HIPAA-Phobia with Friends and Family: Understanding Is the Cure
Eighteen years after the Health Insurance Portability and Accountability Act (HIPAA) became effective, too many health care providers continue to frustrate patients, their families and their friends by refusing to provide — or, in some cases, to even receive — protected health information (PHI) about the patient for fear of violating the law. Such frustration is entirely unnecessary.
HIPAA does not prohibit, and never has prohibited, a health care provider — a "Covered Entity" under HIPAA — from sharing protected health information about a patient with the patient's family or friends, unless the patient has asked that such information be withheld from someone. The misapplication of HIPAA has become so frustrating to so many that Congress is considering passing a HIPAA amendment to clarify what the Department of Health and Human Services (DHHS) has already said: HIPAA has never prohibited sharing such patient information with patients' families and friends.
DHHS bulletins on this subject expressly state that a Covered Entity under HIPAA may discuss a patient's protected health information with a patient's family, friends or others involved in the patient's care even if the patient is not present or if the patient is incapacitated. The only restriction is that when someone other than a friend or family member is involved, the Covered Entity must be reasonably sure that the patient asked that person to become involved in his or her care or payment for care, and may discuss only the information that the person needs to know about the patient's care or payment.
DHHS also has stated that Covered Entities may only discuss the patient's current medical issue related to the patient's current condition, and should avoid discussing past medical problems. And while DHHS has noted that a health care provider is not required by HIPAA to share protected health information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure, HIPAA also does not prevent a Covered Entity from sharing such PHI when the patient is not present or is incapacitated. Additionally, DHHS takes the position that Covered Entities are not required to document a patient's decision to allow the Covered Entity to share information with a family member, friend or other person, although a Covered Entity is free to do so if it so wishes.
This relatively free exchange of patient information extends to discussions in person, by phone or in writing. HIPAA does not require a Covered Entity to obtain proof of the identity of a person asking about a patient's condition before providing that person with the information, although the Covered Entity may establish its own rules for verifying to whom it is talking.
Additionally, as a practical matter, remember that patients cannot sue health care providers under HIPAA. Rather, if a patient believes that a HIPAA violation has occurred, they may report their allegations either to DHHS or to their state attorney general. Given DHHS's clear guidance on communicating with patients' families and friends, Covered Entities should feel confident that communicating with patients' families and friends will not result in any HIPAA enforcement action.