There are many cases where patients cannot receive information about their health; they are represented by relatives or their spouses when you need to reveal personal information. Healthcare providers are confused about whether to share protected health information (PHI). Considering the Health Insurance Portability and Accountability Act (HIPAA) is straightforward in safeguarding health information leaking to unauthorized individuals. How can you engage with patients’ families while remaining HIPAA compliant?
Healthcare is unpredictable, especially if it involves sharing a patient’s health information. There are various scenarios where disclosing to a patient’s family is inevitable. For example, you discuss a sensitive topic with your patient regarding their health via live video over a telemedicine visit. When a relative walks in and tries to join the conversation, what do you do? In another instance, a patient’s family member calls you to request access to view the patient’s medical history related to substance abuse. Would you permit it?
To provide the best and most appropriate answer to these scenarios and others like it, let’s look at some HIPAA regulations about sharing health information with relatives.
The ultimate guiding rule of HIPAA about disclosing PHI is that it is the patient’s decision. Some patients are particular about their choices on how much and to what extent they are willing to share their health information with their families. According to the HIPAA Privacy Rule, a covered entity may share health information with a spouse or family member the patient identifies.
So, what do you do when a relative walks in during a telemedicine consultation? You must ask your patient if they want to continue the conversation in the presence of another person. If they agree, you may do so because you have their consent.
To be clear, HIPAA allows you to discuss a patient’s treatment or condition in the presence of a family member only if the patient permits it or doesn’t object when given the opportunity. Verbal agreements are allowed to include a relative in the consultation. Best practices require you to document that agreement in the patient’s medical record afterward.
Here are other cases where providers need to choose whether or not to share PHI and additional related information with relatives.
When a patient is unconscious or incapacitated due to an accident, illness, or incapable of making healthcare decisions, HIPAA says that you can discuss care treatment with kin when, in exercising professional judgment, you determine that doing so is in the best interest of the patient.
Additionally, the HIPAA Privacy Rule permits a covered entity, based on professional judgment and experience with common practice, to allow a relative to act on behalf of the patient to pick up prescriptions, laboratory test results, medical supplies, or other forms of PHI.
If a patient does not permit a close family member to know about their medical condition or treatment, you must respect this decision and follow your patient’s order. However, suppose the patient is a minor. In that case, HIPAA defers the state law that says parents and guardians are personal representatives of a minor child, which means they must know about their child’s condition and make decisions about their healthcare.
In other cases, if the patient passes away, you may disclose information to the family, as long as it does not go against any preference the patient expressed when they were alive. Follow the minimum necessary rules provided by HIPAA only to disclose health information relevant to the relative’s involvement in the deceased patient’s care or payment for care.
HIPAA permits a covered entity to disclose PHI to an involved family member about the patient’s location, general condition, or death. However, make sure that the family member is involved in the patient’s care or payment of care, or the patient personally asked them to involve themselves in their care. It is important to note that HIPAA doesn’t require you to obtain the caller’s proof of identity. But, depending on your experience and professional judgment, you may establish rules for verifying who is on the phone.
Remember, with a patient’s permission, HIPAA allows a healthcare provider to share health information with a relative face-to-face, over the phone, via texts, or in writing, but may only share limited information that the family member needs to know about the patient’s healthcare or payment for their care. For example, you must not tell a relative about a past medical problem unrelated to the patient’s current condition.
Based on these discussions about engaging with patients’ families while remaining HIPAA compliant, it is clear that the following conditions are crucial to your decisions about talking to family members:
Also, the HIPAA Privacy Rule does not require a healthcare provider to obtain a patient’s written consent when they agree to disclose PHI to a relative. However, you are free to get or document the patient’s agreement in writing, or you may note it in the patient’s medical record.
Suppose you have to disclose PHI to a family member via text message. In that case, the HIPAA Security Rule requires appropriate technical measures to ensure the confidentiality and security of electronic PHI (ePHI). To ensure that your practice complies with the standards of the Security Rule, you must use a HIPAA-compliant system to text a patient’s family member without having to worry about disclosing PHI.