HIPAA FAQ – Disclosures to Family and Friends2020-09-08T13:30:16-04:00

HIPAA FAQ – Disclosures to Family and Friends

Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with a person who is not married to the patient or is otherwise not recognized as a relative of the patient under applicable law (e.g., state law)?2020-09-10T20:17:20-04:00

Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) permits covered entities to share with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, the information directly relevant to the involvement of that person in the patient’s care or payment for health care. In addition, HIPAA allows a covered entity to disclose information about a patient as necessary to notify, or assist in the notification of (including by helping to identify or locate), such a person of the patient’s location, general condition, or death. In either circumstance, the person can be a patient’s family member, relative, guardian, caregiver, friend, spouse, or partner. The Privacy Rule defers to a covered entity’s professional judgment in these cases and does not require the entity to verify that a person is a family member, friend, or otherwise involved in the patient’s care or payment for care.

HIPAA permits a covered entity to share PHI with anyone from the list of potential recipients, subject to the conditions included at 45 CFR 164.510(b) and described below. Moreover, the list of potential recipients of PHI under 45 CFR 164.510(b) is in no way limited or impacted by the sex or gender identity of either the patient or the potential recipient.

When making disclosures to the persons listed under 45 CFR 164.510(b), a covered entity should get verbal permission from the patient when possible, or otherwise be able to reasonably infer that the patient does not object to the disclosure, before disclosing information to these persons. If the patient is incapacitated or not available, a covered entity may share information when, in its professional judgment, doing so is in the patient’s best interest. Finally, if the individual is deceased, a covered entity may share information with a person who was involved in the individual’s care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.

In contrast to the permitted disclosures described above, there are circumstances in which a covered entity is required to disclose information to a family member or other person involved in an individual’s care. Specifically, in some cases, a spouse, partner, or other person involved in a patient’s care will be the patient’s personal representative and thus generally have the authority to exercise the patient’s rights under the HIPAA Privacy Rule on the patient’s behalf, such as the right to access medical and other health records as provided at 45 CFR 164.524(a). A covered entity must treat all personal representatives as the individual for purposes of the Privacy Rule, in accordance with 45 CFR 164.502(g). This means a covered entity may not deny a personal representative, as defined in 45 CFR 164.502(g), the rights afforded to the personal representative under 45 CFR 164.502(g) of the Privacy Rule for any reason, including because of the sex or gender identity of the personal representative. For example, if a state grants legally married spouses health care decision making authority for each other, such that legally married spouses are personal representatives under 45 CFR 164.502(g), the legally married spouse is the patient’s personal representative and a covered entity must provide the spouse access to the patient’s records. In this example, a covered entity that does not provide a patient’s lawful spouse with access because of the sex of the spouses would be in violation of the Privacy Rule. Similarly, if a person has been granted a legal health care power of attorney for an individual that grants the person the authority to make health care decisions for the individual in a state, that person satisfies the definition of personal representative and a covered entity in that state that denies the person personal representative status because of the gender identity of the person would be in violation of the Privacy Rule.

For more information about HIPAA and Marriage, see http://www.hhs.gov/hipaa/for-professionals/special-topics/same-sex-marriage/index.html. More general information about when HIPAA permits disclosures to family members, friends, and others involved in a patient’s care or payment for care is available at http://www.hhs.gov/hipaa/for-individuals/family-members-friends/index.html (for individuals) and at http://www.hhs.gov/sites/default/files/provider_ffg.pdf – PDF.

May a health plan disclose protected health information to a person who calls the plan on the beneficiary’s behalf?2020-09-10T20:17:20-04:00

Yes, subject to the conditions set forth in 45 CFR 164.510(b) of the HIPAA Privacy Rule. The Privacy Rule at 45 CFR 164.510(b) permits a health plan (or other covered entity) to disclose to a family member, relative, or close personal friend of the individual, the protected health information (PHI) directly relevant to that person’s involvement with the individual’s care or payment for care. A covered entity also may make these disclosures to persons who are not family members, relatives, or close personal friends of the individual, provided the covered entity has reasonable assurance that the person has been identified by the individual as being involved in his or her care or payment.

A covered entity only may disclose the relevant PHI to these persons if the individual does not object or the covered entity can reasonably infer from the circumstances that the individual does not object to the disclosure; however, when the individual is not present or is incapacitated, the covered entity can make the disclosure if, in the exercise of professional judgment, it believes the disclosure is in the best interests of the individual.

