July 10, 2020

Volume X, Number 192

July 09, 2020

Subscribe to Latest Legal News and Analysis

July 08, 2020

Subscribe to Latest Legal News and Analysis

July 07, 2020

Subscribe to Latest Legal News and Analysis

HIPAA-Phobia with Friends and Family: Understanding Is the Cure

Eighteen years after the Health Insurance Portability and Accountability Act (HIPAA) became effective, too many health care providers continue to frustrate patients, their families and their friends by refusing to provide — or, in some cases, to even receive — protected health information (PHI) about the patient for fear of violating the law. Such frustration is entirely unnecessary. 

HIPPA does not, and never has, prohibited a health care provider — a "Covered Entity" under HIPAA — from sharing protected health information about a patient with the patient's family or friends, unless the patient has asked that such information be withheld from someone. The misapplication of HIPAA has become so frustrating to so many that Congress is considering passing a HIPAA amendment to clarify what the Department of Health and Human Services (DHHS) has already said: HIPAA has never prohibited sharing such patient information with patients’ families and friends.

DHHS bulletins on this subject expressly state that a Covered Entity under HIPAA may discuss a patient's protected health information with a patient's family, friends or others involved in the patient's care even if the patient is not present or if the patient is incapacitated. The only restriction is that when someone other than a friend or family member is involved, the Covered Entity must be reasonably sure that the patient asked that person to become involved in his or her care or payment for care, and may discuss only the information that the person needs to know about the patient's care or payment.

DHHS also has stated that Covered Entities may only discuss the patient's current medical issue related to the patient's current condition, and should avoid discussing past medical problems. And while DHHS has noted that a health care provider is not required by HIPAA to share protected health information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure, HIPAA also does not prevent a Covered Entity from sharing such PHI when the patient is not present or is incapacitated. Additionally, DHHS takes the position that Covered Entities are not required to document a patient's decision to allow the Covered Entity to share information with a family member, friend or other person, although a Covered Entity is free to do so if it so wishes.

This relatively free exchange of patient information extends to discussions in person, by phone or in writing. HIPAA does not require a Covered Entity to obtain proof of who the person asking about a patient's condition is before providing them with that information, although the Covered Entity may establish its own rules for verifying to whom they are talking. 

Additionally, as a practical matter, remember that patients cannot sue health care providers under HIPAA. Rather, if a patient believes that a HIPAA violation has occurred, they may report their allegations to either DHHS or to their state attorney general. Given DHHS's clear guidance on communicating with patient's families and friends, Covered Entities should feel confident that communicating with patient's families and friends will not result in any HIPAA enforcement action.

© 2020 Much Shelist, P.C.National Law Review, Volume V, Number 259


About this Author

Robert Neiman, health care regulatory counseling attorney, Much Shelist, Law Firm


Bob Neiman, co-chair of the firm’s Health Care practice, is an experienced litigator who focuses his practice on health care regulatory counseling and litigation, employment-related counseling and litigation, and commercial litigation, including insurance coverage matters and other business disputes.

Bob thinks like a businessman, not just a lawyer. After considering the legal ramifications of a business problem, Bob's strength is taking his lawyer's hat off and helping clients decide on the most practical and cost-effective way to solve the business problem.


(312) 521-2646