HIPAA allows contacting a patient’s emergency contact or family members in situations where the patient is unable to consent, using professional judgment to determine if the disclosure is in the patient’s best interest. Providers must share only the minimum necessary information, verify the contact’s identity, and use secure communication methods, such as phone calls with limited details or encrypted emails if appropriate. Additionally, all communications should be thoroughly documented for compliance.
The Privacy Rule under section 45 CFR 164.510(b) sets clear guidelines regarding how protected health information (PHI) can be shared with a patient's family and friends. If the patient is present and capable of making decisions, providers can share information with others, so long as the patient agrees or does not object. For instance, if a patient brings someone with them to their appointment, the doctor may discuss care details with both individuals.
However, there are exceptions, particularly if the patient is incapacitated or in a situation where they cannot provide consent. In such cases, healthcare providers may exercise professional judgment to determine if disclosing limited information is in the best interest of the patient. The Physicians Practice explains that providers “can share patient information in an emergency to treat the patient, protect the public, and for other critical purposes.”
Use the contact information provided by the patient in their medical record or intake form. Verify the identity of the person you’re contacting by asking simple, non-sensitive questions, such as their relationship to the patient, to further protect patient privacy.
When sharing patient information with family members or emergency contacts, the minimum necessary rule requires that you only disclose basic information relevant to the current situation. For example, if informing an emergency contact that a patient has been admitted for observation, avoid providing unrelated details about the patient’s medical history. Keeping information brief and relevant protects privacy while conveying critical updates.
Choose secure communication methods to ensure HIPAA compliance. Phone calls are generally acceptable, provided they are made using the patient’s verified emergency contact number. When leaving a voicemail, avoid sharing detailed medical information.
For electronic communication, HIPAA encourages using secure messaging platforms or encrypted email, such as that offered by Paubox. These methods protect patient information from unauthorized access. Avoid using unencrypted emails or standard text messages, as these lack the necessary security protections. When family members are physically present, conduct discussions in private areas to prevent unauthorized parties from overhearing sensitive information.
Maintaining clear documentation of communications with emergency contacts or family members helps maintain HIPAA compliance and provides a record for future reference. Record the date, time, and content of the conversation, including why it was necessary to share specific details. This documentation can support accountability and serve as a reference if any questions arise about the communication.
HIPAA-compliant communication practices should be part of regular staff training. That includes guidance on verifying contacts, maintaining privacy, limiting information, and choosing secure communication methods. Regularly updating staff on HIPAA requirements and communication protocols helps create a consistent approach and reduces the risk of unauthorized disclosures. Healthcare organizations should develop clear protocols to standardize these practices and protect patient privacy.
In critical situations, providers can use professional judgment to contact a close family member if it’s considered necessary and in the patient’s best interest.
HIPAA generally discourages text messaging due to security risks. If text communication is used, it should be through a HIPAA-compliant platform, limited to minimal information without sensitive details, and patient or contact preferences should be respected.