For example:

  • A health plan may disclose relevant PHI to a beneficiary’s daughter who has called to assist her hospitalized, elderly mother in resolving a claims or other payment issue.
  • A health plan may disclose relevant PHI to a human resources representative who has called the plan with the beneficiary also on the line, or who could turn the phone over to the beneficiary, who could then confirm for the plan that the representative calling is assisting the beneficiary.
  • A health plan may disclose relevant PHI to a Congressional office or staffer that has faxed to the plan a letter or e-mail it received from the beneficiary requesting intervention with respect to a health care claim, which assures the plan that the beneficiary has requested the Congressional office’s assistance.
  • A Medicare Part D plan may disclose relevant PHI to a staff person with the Centers for Medicare and Medicaid Services (CMS) who contacts the plan to assist an individual regarding the Part D benefit, if the information offered by the CMS staff person about the individual and the individual’s concerns is sufficient to reasonably satisfy the plan that the individual has requested the CMS staff person’s assistance.
May a health care provider share a patient’s health information with an interpreter to communicate with the patient or with the patient’s family, friends, or others involved in the patient’s care or payment for care?2020-09-08T18:30:40-04:00

Yes. HIPAA allows covered health care providers to share a patient’s health information with an interpreter without the patient’s written authorization under the following circumstances:

  • A health care provider may share information with an interpreter who works for the provider (e.g., a bilingual employee, a contract interpreter on staff, or a volunteer).

For example, an emergency room doctor may share information about an incapacitated patient’s condition with an interpreter on staff who relays the information to the patient’s family.

  • A health care provider may share information with an interpreter who is acting on its behalf (but is not a member of the provider’s workforce) if the health care provider has a written contract or other agreement with the interpreter that meets HIPAA’s business associate contract requirements.

For example, many providers are required under Title VI of the Civil Rights Act of 1964 to take reasonable steps to provide meaningful access to persons with limited English proficiency. These providers often have contracts with private companies, community-based organizations, or telephone interpreter service lines to provide language interpreter services. These arrangements must comply with the HIPAA business associate agreement requirements at 45 CFR 164.504(e).

  • A health care provider may share information with an interpreter who is the patient’s family member, friend, or other person identified by the patient as his or her interpreter, if the patient agrees, or does not object, or the health care provider determines, using his or her professional judgment, that the patient does not object.

For example, health care providers sometimes see patients who speak a certain language and the provider has no employee, volunteer, or contractor who can competently interpret that language. If the provider is aware of a telephone interpreter service that can help, the provider may have that interpreter tell the patient that the service is available. If the provider decides, based on professional judgment, that the patient has chosen to continue using the interpreter, the provider may talk to the patient using the interpreter.

Can a patient have a family member, friend, or other person pick up a filled prescription, medical supplies, x-rays, or other similar forms of patient information, for the patient?2020-09-07T11:46:47-04:00

Yes. HIPAA allows health care providers to use professional judgment and experience to decide if it is in the patient’s best interest to allow another person to pick up a prescription, medical supplies, X-rays, or other similar forms of information for the patient.

For example, the fact that a relative or friend arrives at a pharmacy and asks to pick up a specific prescription for a patient effectively verifies that he or she is involved in the patient’s care. HIPAA allows the pharmacist to give the filled prescription to the relative or friend. The patient does not need to provide the pharmacist with their names in advance.

If a patient’s family member, friend, or other person involved in the patient’s care or payment for care calls a health care provider to ask about the patient’s condition, does HIPAA require the health care provider to obtain proof of who the person is before speaking with them?2020-09-07T11:46:25-04:00

No. If the caller states that he or she is a family member or friend of the patient, or is involved in the patient’s care or payment for care, then HIPAA doesn’t require proof of identity in this case. However, a health care provider may establish his or her own rules for verifying who is on the phone. In addition, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.

May a health care provider discuss a patient’s health information over the phone with the patient’s family, friends, or others involved in the patient’s care or payment for care?2020-09-07T11:46:01-04:00

Yes. Where a health care provider is allowed to share a patient’s health information with a person, information may be shared face-to-face, over the phone, or in writing.

