Business Insurance
Menu
View all articles

Disclosing PHI to Family Members Under HIPAA

Question: When can a health plan disclose an individual’s PHI to a close family member?

Short Answer: The plan can disclose PHI to a close family member only under certain conditions that depend on the individual’s capacity to make health care decisions.

General Rule: Only Three Permitted Uses of PHI Without Individual HIPAA Authorization

HIPAA permits covered entities to use or disclose PHI for three different reasons:

  • Treatment
  • Payment
  • Health Care Operations

The general rule is that any use or disclosure of PHI by a covered entity or business associate for another purpose requires the individual’s valid HIPAA authorization.

Exception: Disclosing PHI to Close Family Members

There are certain limited, specified situations where a covered entity (e.g., the health plan) may disclose PHI to a family member or close personal friend for care or payment of care purposes.

In general, this form of disclosure requires that the disclosure be of PHI that is directly relevant to the family member’s or close personal friend’s involvement with the individual’s care or payment for care.  Depending on whether the individual has the capacity to make health care decisions, it may also require that the individual first has the opportunity to agree to, prohibit, or restrict the disclosure.

  • Individual has the capacity to make health care decisions:

In this case, the covered entity may disclose PHI to the close family member or personal friend if it:

  1. Obtains the individual’s agreement (written or oral);
  2. Provides the individual with the opportunity to object to the disclosure (and the individual does not object);
  3. Reasonably infers from the circumstances, based on professional judgment, that the individual does not object to the disclosure.
  • Individual is not present, or the opportunity to agree or object to the use or disclosure cannot practically be provided because of the individual’s incapacity or an emergency circumstance:

In this case, providing the individual with the opportunity to object to the disclosure is not possible under the circumstances.  Therefore, the covered entity may, in the exercise of professional judgment, determine wither the disclosure is in the best interest of the individual.  If so, the covered entity may disclose only the PHI that is directly relevant to the family member’s or close family friend’s involvement with the individual’s care or payment related to such care.

For full details on HIPAA, see our ABD Office Hours Webinar: HIPAA Training for Employers.

Regulations

45 CFR §164.510(b):

(b) Standard: uses and disclosures for involvement in the individual’s care and notification purposes.

(1)  Permitted uses and disclosures.

(i)   A covered entity may, in accordance with paragraphs (b)(2), (b)(3), or (b)(5) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s health care or payment related to the individual’s health care.

(ii)   A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as applicable.

(2)  Uses and disclosures with the individual present.

If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it:

(i)   Obtains the individual’s agreement;

(ii)   Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or

(iii)   Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure.

(3)  Limited uses and disclosures when the individual is not present.

If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s care or payment related to the individual’s health care or needed for notification purposes. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual’s best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information.

https://www.hhs.gov/hipaa/for-professionals/faq/1067/may-a-health-plan-disclose-information-to-a-person-who-calls/index.html

May a health plan disclose protected health information to a person who calls the plan on the beneficiary’s behalf?

Answer:

Yes, subject to the conditions set forth in 45 CFR 164.510(b) of the HIPAA Privacy Rule. The Privacy Rule at 45 CFR 164.510(b) permits a health plan (or other covered entity) to disclose to a family member, relative, or close personal friend of the individual, the protected health information (PHI) directly relevant to that person’s involvement with the individual’s care or payment for care. A covered entity also may make these disclosures to persons who are not family members, relatives, or close personal friends of the individual, provided the covered entity has reasonable assurance that the person has been identified by the individual as being involved in his or her care or payment. A covered entity only may disclose the relevant PHI to these persons if the individual does not object or the covered entity can reasonably infer from the circumstances that the individual does not object to the disclosure; however, when the individual is not present or is incapacitated, the covered entity can make the disclosure if, in the exercise of professional judgment, it believes the disclosure is in the best interests of the individual.

For example:

  • A health plan may disclose relevant PHI to a beneficiary’s daughter who has called to assist her hospitalized, elderly mother in resolving a claims or other payment issue.
  • A health plan may disclose relevant PHI to a human resources representative who has called the plan with the beneficiary also on the line, or who could turn the phone over to the beneficiary, who could then confirm for the plan that the representative calling is assisting the beneficiary.
  • A health plan may disclose relevant PHI to a Congressional office or staffer that has faxed to the plan a letter or e-mail it received from the beneficiary requesting intervention with respect to a health care claim, which assures the plan that the beneficiary has requested the Congressional office’s assistance.
  • A Medicare Part D plan may disclose relevant PHI to a staff person with the Centers for Medicare and Medicaid Services (CMS) who contacts the plan to assist an individual regarding the Part D benefit, if the information offered by the CMS staff person about the individual and the individual’s concerns is sufficient to reasonably satisfy the plan that the individual has requested the CMS staff person’s assistance.

ABD Office Hours Webinar: HIPAA Training for Employers

 

 


Brian Gilmore

About the author

Brian Gilmore

Brian Gilmore is the Lead Benefits Counsel at Newfront. He assists clients on a wide variety of employee benefits compliance issues. The primary areas of his practice include ERISA, ACA, COBRA, HIPAA, Section 125 Cafeteria Plans, and 401(k) plans. Brian also presents regularly at trade events and in webinars on current hot topics in employee benefits law. Connect with Brian on LinkedIn.


The information provided is of a general nature and an educational resource. It is not intended to provide advice or address the situation of any particular individual or entity. Any recipient shall be responsible for the use to which it puts this document. Newfront shall have no liability for the information provided. While care has been taken to produce this document, Newfront does not warrant, represent or guarantee the completeness, accuracy, adequacy, or fitness with respect to the information contained in this document. The information provided does not reflect new circumstances, or additional regulatory and legal changes. The issues addressed may have legal, financial, and health implications, and we recommend you speak to your legal, financial, and health advisors before acting on any of the information provided.

Share this article

Keep up to date with Newfront News and Events—

Recommended reading

Year End Compliance Review:  What Are You Missing?

December 1st 2022

View all articles