What you need to know about sharing PHI with family

Healthcare organizations must ensure HIPAA compliant communication with family members and caregivers to protect patient privacy, avoid unauthorized disclosures, and maintain legal compliance. Organizations must obtain patient consent, limit the information shared to only what is necessary, use secure communication methods like encrypted emails or text messaging, and follow strict documentation and verification procedures.

 

The HIPAA Privacy Rule and family communication

The HIPAA Privacy Rule is the foundation for managing patient information and sets clear rules for what can and cannot be shared with family members or caregivers. According to the HHS, "The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object."

 

Patient authorization and consent requirements

You must obtain patient consent when sharing patient health information with family members. Verbal consent is sometimes enough, but when dealing with more sensitive matters, written authorization is preferred. For example, if an adult patient wants their spouse to have access to test results, written authorization ensures there’s a clear record of this permission.

 

What should be included in written authorizations?

  • State which family members or caregivers can receive information.
  • Define the scope of information being shared.
  • Include the duration of consent and details on how patients can revoke it if needed.

Patients can also revoke consent at any time, so healthcare providers must have procedures in place to document and respect these requests promptly.

 

Permitted disclosures without patient authorization

In some situations, HIPAA allows information to be shared with family members or caregivers without formal patient authorization: 

  • Emergencies and incapacitation: If the patient is unconscious or unable to provide consent, healthcare providers can share health information with family members to ensure appropriate care is provided. The provider must use their professional judgment to determine what is in the patient's best interest.
  • When the patient is present: If the patient is present during a conversation, implied consent may be assumed, especially when the patient invites the caregiver to participate in discussions. For example, if a patient brings a caregiver to a follow-up appointment, it’s reasonable to discuss care details in their presence.
  • Care coordination: When family members or caregivers are actively involved in providing or coordinating care, HIPAA permits providers to share information necessary for effective care. For example, caregivers may need specific details about medication administration or follow-up treatments.

 

In the news

Martha Smith-Lightfoot's suspension for a HIPAA violation is a significant example of the repercussions that can arise from disregarding patient consent protocols. By taking a list of over 3,000 patients' information without proper authorization, Smith-Lightfoot violated HIPAA regulations and also breached the trust between healthcare providers and patients. 

Notably, the University of Rochester Medical Center (URMC) faced a $15,000 fine for the breach, stressing the importance of consent and staff training. 

 

The Minimum Necessary Rule

The Minimum Necessary Rule states that only the minimum amount of information necessary to accomplish the intended purpose should be disclosed.

For example, if a caregiver is responsible for ensuring that a patient takes their medication correctly, the healthcare provider should only disclose the relevant medication details and dosage instructions, not the patient’s full medical history.

 

Handling specially protected information

Certain types of health information are subject to additional protections, and healthcare professionals must be cautious when disclosing information to family members or caregivers:

  • Mental health and behavioral health information: These are treated with extra sensitivity under HIPAA. Sharing mental health records with family members generally requires explicit patient authorization unless the patient is a danger to themselves or others, in which case disclosures may be allowed.
  • Substance abuse treatment: For patients receiving treatment for substance use disorders, additional privacy rules apply under 42 CFR Part 2. Providers must obtain written patient consent before sharing information, even with family members or caregivers, unless there is an immediate threat to health or safety.
  • Reproductive health information: In certain cases, such as minors seeking reproductive care, special considerations must be made before sharing this information with family members. You must understand HIPAA and state laws that may affect how and when reproductive health information can be shared.

 

Electronic communication with family members and caregivers

Healthcare organizations can communicate PHI with family members through HIPAA compliant email or text messaging. Always use encryption and secure messaging services to protect patient information from unauthorized access.

 

Best practices for secure messaging:

  • Verify the identity of the recipient before sending sensitive information.
  • Avoid sharing PHI through non-secure platforms.
  • Limit the information shared in text messages or emails to the minimum necessary.
  • Use encrypted, secure messaging platforms.

 

Healthcare provider responsibilities and training

To maintain HIPAA compliance in all communications with family members and caregivers, providers must: 

  • Ensure staff compliance: Regularly train staff on HIPAA, particularly regarding communications with family members. Staff should be aware of when they can and cannot share information.
  • Verify identity: Staff must confirm the identity and authorization of the family member or caregiver before sharing any PHI. 
  • Document communication: Document all communications with family members and caregivers, especially when PHI is involved. 

 

Best practices for ensuring HIPAA compliant family communication

  • Train healthcare staff: Provide regular, comprehensive training on the rules surrounding family communication.
  • Obtain explicit consent early: Patients should be encouraged to provide written consent for family communication early in their care process. 
  • Use secure communication tools: Only use encrypted email, HIPAA compliant text messaging, and communication platforms when sharing information with caregivers. Avoid using regular, non-secure email or SMS for this purpose.

 

Common misunderstandings about HIPAA and family communication

  1. Myth: HIPAA always requires written consent to share information with family members. While written permission is required for certain disclosures, HIPAA allows healthcare providers to share relevant information with family members or caregivers in many situations without it. If the patient is present and does not object, or if they involve a family member in their care discussion, verbal consent or even implied consent is often sufficient. However, for more sensitive disclosures or ongoing access to health records, written authorization is recommended.
  2. Myth: In emergencies, providers can share any information with family members. Even in emergencies, HIPAA requires healthcare providers to share only the minimum necessary information to assist in the patient's care. 
  3. Myth: If a patient gives verbal permission once, it covers all future disclosures to that family member. Verbal consent for sharing health information is situational. Just because a patient allows a caregiver to hear certain details during one visit does not mean they have authorized full, ongoing access. Reassess consent regularly and obtain explicit permission for future disclosures, particularly if the patient’s condition or preferences change.
  4. Myth: HIPAA blocks all communication if a patient refuses consent. While patients generally have the right to restrict information sharing, HIPAA allows disclosures to family members or caregivers in cases where it’s necessary to prevent harm. 
  5. Myth: Providers must inform all family members equally. Healthcare professionals are only allowed to share patient information with family members who are directly involved in the patient’s care or have been authorized by the patient. If the patient specifies that only one family member should receive information, strictly follow those instructions and avoid sharing with unauthorized relatives, even if they request it.

 

FAQs

Should healthcare organizations document verbal consent when sharing with family members?

While not explicitly required by HIPAA, it is best practice to document verbal consent or any conversations where family members are given access to patient information, as this helps prove compliance efforts.

 

Can family members access a patient’s complete medical records under HIPAA?

No, family members cannot access a patient’s full medical record unless the patient has provided explicit, written authorization. Otherwise, only relevant information related to their care can be shared.

 

What if a patient changes their mind about sharing information with family members?

Patients have the right to change their preferences at any time. Healthcare providers should update their records to reflect these changes and ensure future communication aligns with the patient’s current wishes.