Does HIPAA require that a health care provider document a patient’s decision to allow the provider to share his or her health information with a family member, friend, or other person involved in the patient’s care or payment for care?2020-09-07T11:45:24-04:00

No. HIPAA does not require that a health care provider document the patient’s agreement or lack of objection. However, a health care provider is free to obtain or document the patient’s agreement, or lack of objection, in writing, if he or she prefers. For example, a provider may choose to document a patient’s agreement to share information with a family member with a note in the patient’s medical file.

If the patient is not present or is incapacitated, may a health care provider still share the patient’s health information with family, friends, or others involved in the patient’s care or payment for care?2020-09-07T11:45:03-04:00

Yes. If the patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others as long as the health care provider determines, based on professional judgment, that it is in the best interest of the patient. When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care. The health care provider may discuss only the information that the person involved needs to know about the patient’s care or payment.

Here are some examples:

  • A surgeon who did emergency surgery on a patient may tell the patient’s spouse about the patient’s condition while the patient is unconscious.
  • A pharmacist may give a prescription to a patient’s friend who the patient has sent to pick up the prescription.
  • A hospital may discuss a patient’s bill with her adult son who calls the hospital with questions about charges to his mother’s account.
  • A health care provider may give information regarding a patient’s drug dosage to the patient’s health aide who calls the provider with questions about the particular prescription.

BUT:

  • A nurse may not tell a patient’s friend about a past medical problem that is unrelated to the patient’s current condition.
  • A health care provider is not required by HIPAA to share a patient’s information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure.
If the patient is present and has the capacity to make health care decisions, when does HIPAA allow a health care provider to discuss the patient’s health information with the patient’s family, friends, or others involved in the patient’s care or payment for care?2020-09-07T11:43:47-04:00

If the patient is present and has the capacity to make health care decisions, a health care provider may discuss the patient’s health information with a family member, friend, or other person if the patient agrees or, when given the opportunity, does not object. A health care provider also may share information with these persons if, using professional judgment, he or she decides that the patient does not object. In either case, the health care provider may share or discuss only the information that the person involved needs to know about the patient’s care or payment for care.

Here are some examples:

  • An emergency room doctor may discuss a patient’s treatment in front of the patient’s friend if the patient asks that her friend come into the treatment room.
  • A doctor’s office may discuss a patient’s bill with the patient’s adult daughter who is with the patient at the patient’s medical appointment and has questions about the charges.
  • A doctor may discuss the drugs a patient needs to take with the patient’s health aide who has accompanied the patient to a medical appointment.
  • A doctor may give information about a patient’s mobility limitations to the patient’s sister who is driving the patient home from the hospital.
  • A nurse may discuss a patient’s health status with the patient’s brother if she informs the patient she is going to do so and the patient does not object.

BUT:

  • A nurse may not discuss a patient’s condition with the patient’s brother after the patient has stated she does not want her family to know about her condition.
How can I help make sure my health care providers share my health information with my family, friends, or others involved in my care or payment for my care when I want them to?2020-09-07T11:42:21-04:00

Print a copy of A Patient’s Guide: When Health Care Providers May Communicate About You with Your Family, Friends, or Others Involved In Your Care – PDF and discuss it with your health care provider at your next appointment. You may also want to share this information with your family members, friends, or others involved in your care or payment for your care.

Can my health care provider discuss my health information with an interpreter?2020-09-07T11:41:30-04:00

Yes. HIPAA allows your health care provider to share your health information with an interpreter who works for the provider to help communicate with you or your family, friends, or others involved in your care. If the interpreter is someone who does not work for your health care provider, HIPAA also allows your provider to discuss your health information with the interpreter so long as you do not object.

Can I have another person pick up my prescription drugs, medical supplies, or x-rays?2020-09-07T11:41:10-04:00

Yes. HIPAA allows health care providers (such as pharmacists) to give prescription drugs, medical supplies, X-rays, and other health care items to a family member, friend, or other person you send to pick them up.

If my family or friends call my health care provider to ask about my condition, will they have to give my provider proof of who they are?2020-09-07T11:40:43-04:00

HIPAA does not require proof of identity in these cases. However, your health care provider may have his or her own rules for verifying who is on the phone. You may want to ask your provider about her or his rules.

Do I have to give my health care provider written permission to share or discuss my health information with my family members, friends, or others involved in my care or payment for my care?2020-09-07T11:40:21-04:00

HIPAA does not require that you give your health care provider written permission. However, your provider may prefer or require that you give written permission. You may want to ask about your provider’s requirements.

