HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Can healthcare organizations share patient information with a caller?

Written by Kirsten Peremore | Oct 15, 2024 10:24:57 AM

Healthcare organizations can share a patient's information with a caller if the patient has agreed to it and the caller follows specific privacy rules.

 

What HIPAA says 

The provisions of 45 CFR 164.510(a) guides healthcare organizations in managing and sharing a patient's location or directory information with callers or other third parties. This section of HIPAA allows hospitals to inform someone about a patient’s location and general condition if the patient has not objected to being included in the directory. 

For instance, if you are admitted to the hospital and agree to be listed in their patient directory, the hospital can tell callers where you are and provide a basic update on your health status, such as describing your condition as "stable" or "critical." Information sharing is designed to keep your family and friends informed during your hospital stay, without compromising your privacy. 

 

The conditions for sharing patient's information with callers

According to HHS guidance, “The Privacy Rule permits covered entities to maintain more than one type of patient directory, and to maintain multiple versions of them, provided that the other requirements at 45 CFR 164.510(a) - PDF also are followed.” This means that granted the following conditions are met, the information from facility directories can be shared. 

These include: 

  1. When the patient has agreed to be included in the hospital's directory.
  2. If the caller asks for the patient by name and the patient has not objected to this information being disclosed.
  3. If the information shared is limited to the patient's location within the facility and general condition (e.g., stable, critical).
  4. When sharing the information serves the patient's best interest and there are no expressed objections from the patient.
  5. If the healthcare provider reasonably believes the patient would not object to the disclosure, especially if the patient is incapacitated and unable to provide direct consent.
  6. In emergency situations where disclosing information might assist in the care or treatment of the patient.
  7. If required by law or for public health activities, provided such disclosures comply with the minimum necessary information rules under HIPAA.

 

Best practices

  1. When a patient is admitted, ask for their consent to be included in the hospital's directory and to have their information disclosed. Clearly explain what being included in the directory means and what information might be shared.
  2. Before disclosing any information, verify the identity of the caller by asking them to provide specific details about the patient (such as full name or birthdate). This ensures that information is only given to individuals who have a right to know.
  3. Only disclose the location of the patient within the healthcare facility and their general condition (e.g., stable, critical, discharged). Avoid providing specific medical details or diagnoses over the phone.
  4. Ensure that only authorized personnel have access to the patient directory and are trained on when and how information can be disclosed in line with HIPAA guidelines.
  5. Keep the patient directory up-to-date to avoid sharing incorrect information. Regular updates also help manage changes in patient consent over time.
  6. Keep a record of when patient information is disclosed, including the details of the requester and what specific information was shared. This documentation can be crucial for compliance audits and any potential disputes.
  7. Periodically reconfirm consent with long-term patients, as their preferences for privacy may change over time or with varying circumstances.
  8. Employ secure systems to manage directory information and ensure that any electronic sharing of information is encrypted by using communication methods like HIPAA compliant email.

See also: Top 12 HIPAA compliant email services

 

FAQs

What is a facility directory? 

A facility directory is a list hospitals use to track and share limited information about patients, like their location and general condition, with callers or visitors who ask for them by name.

 

What is PHI?

Protected health information includes any information that can identify an individual and relates to their health, treatment, or payment for healthcare.

 

Is a patient's condition a part of their PHI?

Yes, a patient's condition is part of their PHI because it is information related to their health status.