
Navigating patient privacy with loved ones and clergy

The issue of sharing patient information with family and friends is mostly a question of the patient’s capacity to agree. Patients who are present and capable must consent to have their protected health information (PHI) shared. Conversely, in cases where patients are incapacitated, providers can exercise their professional judgment to disclose PHI in a way that is in the patient's best interest. 

Appendix H of a National Academies Press (US) report notes, “Under the Family and Friends Rule, health care providers exercise substantial discretion in determining what, if any, health information can be shared. This discretion can impede caregivers' access to needed information. Variability in disclosure can depend on the health care provider's professional knowledge, familiarity with the family, personal attitudes, perceptions, and biases.”

For example, a provider can discuss post-surgery mobility needs with a relative driving the patient home but cannot share unrelated medical history with a friend. Facilities may also list a patient’s name, location, and general condition in the facility directory, and may disclose a patient’s religious affiliation to clergy, unless the patient objects. Because the directory rule applies uniformly, it enables spiritual care (e.g., last rites) without the facility having to favor any particular religion. However, facilities are required to inform patients about directory policies and honor opt-out requests.

 

The role of capacity in healthcare decisions

Clinical capacity is a patient's ability to understand, retain, weigh, and communicate decisions about their care. Capacity is decision-specific: a patient with dementia, for example, may lack the capacity to consent to complex surgery but retain the ability to approve routine blood tests. From a legal standpoint, capacity has to be differentiated from competence. While courts adjudicate competence, clinicians assess capacity through structured evaluations that address four key elements, described in a Psychological Medicine study as:

  • Understanding relevant information
  • Appreciating its consequences
  • Reasoning through alternatives
  • Communicating a choice

Tools like the Aid to Capacity Evaluation (ACE) help standardize this process, reducing subjectivity in high-stakes scenarios (e.g., refusing life-saving treatment). However, challenges persist: cognitive assessments like the Mini-Mental State Examination (MMSE) correlate with capacity but cannot fully capture decision-making ability, as a high score does not guarantee understanding of medical risks.  

 

HIPAA for family and friends 

The Privacy Rule allows disclosures to family or friends only if the patient explicitly consents, does not object when given the opportunity, or if providers reasonably infer non-objection based on circumstances. For example, a provider may discuss a patient’s medication regimen with a family member present in the exam room if the patient nods in agreement or remains silent without protest. 

When patients are incapacitated or not present, providers may use professional judgment to decide whether a disclosure is in the patient’s best interest, and may then share only the information directly relevant to the recipient’s involvement in the patient’s care or payment. An unconscious patient’s spouse might receive updates on their condition, but only if the provider reasonably believes the disclosure aligns with the patient’s welfare. The same provision (45 CFR §164.510(b)(3)) covers emergency circumstances in which the patient cannot practicably be given the opportunity to agree or object, but non-emergent scenarios lack standardized protocols, which risks inconsistent practices.

 

HIPAA and the clergy 

The function of religion in healthcare is discussed in the 2006 study ‘Privacy and patient–clergy access: perspectives of patients admitted to hospital’, “Patients, however, consider spiritual and physical health to be of equal importance and recognise that spiritual needs may increase during illness. To deal with patients' desires in these topics, many hospitals rely on local clergy who make regular rounds to visit members of their congregation or those identified to be of their faith.”

Under the facility directory provision, 45 CFR §164.510(a), healthcare facilities may maintain a directory containing a patient’s name, location in the facility, condition in general terms, and religious affiliation. Name, location, and general condition may be disclosed to people who ask for the patient by name; religious affiliation may be disclosed only to clergy. §164.510(a) requires that facilities inform patients of the directory policy and give them an opportunity to restrict or prohibit some or all of these disclosures.

That notice must be given at admission (or as soon as practicable afterward if the patient is incapacitated on arrival) or through the notice of privacy practices. Patients may restrict access orally or in writing, and facilities must honor these preferences. Clergy access is not automatic in practice either: the Privacy Rule requires covered entities to verify the identity and authority of a person requesting PHI, and many facilities do this by credentialing visiting clergy (e.g., issuing badges).

 

The ethical questions that come with religious accommodations 

While HIPAA allows facilities to disclose religious affiliation to clergy unless patients opt out, inconsistent enforcement and overlapping state laws create ambiguity. A hospital might share a patient’s religious identity with a chaplain without explicit consent, potentially exposing them to discrimination if the chaplain’s institution holds biases against certain faiths. These practices align with critiques of “accommodation” as a tool for systemic disadvantage, where religious minorities are framed as requiring extraordinary provisions rather than being integrated into standard care protocols. 

