Consent to share medical information with family member

Have you ever had questions about what might be going on with an older loved one’s health? But then you find that your older relative is unable — or unwilling — to let you in on the health details?

Such questions come up often for the family caregivers of aging adults. Common situations include:

  • An older parent who starts to act in ways that are strange or worrisome, such as becoming paranoid or delusional.
  • An older adult who seems to be physically or mentally declining, but seems reluctant to discuss the situation.
  • A hospitalization or emergency room visit.
  • A hospitalized older person becoming confused (this would be delirium) and no longer being able to explain to family what the doctors have said.

In these situations, family caregivers often find themselves grappling with issues related to the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule.

Why all the grappling?

Well, although most people — and all clinicians — have heard of HIPAA, its rules and requirements are often misunderstood. So for instance, families may assume they can’t report a relative’s worrisome behavior to the doctor, because their relative hasn’t given them permission to do so.

Even worse: doctors and other clinicians sometimes refuse to disclose any information to families, and will incorrectly claim that HIPAA doesn’t allow them to do so. This can create extra confusion and stress for families, or can even sometimes put an older person at risk for harm.

If you’ve been concerned about an aging parent’s health, or are otherwise helping someone with their health concerns, then it can be very helpful to understand HIPAA better.

In fact, the American Bar Association includes “Know your rights of access to health information” among its Ten Legal Tips for Caregivers.

The detailed ins and outs of HIPAA can indeed be hard to fully understand. But, it’s not too hard to learn some practical basics, especially since the US Department of Health and Human Services (HHS) provides a Summary of the Privacy Rule here, and maintains a truly useful set of online FAQs about HIPAA here.

In this article, I’ll explain five useful key basics to help you understand HIPAA better, especially when it comes to getting information as a family caregiver.

I’ll also address five questions I’ve often heard family caregivers ask about HIPAA.

At the end, I’ll share some of my favorite online HIPAA resources, as well as some final tips to keep in mind.

5 Key Basics About HIPAA

1. What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed in 1996. Among other things, HIPAA required the Department of Health and Human Services (HHS) to create a federal “Privacy Rule” for health providers and health plans, governing how these entities must protect the privacy of an individual’s medical information.

Usually, when people refer to HIPAA, they are actually referring to the HIPAA Privacy Rule created by HHS.

The HIPAA Privacy Rule basically says that “covered entities” must take certain steps to keep a person’s health information confidential and secure.

“Covered entities” means health providers, health insurers, and many other professionals whose daily work involves the handling of individuals’ medical information.

Private citizens and family caregivers are not “covered” by the Privacy Rule. This means that you do not have to keep your — or your older parent’s — health information confidential in the same way that health providers do.

Exactly how “covered entities” should comply with the Privacy Rule can get pretty complicated to explain. What is most important for you to know is that this often — but not always — means taking steps to make sure that patients are in agreement, before their health information is shared with other people.

Overall, HIPAA is intended to balance a person’s right to privacy with the need for health providers to communicate with others, in order to properly care for a patient and act in the patient’s best interest.

To read about the rule in more technical detail, see here: Summary of the HIPAA Privacy Rule.

To read a good plain-English summary of your rights (as an individual) under HIPAA, see here: Your Rights Under HIPAA.

2. What information is protected by HIPAA?

HIPAA’s Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity, no matter what form it is in. So HIPAA applies whether a person’s health information is held or disclosed electronically, orally, or in written form.

A person’s health information is often referred to as “protected health information.” This covers information that relates to:

  • a person’s past, present or future physical or mental health or conditions
  • any health care provided to a person (e.g. clinical notes or lab results related to a person’s medical care)
  • past, present, or future payments related to a person’s health care (e.g. billing records)

In other words, this is information created by, or stored by, healthcare providers and insurers.

HIPAA also covers demographic data and any information that can be used to identify a person, such as names and addresses.

If you are a family caregiver, remember that you are not a “covered entity.” Hence you aren’t responsible for protecting health information in the same way that your relative’s doctor is.

3. What to know about HIPAA’s rules on the disclosing of protected health information

You’ll be able to sort out health information disclosure issues more easily if you understand a few fundamentals about HIPAA’s rules on these issues.

According to the HHS Summary of the HIPAA Privacy Rule: “A covered entity may not use or disclose protected health information, except either:

(1) as the Privacy Rule permits or requires; or
(2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.”

In other words, doctors are allowed to disclose health information if a person authorizes it in writing, or if the Privacy Rule otherwise permits or requires such disclosure.

