Friends and family of a patient may need information when they are involved in care or need to make decisions on behalf of the patient. HIPAA permits this information sharing under certain conditions.
How HIPAA regulates information sharing
The Privacy Rule, at 45 CFR 164.510(b), sets clear guidelines on how protected health information (PHI) can be shared with a patient's family and friends. If the patient is present and capable of making decisions, providers can share information with others, so long as the patient agrees or does not object. For instance, if a patient brings someone with them to their appointment, the doctor may discuss care details with both individuals.
The Department of Health and Human Services (HHS) also permits healthcare providers to use their professional judgment to update family members about health developments.
Conditions for legally sharing PHI with family members
- The patient is present and can make health care decisions.
- The patient agrees to the sharing of their PHI with family members.
- The patient does not object when given the opportunity to do so.
- The health care provider can reasonably infer, based on professional judgment, that the patient does not object.
- In emergencies or when the patient is incapacitated, the provider determines that sharing PHI is in the best interest of the patient.
- The information shared is relevant to the family member's involvement in the patient's care or payment for care.
Best practices
- Verify relationships and involvement: Always verify the identity and relationship of the person you are speaking with before disclosing any PHI. Confirm they are involved in the care or payment for the patient.
- Use minimal necessary information: Disclose only the minimum necessary information the family member or friend needs to assist with the patient's care or payment issues.
- Obtain written consent: Whenever possible, obtain written consent from the patient allowing specific family members or friends to receive information about their health.
- Secure communications: Use secure methods for communicating PHI, such as HIPAA-compliant email or similarly compliant text messaging.
- Establish patient preferences: Discuss with patients their preferences regarding which family members or friends should receive information about their health. Document these preferences clearly in their medical record.
FAQs
What is the minimum necessary standard?
The minimum necessary standard requires that healthcare providers access and share only the protected health information needed to perform their jobs or to accomplish the purpose of a disclosure.
What is consent?
Consent is the agreement a patient gives to allow their health information to be used or shared for specific purposes.