HIPAA FAQ – Facility Directories
Yes, the HIPAA Privacy Rule allows this communication to occur, as long as the patient has been informed of this use and disclosure, and does not object. The Privacy Rule provides that a hospital or other covered health care provider may maintain in a directory the following information about that individual: the individual’s name; location in the facility; health condition expressed in general terms; and religious affiliation.
The facility may disclose this directory information to members of the clergy. Thus, for example, a hospital may disclose the names of Methodist patients to a Methodist minister unless a patient has restricted such disclosure. Directory information, except for religious affiliation, may be disclosed only to other persons who ask for the individual by name. When, due to emergency circumstances or incapacity, the patient has not been provided an opportunity to agree or object to being included in the facility’s directory, these disclosures may still occur, if such disclosure is consistent with any known prior expressed preference of the individual and the disclosure is in the individual’s best interest as determined in the professional judgment of the provider. See 45 CFR 164.510(a).
Yes. The phone number of the patient’s room in the facility may be released as part of the directory information about the patient’s location in the facility, provided that the other requirements at 45 CFR 164.510(a) also are followed. For further information about how this section of the Rule applies, see our other FAQs on this topic by searching on the term “directory.”
Yes. The fact that a patient has been “treated and released,” or that a patient has died, may be released as part of the directory information about the patient’s general condition and location in the facility, provided that the other requirements at 45 CFR 164.510(a) also are followed. For further information about how this section of the Rule applies, see our other FAQs on this topic by searching on the term “directory.”
Yes. The Privacy Rule permits covered entities to maintain more than one type of patient directory, and to maintain multiple versions of them, provided that the other requirements at 45 CFR 164.510(a) – PDF also are followed. For instance, emergency rooms that maintain directory information, even though separate from, or in a form different than, the hospital directory of admitted patients, may still disclose the information consistent with the requirements of the Privacy Rule. For further information about how this section of the Rule applies, see our other FAQs on this topic by searching on the term “directory.”
Yes. Covered hospitals and other covered health care providers can use a facility directory to inform visitors or callers about a patient’s location in the facility and general condition. The Privacy Rule permits a covered hospital or other covered health care provider to maintain in a directory certain information about patients – patient name, location in the facility, health condition expressed in general terms that does not communicate specific medical information about the individual, and religious affiliation. The patient must be informed about the information to be included in the directory, and to whom the information may be released, and must have the opportunity to restrict the information or to whom it is disclosed, or opt out of being included in the directory. The patient may be informed, and make his or her preferences known, orally or in writing. The facility may provide the appropriate directory information – except for religious affiliation – to anyone who asks for the patient by name. Religious affiliation may be disclosed to members of the clergy, who are given additional access to directory information under the Rule. (See other FAQs at this site by searching on the term “clergy”.)
Even when, due to emergency treatment circumstances or incapacity, the patient has not been provided an opportunity to express his or her preference about how, or if, the information may be disclosed, directory information about the patient may still be made available if doing so is in the individual’s best interest as determined in the professional judgment of the provider, and would not be inconsistent with any known preference previously expressed by the individual. In these cases, as soon as practicable, the covered health care provider must inform the patient about the directory and provide the patient an opportunity to express his or her preference about how, or if, the information may be disclosed. See 45 CFR 164.510(a).
Providers and health plans covered by the HIPAA Privacy Rule can share patient information in all of the following ways:
TREATMENT: Health care providers can share patient information as necessary to provide treatment.
Treatment includes:
- sharing information with other providers (including hospitals and clinics),
- referring patients for treatment (including linking patients with available providers in areas where the patients have relocated), and
- coordinating patient care with others (such as emergency relief workers or others that can help in finding patients appropriate health services).
Providers can also share patient information to the extent necessary to seek payment for these health care services.
NOTIFICATION: Health care providers can share patient information as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the individual’s care of the individual’s location, general condition, or death.