Now, let’s address the difference between being required and being permitted to disclose, because that is really at the heart of a lot of HIPAA confusion.

The difference is that when doctors are required to disclose, then they have to do it, whether or not they want to.

Whereas when they are permitted to disclose, they are allowed to do it, but they don’t have to. (Which means, they might refuse to do it, and they are legally allowed to do so, unless other federal, state, or local laws apply.)

You now probably will want to know: under what circumstances are health providers required or permitted to disclose health information?

Required disclosures of health information. Health providers must disclose protected health information in these two situations:

  • When individuals — or their personal representatives — request access to their protected health information. Individuals can also request an accounting of disclosures, which means the covered entity has to tell a person with whom the information was shared.
  • When the Department of Health and Human Services requests information, as part of a compliance audit or enforcement investigation.

In short: if you request it, your doctors must give you copies of your health information. This is known as the “Right of Access.” You can learn more about your rights to view or obtain copies of your health information here: Individuals’ Right under HIPAA to Access their Health Information.

And if you are the durable power of attorney for healthcare for your relative, and if you are currently authorized to act, you have the right to request and obtain your relative’s health information.

Permitted disclosures of health information. Under certain circumstances, health providers are allowed — but not required — to disclose information, without obtaining the patient’s written permission.

Now here’s where things start getting trickier, because the list of permitted circumstances is much longer and more complicated than the list of required disclosures.

If you want to learn about all the permitted disclosures and uses, you can do so by reading the HHS Summary of the Privacy Rule.

But I think it’s more useful to learn from the FAQs that HHS has published online, especially the ones created to guide doctors and other healthcare professionals. I will share some of the more useful ones in the next section, when I address FAQs based on the questions I’ve had people ask me.

For now, the main thing you should know is this: in many cases, health providers are allowed, but not required, to disclose health information to others, even if a patient doesn’t give written or verbal permission for this.

As you will see below, when we go through some FAQs, doctors are allowed to use their clinical judgment and disclose information when a patient lacks capacity to give consent, if the clinician decides that the disclosure is in the best interest of the patient.

4. What to know about HIPAA’s “minimum necessary” requirement

The HIPAA Privacy Rule describes a principle of “minimum necessary” use and disclosure:

“A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.”

Basically, this means that when health providers disclose health information to someone other than the patient, they can’t just disclose anything and everything about their patient’s health. Instead, they should only share on a “need to know” basis, and focus on what’s relevant and necessary.

Note that the minimum necessary requirement does not apply to all disclosures. The Privacy Rule summary lists six situations as exempt, including “disclosure to or a request by a health care provider for treatment.”

In short, if your doctor refers you to another doctor, she can send your whole medical chart along. But, if a doctor is speaking to your family while you are sick in the hospital, the doctor is only allowed to disclose what is necessary and relevant to your current hospitalization and care needs.

5. What is a “HIPAA release”?

Many health providers and other covered entities will require a person to sign a written authorization, before they disclose protected health information. This is sometimes called a HIPAA release, a HIPAA waiver, or a release of information authorization.

Interestingly, the HIPAA Privacy Rule itself does not require health providers to do this. Instead, per the Summary:

‘Obtaining “consent” (written permission from individuals to use and disclose their protected health information for treatment, payment, and health care operations) is optional under the Privacy Rule for all covered entities. The content of a consent form, and the process for obtaining consent, are at the discretion of the covered entity electing to seek consent.’

In other words, although it’s extremely common for health providers to ask patients to sign written authorizations before disclosing health information, such written consent is not actually required by HIPAA.

Instead, a requirement for written consent usually reflects a clinic’s policies, or perhaps the preference of an individual clinician. Understandably, clinicians want to avoid being accused of failing to protect a patient’s confidentiality.

5 Useful Caregiver FAQs about HIPAA and the Disclosure of Health Information

1. Is written permission always required, for a doctor to be able to talk to me about my older parent’s health?

Nope! As noted above, for permitted disclosures of health information, HIPAA does not require that a patient give written permission.

Instead, clinicians are allowed to use a patient’s verbal consent.

HIPAA also says it’s ok for clinicians to give patients an opportunity to object and to proceed if they don’t object, or even to “reasonably infer, based on professional judgment, that the patient does not object.”

Personally, I have often spoken to a patient’s adult children on the phone, because the patient told me it was okay to do so. However, I usually document in my clinical note that the patient said it was fine to talk to his or her children.

