The United States Department of Health and Human Services (HHS) provides a helpful set of questions and answers on its website regarding the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Health care professionals should note that this guidance is informal and may be updated or withdrawn. In addition, state laws may differ on these issues. Below, we highlight five questions and answers from the HHS website.
May physician’s offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients’ homes?
Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail, by phone, or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual's privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name, number, and other information necessary to confirm an appointment, or ask the individual to call back.
A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to ensure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).
Created 12.19.02
Content last reviewed December 28, 2022
Does the HIPAA Privacy Rule permit a doctor to discuss a patient's health status, treatment, or payment arrangements with the patient's family and friends?
Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient in the patient's care or payment for health care. If the patient is present or is otherwise available prior to the disclosure and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:
- A doctor may give information about a patient's mobility limitations to a friend driving the patient home from the hospital.
- A hospital may discuss a patient's payment options with her adult daughter.
- A doctor may instruct a patient's roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
- A physician may discuss a patient's treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.
Even when a patient is not present—or when emergency circumstances or the patient's incapacity make it impracticable for the covered entity to ask the patient about discussing their care or payment with a family member or other person—the covered entity may share this information if, in the exercise of professional judgment, it determines that doing so is in the patient's best interest. See 45 CFR § 164.510(b). For example:
- A surgeon may, if consistent with such professional judgment, inform a patient's spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient's progress and prognosis.
- A doctor may, if consistent with such professional judgment, discuss an incapacitated patient's condition with a family member over the phone.
In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient's best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.
Created 11.3.03
Content last reviewed December 28, 2022
If my family or friends call my health care provider to ask about my condition, will they have to give my provider proof of who they are?
HIPAA does not require proof of identity in these cases. However, your health care provider may have his or her own rules for verifying who is on the phone. You may want to ask your provider about her or his rules.
Created 9.16.08
Content last reviewed July 26, 2013
Does HIPAA require that a health care provider document a patient's decision to allow the provider to share his or her health information with a family member, friend, or other person involved in the patient's care or payment for care?
No. HIPAA does not require that a health care provider document the patient's agreement or lack of objection. However, a health care provider is free to obtain or document the patient's agreement, or lack of objection, in writing if he or she prefers. For example, a provider may choose to document a patient's agreement to share information with a family member with a note in the patient's medical file.
Created 9.16.08
Content last reviewed July 26, 2013
If a patient's family member, friend, or other person involved in the patient's care or payment for care calls a health care provider to ask about the patient's condition, does HIPAA require the health care provider to obtain proof of who the person is before speaking with them?
No. If the caller states that he or she is a family member or friend of the patient or is involved in the patient's care or payment for care, then HIPAA doesn't require proof of identity. However, a health care provider may establish his or her own rules for verifying who is on the phone. In addition, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.
Created 9.16.08
Content last reviewed July 26, 2013
Professionals must realize that government guidance does not always consider the risks and challenges involved in responding to a government review. We always advise that patient consents be documented in a timely manner and in a retrievable source. Moreover, health care entities should have policies that provide direction and guidance to staff for these scenarios. Finally, a determination of HIPAA risk by your Privacy Officer should always consider the interactions between staff, patients and third parties. This review may also provide insights into the need for training or informal education. We recommend a regular review of your HIPAA compliance program.
For more information please contact Grant Dearborn or another member of Shumaker’s Health Law Service Line.