If I am unconscious or not around, can my health care provider still share or discuss my health information with my family, friends, or others involved in my care or payment for my care?2020-09-07T11:40:00-04:00

Yes. If you are not around or cannot give permission, your health care provider may share or discuss your health information with family, friends, or others involved in your care or payment for your care if he or she believes, in his or her professional judgment, that it is in your best interest. When someone other than a friend or family member is asking about you, your health care provider must be reasonably sure that you asked the person to be involved in your care or payment for your care. Your health care provider may share your information face to face, over the phone, or in writing, but may only share the information that the family member, friend, or other person needs to know about your care or payment for your care.

Here are some examples:

  • A surgeon who did emergency surgery on you may tell your spouse about your condition, either in person or by phone, while you are unconscious.
  • A pharmacist may give your prescription to a friend you send to pick it up.
  • A doctor may discuss your drugs with your caregiver who calls your doctor with a question about the right dosage.

BUT:

  • A nurse may not tell your friend about a past medical problem that is unrelated to your current condition.
If I do not object, can my health care provider share or discuss my health information with my family, friends, or others involved in my care or payment for my care?2020-09-07T11:38:14-04:00

Yes. As long as you do not object, your health care provider is allowed to share or discuss your health information with your family, friends, or others involved in your care or payment for your care. Your provider may ask your permission, may tell you he or she plans to discuss the information and give you an opportunity to object, or may decide, using his or her professional judgment, that you do not object. In any of these cases, your health care provider may discuss only the information that the person involved needs to know about your care or payment for your care.

Here are some examples:

  • An emergency room doctor may discuss your treatment in front of your friend when you ask that your friend come into the treatment room.
  • Your hospital may discuss your bill with your daughter who is with you at the hospital and has questions about the charges.
  • Your doctor may talk to your sister who is driving you home from the hospital about your keeping your foot raised during the ride home.
  • Your doctor may discuss the drugs you need to take with your health aide who has come with you to your appointment.
  • Your nurse may tell you that he or she is going to tell your brother how you are doing, and then your nurse may discuss your health status with your brother if you did not say that he or she should not.

BUT:

  • Your nurse may not discuss your condition with your brother if you tell your nurse not to.
Under the HIPAA Privacy Rule, may a health care provider disclose protected health information about an individual to another provider, when such information is requested for the treatment of a family member of the individual?2020-09-10T20:07:46-04:00

Yes. The HIPAA Privacy Rule permits a covered health care provider to use or disclose protected health information for treatment purposes. While in most cases, the treatment will be provided to the individual, the HIPAA Privacy Rule does allow the information to be used or disclosed for the treatment of others. Thus, the Rule does permit a doctor to disclose protected health information about a patient to another health care provider for the purpose of treating another patient (e.g., to assist the other health care provider with treating a family member of the doctor’s patient). For example, an individual’s doctor can provide information to the doctor of the individual’s family member about the individual’s adverse reactions to anesthetics prior to the family member undergoing surgery. These uses and disclosures are permitted without the individual’s written authorization or other agreement with the exception of disclosures of psychotherapy notes, which requires the written authorization of the individual.

However, the HIPAA Privacy Rule permits but does not require a covered health care provider to disclose the requested protected health information. Thus, the doctor with the protected health information may decline to share the information even if the Rule would allow it. The HIPAA Privacy Rule may also impose other limitations on these disclosures. Under 45 CFR § 164.522, individuals have the right to request additional restrictions on the use or disclosure of protected health information for treatment, payment, or health care operations purposes. If the health care provider has agreed to the requested restriction, then the doctor is bound by that agreement and (except in emergency treatment situations) would not be permitted to share the information. However, the health care provider maintaining the records does not have to agree to the requested restriction. For example, an individual who has obtained a genetic test may request that the health care provider not use or disclose the test results. If the health care provider agrees to the restriction, the information could not be shared with providers treating other family members who are seeking to identify their own genetic health risks.

May a doctor or hospital disclose protected health information to a person or entity that can assist in notifying a patient’s family member of the patient’s location and health condition?2020-09-09T00:05:18-04:00

Yes. The HIPAA Privacy Rule permits a covered doctor or hospital to disclose protected health information to a person or entity that will assist in notifying a patient’s family member of the patient’s location, general condition, or death. See 45 CFR 164.510(b)(1)(ii). The patient’s written authorization is not required to make disclosures to notify, identify, or locate the patient’s family members, his or her personal representatives, or other persons responsible for the patient’s care. Rather, where the patient is present, or is otherwise available prior to the disclosure, and has capacity to make health care decisions, the covered entity may disclose protected health information for notification purposes if the patient agrees or, when given the opportunity, does not object. The covered entity may also make the disclosure if it can reasonably infer from the circumstances, based on professional judgment, that the patient does not object. See 45 CFR 164.510(b)(2).