Last but not least, if a patient is not present or if it’s “impracticable because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person,” HIPAA says that clinicians can disclose information if they determine that doing so is in the best interest of the patient.

In short, HIPAA allows health providers to have a lot of leeway, when it comes to disclosing medical information to family and others. However, those disclosures will usually have to comply with the “minimum necessary” rule.

Most state laws are similar to HIPAA, but in some states, requirements may be more stringent.

You can find more details through these FAQs:

If I do not object, can my health care provider share or discuss my health information with my family, friends, or others involved in my care or payment for my care?

If I am unconscious or not around, can my health care provider still share or discuss my health information with my family, friends, or others involved in my care or payment for my care?

Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?

Do I have to give my health care provider written permission to share or discuss my health information with my family members, friends, or others involved in my care or payment for my care?

If the patient is present and has the capacity to make health care decisions, when does HIPAA allow a health care provider to discuss the patient’s health information with the patient’s family, friends, or others involved in the patient’s care or payment for care?

2. Can doctors talk to me about my older parent’s health during an emergency?

Yes, HIPAA allows this type of disclosure. So doctors are permitted to update you about your parent’s health during an emergency.

Furthermore, HIPAA does not require providers to ask family caregivers for proof of identity, before disclosing information.

That said, just because doctors are permitted to disclose information to you doesn’t mean they have to do it. As this FAQ notes, “a health care provider is not required by HIPAA to share a patient’s information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure.”

For more information:

Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?

If the patient is not present or is incapacitated, may a health care provider still share the patient’s health information with family, friends, or others involved in the patient’s care or payment for care?

If my family or friends call my health care provider to ask about my condition, will they have to give my provider proof of who they are?

3. My older parent doesn’t want his doctor to talk to me. What can I do?

This question tends to come up when a family has become concerned about an older person’s mental and/or physical decline. Some older adults will resist their family’s desire to communicate with the doctor. So what can be done?

First of all, as a family member, remember that you are not a “covered entity.” So whether or not a doctor is permitted to disclose information to you, HIPAA does not prevent you from contacting your parent’s doctor and relaying any concerns or information you have.

You can even ask questions; the doctor probably won’t answer them, but it’s good for your parent’s doctor to know what kind of questions your family has.

Otherwise, if your parent has specifically told his doctor to not talk to you, then there are a couple of angles you can consider:

  • Consider the possibility of incapacity. HIPAA does permit doctors to disclose information to family when a patient is incapacitated or otherwise unable to consent to the disclosure.
    • If you think your parent might be incapacitated by cognitive decline, delirium, or another medical problem, ask the doctor to consider this.
    • You can start by voicing concerns in a phone call, but it’s best to eventually put them in writing, because your letter will normally end up scanned into your parent’s medical chart. Be sure to include information on concerning behaviors or incidents that you have observed (such as any of these: 8 Behaviors to Take Note of if You Think Someone Might Have Alzheimer’s).
    • You can learn more about incapacity here: Incompetence & Losing Capacity: Answers to 7 FAQs
  • Has anyone been designated as durable power of attorney for healthcare? HIPAA allows a patient’s representative to request health information.
    • Check any durable power of attorney documentation to see under what circumstances the agent has authority to act. Most documents require the older person to be incapacitated, but some allow the agent to act right away.

Of course, even if you are legally permitted to seek information about your parent’s health, your parent is likely to be angry about your doing so. The decision to override an older person’s decision or preferences is a serious one, and should only be considered under special circumstances.

If you have good reason to believe your parent’s insight and judgment are impaired, then it may be ethically reasonable to override their preference for privacy and take actions that will help them achieve their health and safety goals. Just be sure to think through the benefits and risks of your available options carefully, before you proceed.

Of course, what is better is that older adults plan ahead and tell their children what they should do if their older parent ever seems to be ill or mentally impaired, and refuses assistance. But as most seniors don’t get around to doing this, family caregivers do sometimes have to consider some difficult trade-offs when it comes to privacy versus health, safety, or other goals.

Relevant HIPAA FAQs and other information:

If the patient is not present or is incapacitated, may a health care provider still share the patient’s health information with family, friends, or others involved in the patient’s care or payment for care?

Under HIPAA, when can a family member of an individual access the individual’s PHI from a health care provider or health plan?

Incompetence & Losing Capacity: Answers to 7 FAQs

4. Does a power of attorney for healthcare give me the right to access my parent’s health information?

HIPAA gives a patient’s authorized “personal representative” the right to access information. A personal representative is defined as a person authorized, under State or other applicable law, to act on behalf of the individual in making health care related decisions.

