s name; (ii) the patient’s location in the facility; and (iii) the patient’s condition described in general terms that does not communicate specific information about the patient. (45 CFR 164.510(a)).
- Disclosures to avert serious and imminent threat of harm. HIPAA allows disclosures that are necessary to prevent or lessen a serious and imminent threat of harm to a person or the public, provided that the disclosure is to a person who is reasonably able to prevent or lessen the threat. (45 CFR 164.512(j)).
- Disclosures required by law. HIPAA allows disclosures to the extent the disclosure is required by another law, provided that the disclosure is limited to the extent required by the other law. (45 CFR 164.512(a)). For example, if a law requires disclosure to parents, the provider may make disclosures as required by the law.
- Disclosures with the patient’s written authorization. Unless the disclosure fits within one of the preceding rules or another HIPAA exception, the provider generally must have the patient’s written, HIPAA-compliant authorization to make the disclosure. (45 CFR 164.508).
Even if the disclosure is allowed, the provider must generally limit the amount of information disclosed to the minimum necessary to accomplish the purpose of the disclosure. (See 45 CFR 164.514(d)). In addition, if the provider does not know the family member or other person, the provider must take reasonable steps to verify the identity and authority of the person to obtain the information. (Id. at 164.514(h)).
The Office for Civil Rights has published a helpful guide, “Communicating with a Patient’s Family, Friends, or Others Involved in the Patient’s Care”, which is available at this link: http://www.hhs.gov/sites/default/files/provider_ffg.pdf.