Even when the patient is not present or it is impracticable because of emergency or incapacity to ask the patient about notifying someone, a covered entity can still disclose a patient’s location, general condition, or death for notification purposes when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b)(3).

Under these circumstances, for example:

A doctor may share information about a patient’s condition with the American Red Cross for the Red Cross to provide emergency communications services for members of the U.S. military, such as notifying service members of family illness or death, including verifying such illnesses for emergency leave requests.

  • A hospital may ask police to help locate and communicate with the family of an individual killed or injured in an accident.
  • A hospital may contact a patient’s employer for information to assist in locating the patient’s spouse so that he/she may be notified about the hospitalization of the patient.
Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?2020-09-09T00:05:18-04:00

Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:

  • A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.
  • A hospital may discuss a patient’s payment options with her adult daughter.
  • A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
  • A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

Even when the patient is not present or it is impracticable because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b). Thus, for example:

  • A surgeon may, if consistent with such professional judgment, inform a patient’s spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient’s progress and prognosis.
  • A doctor may, if consistent with such professional judgment, discuss an incapacitated patient’s condition with a family member over the phone.

In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient’s best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.

May a hospital or other covered entity notify a patient’s family member or other person that the patient is at their facility?2020-09-09T00:05:18-04:00

Yes. The HIPAA Privacy Rule, at 45 CFR 164.510(b), permits covered entities to notify, or assist in the notification of, family members, personal representatives, or other persons responsible for the care of the patient, of the patient’s location, general condition, or death. Where the patient is present, or is otherwise available prior to the disclosure, and has capacity to make health care decisions, the covered entity may notify family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also use or disclose this information to notify the family and these other persons if it can reasonably infer from the circumstances, based on professional judgment, that the patient does not object. Under these circumstances, for example:

A doctor may call a patient’s wife to tell her that her husband was in a car accident and is being treated in the emergency room for minor injuries.
A doctor may contact a pregnant patient’s husband to let him know that his wife arrived at the hospital in labor and is about to give birth.
A nurse may contact the patient’s friend to let him know that his roommate broke his leg falling down the stairs, has had surgery, and is in recovery.
Even when the patient is not present or it is impracticable because of emergency or incapacity to ask the patient about notifying someone, a covered entity can still notify family and these other persons when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b). For example, a doctor may, using such professional judgment, call the adult daughter of an incapacitated patient to inform her that her father suffered a stroke and is in the intensive care unit of a hospital.

Can the phone number of a patient’s room be released as part of the facility directory?2020-09-07T12:12:54-04:00

Yes. The phone number of the patient’s room in the facility may be released as part of the directory information about the patient’s location in the facility, provided that the other requirements at 45 CFR 164.510(a) also are followed. For further information about how this section of the Rule applies, see our other FAQs on this topic by searching on the term “directory.”

Can the fact that a patient has been “treated and released,” or that a patient has died, be released as part of the facility directory?2020-09-07T14:36:57-04:00

Yes. The fact that a patient has been “treated and released,” or that a patient has died, may be released as part of the directory information about the patient’s general condition and location in the facility, provided that the other requirements at 45 CFR 164.510(a) also are followed. For further information about how this section of the Rule applies, see our other FAQs on this topic by searching on the term “directory.”

Does the HIPAA Privacy Rule permit a hospital to inform callers or visitors of a patient’s location and general condition in the emergency room, even if the patient’s information would not normally be included in the main hospital directory of admitted patients?2020-09-07T12:12:10-04:00

Yes. The Privacy Rule permits covered entities to maintain more than one type of patient directory, and to maintain multiple versions of them, provided that the other requirements at 45 CFR 164.510(a) – PDF also are followed. For instance, emergency rooms that maintain directory information, even though separate from, or in a form different than, the hospital directory of admitted patients, may still disclose the information consistent with the requirements of the Privacy Rule. For further information about how this section of the Rule applies, see our other FAQs on this topic by searching on the term “directory.”