So yes, if you are the durable power of attorney for healthcare, then you will have a right to access your parent’s health information, provided you are currently authorized to act.

A power of attorney document should specify under what conditions the agent can act. Some are “springing,” which means the agent can only act if the “principal” (the person signing the document) is incapacitated.

But other durable power of attorney documents may allow the agent to have authority to act right away. In this case, you can act unless there is a conflict with what the principal says (assuming the principal has not been deemed incapacitated).

For more information:

Guidance: Personal Representatives

Individuals’ Right under HIPAA to Access their Health Information

Addressing Medical, Legal, & Financial Advance Care Planning

5. My parents want their doctors to share health information with me. How can we make sure the doctors do this?

The best approach is for your parents to bring this up with their doctors and ask what should be documented, to ensure this.

Even though HIPAA itself does not require patients to provide written authorization in order to disclose information to family, clinicians usually feel more comfortable disclosing information if the patient has put something in writing. Many clinics have forms available for this purpose.

Another thing to consider is having your parents designate you as durable power of attorney for healthcare. Consider having your parent indicate that your authority is effective immediately, rather than upon incapacity. (This is an option on health POA forms in California.) This will confirm your status as their “personal representative,” when it comes to requesting access to their medical information.

For more information:

How can I help make sure my health care providers share my health information with my family, friends, or others involved in my care or payment for my care when I want them to?

Super Useful HIPAA Resources

I’ve tried to cover the practical basics for caregivers in this article, but of course, there’s a lot more to HIPAA and medical privacy. As of 2020, there has also been additional guidance provided related to COVID, which you can find here: HIPAA and COVID-19.

Here are some of my favorite resources.

HIPAA Resource List

Your Rights Under HIPAA

A Patient’s Guide to the HIPAA Privacy Rule: When Health Care Providers May Communicate About You with Your Family, Friends, or Others Involved In Your Care

HIPAA FAQs for Individuals

HIPAA FAQs for Professionals: Disclosures to Family and Friends

California Civil Code (regarding disclosures to family): CHAPTER 2. Disclosure of Medical Information by Providers

Individuals’ Right under HIPAA to Access their Health Information (Includes FAQs)

Next Step in Care Guide: HIPAA: Questions and Answers for Family Caregivers

Final Tips

Here are a few final tips for you to keep in mind, if you ever want to talk to a doctor about a relative’s healthcare.

  • Plan ahead if possible.
    • Older people should consider how their family might be able to communicate with doctors in the event of an emergency, or even in the event of developing memory or thinking problems.
    • Find out how your family’s usual doctors and health providers will be most comfortable disclosing health information. Complete release of information forms ahead of time if possible.
    • Every older person should complete a durable power of attorney form for healthcare. Consider giving the agent authority to act immediately; this will enable the agent to request medical records even if the older person has not been proven to be incapacitated.
  • Consider researching your state’s laws governing disclosure of health information to family and friends.
    • Many states have laws similar to HIPAA, but some may impose additional restrictions.
  • Be prepared to politely help inform clinicians of what HIPAA permits. Some clinicians may not realize that HIPAA does allow them to talk to you about your relative’s health, depending on the circumstances.
    • Consider printing out a copy of the relevant HHS HIPAA FAQs for Professionals: Disclosures to Family and Friends.
    • For a good NPR story confirming that hospital employees and health providers often do NOT understand your access rights: It’s Your Right To See Your Medical Records. It Shouldn’t Be This Hard To Do.
    • Remember that although HIPAA permits clinicians to disclose information under many circumstances, such disclosures are not required. Clinicians are only required to disclose health information when a patient — or authorized representative — requests this, based on the patient’s right of access.

This article was first published in August 2017 and was last reviewed and updated in March of 2022.

When can you share information about a patient?

Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm.

What are examples of HIPAA violations?

Most common HIPAA violation examples:

1) Lack of encryption
2) Getting hacked or phished
3) Unauthorized access
4) Loss or theft of devices
5) Sharing information
6) Disposal of PHI
7) Accessing PHI from an unsecured location

Which of the following is not considered PHI?

What is not PHI? De-identified health information neither identifies nor provides a reasonable basis to identify an individual. Health information by itself, without the 18 identifiers, is not considered to be PHI. For example, a dataset of vital signs by itself does not constitute protected health information.