Here are the key HIPAA rules that apply to disclosures of protected health information (PHI) to family members:
HIPAA Rules for Disclosures of PHI to Family Members
HIPAA allows healthcare providers to share relevant PHI with family members or others involved in a patient’s care or payment for care, with some important conditions:
- If the patient is present and has capacity, the provider must obtain the patient’s agreement or give the patient an opportunity to object before disclosing PHI.
- If the patient is not present or lacks capacity, the provider may disclose PHI if the provider determines it’s in the patient’s best interest.
- Providers should limit disclosures to information directly relevant to the person’s involvement in the patient’s care or payment.
Specific Situations
- Personal Representatives: A person with legal authority to make healthcare decisions for a patient (e.g. parent of a minor, spouse of an incapacitated adult) generally has the same rights to access information as the patient.
- Facility Directories: Limited information like a patient’s location in a facility may be disclosed to visitors, unless the patient objects.
- Emergency Situations: Providers may notify family members or others involved in the patient’s care about a patient’s location, general condition, or death.
- Payment: Providers may share necessary PHI with family members involved in paying for care.
Key Points for Families
- HIPAA does not automatically give family members the right to access patient records.
- Patients can designate family members as personal representatives to access their information.
- Providers have discretion in many cases to determine what information to share with family members.
- Patients have a right to instruct providers that their PHI not be disclosed to certain family members.
The goal is to balance patient privacy with allowing appropriate information sharing to facilitate care and family involvement. Providers should use professional judgment while respecting patient preferences regarding disclosures to family members. It is always best practice to obtain the clear consent of the patient (whenever possible) before making disclosures of PHI to family members.
It is important for HIPAA training to teach healthcare providers and anyone who handles PHI about these rules — and more generally, about which disclosures are permissible. Please contact us if you would like to learn more about our HIPAA training.
Since its founding by Professor Daniel J. Solove in 2010, TeachPrivacy has provided training for hundreds of organizations, boutique to Fortune 500, both nationwide and globally. A leading international expert in privacy law, Solove is a law professor at George Washington University Law School, has authored more than 10 books and more than 50 articles, as well as given lectures around the world. His LinkedIn blog has more than 1 million followers. Click here for more information about Professor Solove.