Does the HIPAA Privacy Rule permit hospitals and other health care facilities to inform visitors or callers about a patient’s location in the facility and general condition?2020-09-07T12:11:12-04:00

Yes. Covered hospitals and other covered health care providers can use a facility directory to inform visitors or callers about a patient’s location in the facility and general condition. The Privacy Rule permits a covered hospital or other covered health care provider to maintain in a directory certain information about patients – patient name, location in the facility, health condition expressed in general terms that does not communicate specific medical information about the individual, and religious affiliation. The patient must be informed about the information to be included in the directory, and to whom the information may be released, and must have the opportunity to restrict the information or to whom it is disclosed, or opt out of being included in the directory. The patient may be informed, and make his or her preferences known, orally or in writing. The facility may provide the appropriate directory information – except for religious affiliation – to anyone who asks for the patient by name. Religious affiliation may be disclosed to members of the clergy, who are given additional access to directory information under the Rule. (See other FAQs at this site by searching on the term “clergy”.)

Even when, due to emergency treatment circumstances or incapacity, the patient has not been provided an opportunity to express his or her preference about how, or if, the information may be disclosed, directory information about the patient may still be made available if doing so is in the individual’s best interest as determined in the professional judgment of the provider, and would not be inconsistent with any known preference previously expressed by the individual. In these cases, as soon as practicable, the covered health care provider must inform the patient about the directory and provide the patient an opportunity to express his or her preference about how, or if, the information may be disclosed. See 45 CFR 164.510(a).

Can a patient have a friend or family member pick up a prescription for her?2020-09-10T21:06:22-04:00

Yes. A pharmacist may use professional judgment and experience with common practice to make reasonable inferences of the patient’s best interest in allowing a person, other that the patient, to pick up a prescription. See 45 CFR 164.510(b). For example, the fact that a relative or friend arrives at a pharmacy and asks to pick up a specific prescription for an individual effectively verifies that he or she is involved in the individual’s care, and the HIPAA Privacy Rule allows the pharmacist to give the filled prescription to the relative or friend. The individual does not need to provide the pharmacist with the names of such persons in advance.

May physician’s offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients’ homes?2020-09-10T21:01:44-04:00

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).

When a covered entity, such as a doctor, uses a certified Telecommunications Relay Service to contact patients with hearing or speech impairments, is the Relay Service a business associate of the doctor?2020-09-08T18:31:21-04:00

Under the Privacy Rule, a covered entity such as a doctor can contact a patient using a Telecommunications Relay Service (TRS), without the need for a business associate contract with the TRS. The sharing of protected health information between a covered health care provider and a patient through the TRS is permitted by the Privacy Rule under 45 CFR 164.510(b), and a business associate contract is not required in these circumstances.

By way of background, the TRS enables telephone communication for people with hearing or speech impairments by using a communications assistant (CA) who transliterates conversations. The TRS CA relays information, which may include protected health information, between a text telephone (also known as “TTY”) user and another person communicating via voice. The CA must communicate what is said by the parties without alteration. The Federal Communications Commission (FCC), pursuant to the Americans with Disabilities Act (ADA), certifies all State TRS programs, which in turn contract with one or more TRS providers. All TRS providers must comply with standards for operators established by the FCC pursuant to Title IV of the ADA, including protecting the privacy of all relayed communications. The TRS is a public service that is available without cost to all persons and businesses, none of whom need to employ, contract with or otherwise establish business relationships with the TRS. Thus, when performing these services, the TRS is not acting for or on behalf of the covered entity and is not the covered entity’s business associate.

As permitted by 45 CFR 164.510(b), protected health information can be shared during a telephone communication using the TRS because the individual will have an opportunity to agree or object to disclosures of protected health information to the CA. The following typical scenarios describe how this opportunity can be provided in the course of, or prior to, using the TRS:

  • Where the individual initiates the call through the TRS, it is reasonable for a covered health care provider to infer from these circumstances that the individual has identified the CA as involved in the individual’s care, and that the individual does not object to the disclosure. See 45 CFR 164.510(b)(2)(iii).
  • Where the need for use of the TRS becomes apparent prior to a call being placed, such as when, during an office visit, the individual gives the health care provider his or her TTY number, the opportunity to agree or object to the TRS can be provided at that time. See 45 CFR 164.510(b)(2).
  • Even where the covered health care provider initiates a call using the TRS without the individual’s prior agreement, the individual will have an opportunity to agree or object at the outset of the call. Typically, the CA will begin the call by identifying the service to the party called, and if that party is unfamiliar with the TRS, the CA will briefly explain how the service operates. This initial contact by the CA provides the individual with the opportunity to agree to the disclosure by proceeding with the call using the TRS, or to object by terminating the call. See 45 CFR 164.510(b)(2)(i)-(ii).
Must a covered health care provider obtain an individual’s authorization to use or disclose protected health information to an interpreter?2020-09-10T20:09:26-04:00