The health care provider should get verbal permission from individuals, when possible; but if the individual is incapacitated or not available, providers may share information for these purposes if, in their professional judgement, doing so is in the patient’s best interest.
- Thus, when necessary, the hospital may notify the police, the press, or the public at large to the extent necessary to help locate, identify, or otherwise notify family members and others as to the location and general condition of their loved ones.
- In addition, when a health care provider is sharing information with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, it is unnecessary to obtain a patient’s permission to share the information if doing so would interfere with the organization’s ability to respond to the emergency.
IMMINENT DANGER: Providers can share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public — consistent with applicable law and the provider’s standards of ethical conduct.
FACILITY DIRECTORY: Health care facilities maintaining a directory of patients can tell people who call or ask about individuals whether the individual is at the facility, their location in the facility, and general condition.
Of course, the HIPAA Privacy Rule does not apply to disclosures if they are not made by entities covered by the Privacy Rule. Thus, for instance, the HIPAA Privacy Rule does not restrict the American Red Cross from sharing patient information.
Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances, as set forth below, does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual.
A covered entity, including a health care provider, may not use or disclose protected health information (PHI), except either: (1) as the HIPAA Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing. Generally, the HIPAA Privacy Rule does not permit health care providers to disclose PHI to media personnel, including film crews, without having previously obtained a HIPAA-compliant authorization signed by the patient or his or her personal representative. In other words, health care providers may not allow members of the media, including film crews, into treatment areas of their facilities or other areas where PHI will be accessible in written, electronic, oral or other visual or audio form, without prior authorization from the patients who are or will be in the area or whose PHI will be accessible to the media. It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation, or voice alteration software) for whom an authorization was not obtained, because the HIPAA Privacy Rule does not allow media access to the patients’ PHI, absent an authorization, in the first place.
In addition, the health care provider must ensure that reasonable safeguards are in place to protect against impermissible disclosures or to limit incidental disclosures of other PHI that may be in the area but for which an authorization has not been obtained.
There are very limited situations in which the HIPAA Privacy Rule permits a covered entity to disclose limited PHI to the media without obtaining a HIPAA authorization. For example, a covered entity may seek to have the media help identify or locate the family of an unidentified and incapacitated patient in its care. In that case, the covered entity may disclose limited PHI about the incapacitated patient to the media if, in the hospital’s professional judgment, doing so is in the patient’s best interest. See 45 CFR 164.510(b)(1)(ii). In addition, a covered entity may disclose a patient’s location in the facility and condition in general terms that do not communicate specific medical information about the individual to any person, including the media, without obtaining a HIPAA authorization where the individual has not objected to his information being included in the facility directory, and the media representative or other person asks for the individual by name. See 45 CFR 164.510(a).
The HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public, which may include public waiting areas or areas where the public enters or exits the facility.
A health care provider may utilize the services of a contract film crew to produce training videos or public relations materials on the provider’s behalf if certain protections are in place. If patients are to be identified by the provider and interviewed by a film crew, or if PHI might be accessible during filming or otherwise disclosed, the provider must enter into a HIPAA business associate agreement with the film crew acting as a business associate. Among other requirements, the business associate agreement must ensure that the film crew will safeguard the PHI it obtains, only use or disclose the PHI for the purposes provided in the agreement, and return or destroy any PHI after the work for the health care provider has been completed. See 45 CFR 164.504(e)(2). As a business associate, the film crew must comply with the HIPAA Security Rule and a number of provisions in the Privacy Rule, including the Rule’s restrictions on the use and disclosure of PHI. In addition, authorizations from patients whose PHI is included in any materials would be required before such materials are posted online, printed in brochures for the public, or otherwise publicly disseminated.
Finally, covered entities can continue to inform the media of their treatment services and programs so that the media can better inform the public, provided that, in doing so, the covered entity does not share PHI with the media without the prior authorization of the individuals who are the subject of the PHI.