Patient safety and equity are further strained when religious accommodations intersect with data sharing. Title VII mandates reasonable accommodations for employees’ religious practices (e.g., exemptions from flu vaccines), but these protections may clash with patient welfare during outbreaks. This is especially true considering the vague wording for sincerely held religious beliefs as, “any theistic or non-theistic system of belief that offers an answer to a fundamental life question.”

 

The indirect effects of the ADA religious accommodations 

Title III of the Americans with Disabilities Act (ADA) exempts “religious organizations or entities controlled by religious organizations” from its public accommodation requirements (42 U.S.C. §12187), creating a carve-out that indirectly influences how disability rights are enforced in faith-based settings. Private religious schools or nursing homes operated by churches are therefore exempt from Title III’s accessibility and reasonable modification requirements, leaving disabled individuals reliant on Section 504 of the Rehabilitation Act, which applies only if the institution receives federal funding. The result is a patchwork system where protections depend on funding sources rather than universal standards.

 

How the common law privacy torts still impact data privacy even when HIPAA does not apply

Common law privacy torts are legal claims that protect people from having their personal life unfairly exposed or invaded by others. There are four main types: 

  • Intrusion upon seclusion, which happens when someone invades a person’s private space (like secretly recording them at home)
  • Public disclosure of private facts, which is when someone shares highly personal information that isn’t newsworthy (like medical records or financial details) without permission
  • False light, which means spreading misleading or offensive information that makes someone look bad (even if it’s not outright defamation)
  • Appropriation of likeness, where someone’s name or image is used for commercial gain without their consent (like using a person's photo in an ad without asking)

Intrusion upon seclusion, the tort recognized by the Ontario Court of Appeal in Jones v. Tsige (2012), allows individuals to sue for unauthorized access to private information, even when HIPAA does not apply. In Byrne v. Avery Center for Obstetrics and Gynecology (2014), the Connecticut Supreme Court permitted a patient to pursue common law claims for negligence and emotional distress after a healthcare provider released her medical records in response to a subpoena without notifying her or challenging the subpoena.

The court ruled that HIPAA does not preempt state tort claims: it sets a “floor” for privacy rights but does not override state law remedies for breaches of confidentiality. In Byrne, the plaintiff alleged that the provider’s failure to challenge the subpoena or notify her violated a duty of care, even though HIPAA does not explicitly mandate such actions. The court allowed the claim to proceed on the assumption that Connecticut’s common law recognizes a negligence claim for privacy breaches during subpoena compliance, and noted that HIPAA’s standards may inform what that standard of care requires.

 

What are personal representatives? 

Personal representatives are individuals legally authorized under state or other applicable laws to act on behalf of a patient in making healthcare decisions, effectively “standing in the shoes” of the patient for purposes of accessing PHI. For example, a parent of an unemancipated minor, a court-appointed guardian, or a person with a valid healthcare power of attorney (POA) qualifies as a personal representative. A personal representative may exercise rights such as requesting access to PHI, authorizing disclosures, or filing complaints, but only to the extent their authority under state law permits.

 

How to securely share PHI with family and friends 

  1. Obtain explicit consent if the patient is present and capable, either verbally or in writing, before sharing PHI.
  2. Use professional judgment to disclose PHI to family/friends if the patient is incapacitated or not present, but only share information directly relevant to the recipient’s involvement in the patient’s care or payment.
  3. Limit disclosures to the minimum necessary (e.g., share only the patient’s general condition, not full medical history).
  4. Verify the requester’s identity (e.g., confirm their role in care) before sharing PHI, even if HIPAA does not mandate formal proof.
  5. Document all disclosures in the patient’s record, including the rationale for sharing PHI without consent.
  6. Respect patient objections to sharing PHI with specific individuals, even if they are family.
  7. Avoid sharing PHI via unsecured channels (e.g., unencrypted email, text messages), and instead use HIPAA compliant email and text messaging platforms like Paubox.
  8. Train staff on HIPAA guidelines for family/friend disclosures to prevent unauthorized access.
  9. Use HIPAA compliant authorization forms for recurring disclosures (e.g., designating a family member as a personal representative).
  10. Restrict directory information (e.g., name, location) if the patient opts out, and inform them of this right during admission.

 

FAQs

What PHI can be shared with family/friends?

Providers may disclose only information directly relevant to the individual’s involvement in care or payment.

 

How do providers verify family/friends’ identities?

HIPAA does not require proof of identity (e.g., no need to verify a caller’s name), but providers may adopt stricter policies (e.g., confirming the patient’s relationship with the requester).

 

Can family/friends pick up prescriptions or medical supplies?

Yes, without prior written authorization, as long as the patient sends them to retrieve the items or the pharmacist can reasonably infer from the circumstances that the patient would not object.

 

What if a patient objects to sharing PHI with family/friends?

Providers must honor objections unless disclosure is required by law or necessary for emergency care.