No, when a covered health care provider uses an interpreter to communicate with an individual, the individual’s authorization is not required when the provider meets the conditions below. Covered entities may use and disclose protected health information for treatment, payment and health care operations without an individual’s authorization, 45 CFR 164.506(c). A covered health care provider might use interpreter services to communicate with patients who speak a language other than English or who are deaf or hard of hearing, and provision of interpreter services usually will be a health care operations function of the covered entity as defined at 45 CFR 164.501.

When using interpreter services, a covered entity may use and disclose protected health information regarding an individual without an individual’s authorization as a health care operation, in accordance with the Privacy Rule, in the following ways:

  • When the interpreter is a member of the covered entity’s workforce (i.e., a bilingual employee, a contract interpreter on staff, or a volunteer) as defined at 45 CFR 160.103;
  • When a covered entity engages the services of a person or entity, who is not a workforce member, to perform interpreter services on its behalf, as a business associate, as defined at 45 CFR 160.103. A covered entity may disclose protected health information as necessary for the business associate to provide interpreter services on the covered entity’s behalf, subject to certain written satisfactory assurances set forth in 45 CFR 164.504(e). For instance, many providers including those that are recipients of federal financial assistance and are required under Title VI of the Civil Rights Act of 1964 to take reasonable steps to provide meaningful access to persons with limited English proficiency — will have contractual arrangements with private commercial companies, community-based organizations, or telephone interpreter service lines to provide such language services. If a covered entity has an ongoing contractual relationship with an interpreter service, that service arrangement should comply with the Privacy Rule business associate agreement requirements.

In addition, a covered health care provider may, without the individual’s authorization, use or disclose protected health information to the patient’s family member, close friend, or any other person identified by the individual as his or her interpreter for a particular healthcare encounter. In these situations, that interpreter is not a business associate of the health care provider. As with other disclosures to family members, friends or other persons identified by an individual as involved in his or her care, when the individual is present, the covered entity may obtain the individual’s agreement or reasonably infer, based on the exercise of professional judgment, that the individual does not object to the disclosure of protected health information to the interpreter. 45 CFR 164.510(b)(2).

For example, if a covered health care provider encounters a patient who speaks a language for which the provider has no employee, volunteer member of the workforce or contractor who can competently interpret, but then is able to identify a telephone interpreter service to communicate with the patient, the provider may contact the telephone interpreter service and identify the language used by the patient, so that the interpreter may explain to the patient that the interpreter is available to assist the patient in communicating with the provider. If the provider reasonably concludes that the patient has chosen to be assisted by the interpreter, and, by the patient’s willingness to continue the health care encounter using the interpreter, reasonably infers that the individual does not object to the disclosure, protected health information may be disclosed in accordance with 45 CFR 164.510(b) without a business associate contract.

Organizations that are subject to both HIPAA and Title VI must comply with the requirements of both laws, though not all HIPAA covered entities are recipients of federal financial assistance and thus, required to comply with Title VI; and not all recipients of federal financial assistance are also HIPAA covered entities, subject to the Privacy Rule. For information about the obligation of recipients of federal financial assistance to take reasonable steps to provide meaningful access to persons who are limited English proficient, see Guidance to Federal Financial Assistance Recipients Regarding Title VI Prohibition Against National Origin Discrimination Affecting Limited English Proficient Persons. This guidance includes information for recipients of federal financial assistance about important considerations for determining the competency of interpreters, such as their understanding of applicable confidentiality requirements, that should be taken into account when using interpreters arranged by the provider or when individuals elect to use friends, family or others as interpreters. HIPAA covered entities may also be required to comply with the Americans with Disabilities Act and/or Section 504 of the Rehabilitation Act of 1973, both of which have requirements for the provision of sign language and oral interpreters for people who are deaf or hard of hearing.

Copyright 2017 - 2023 | All Rights Reserved | HIPAATemplates.com
Go to Top