Information Release to Patient Families and Caregivers: What Does HITECH/HIPAA Actually Say?

One of the most important objectives of the HIPAA Privacy Rule—and the HITECH Act in particular—was to ensure that consumers have easy and affordable access to their own protected health information. The regulations also clarified how and when medical information about a patient could be disclosed to a person’s caregiver, family member, friend, and personal or legal representative.

Yet, confusion and misinformation linger among HIPAA-covered entities that prefer to withhold information from a patient’s friends and representatives just to be on the safe side. After all, while HIPAA has clear guidelines about who can and cannot receive information, it is not a one-size-fits-all regulation since it designates much of the decision making to the covered entity’s “professional judgement.”

In the past, Journal of AHIMA has addressed how consumers can access their own information, as well as access the records of deceased individuals. This article will take a closer look at how exactly HIPAA applies to family, friends, caregivers, and personal representatives.

Defining Caregivers and Personal Representatives

According to the Department of Health and Human Services (HHS), the Privacy Rule does not require a healthcare provider or health plan to share information with your family or friends unless they are your personal representatives. But there are some circumstances in which providers or plans can share your information with family and/or friends. According to the HHS website, these include:

  • They are involved in your healthcare or payment for your healthcare
  • You tell the provider or plan that it can do so
  • You do not object to sharing of the information
  • If, using professional judgment, a provider or plan believes that you do not object

For example, a personal representative can pick up medications at a pharmacy for someone else; a doctor can share medical information with the person who accompanies a patient to an appointment; if the patient is incapacitated and no authorization can be obtained, a provider can share information with a friend or relative, though only if it’s in the patient’s best interest.

Carlyn Choate, RHIA, CHPS, MSHI, a privacy and security compliance analyst for a public government agency and a member of AHIMA’s privacy and security practice council, says a good example of this was when her organization treated a 20-year-old woman whose mother was paying the bill. Choate says the medical team was hesitant to give the mother any information about her daughter’s care. Choate advised that if the patient explicitly said “my mom is making the payment” for this encounter then the provider could give the mother treatment information and answer questions about it without authorization from the daughter. If the mother wanted more information about her daughter’s health, outside of the one encounter she was paying for, the daughter would have to provide written or verbal authorization to the provider, Choate says.

“We have to be careful when we say personal representative. What does that mean? You could have a legal personal representative that follows up with the legal work saying you are the person’s power of attorney (POA), but when you have POA, you have different levels of POA, it can be a mother, it can be a daughter, a family member, a friend who has POA, but depending on the level of POA, it’s going to determine upon what they can and can’t receive. They may have a POA that is just financial, but that doesn’t mean it’s healthcare-related,” Choate says.

If an individual has designated someone as their medical POA, providers should keep that documentation on file. But when in doubt, a provider should always ask the patient who it is OK to share information with, and keep their response on file.

Another example of verbal authorization can occur when a doctor’s office follows up with a patient over the phone to schedule an appointment or give test results. If the patient says “In the future, you can give any messages to my husband,” the provider can consider the husband to be a personal representative.

The US Department of Health and Human Services has recognized the challenges providers and consumers face when requesting information and released a suite of consumer-facing and industry-centric tools to help clarify the rules. HHS’s Office of the National Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR) created a series of informational videos aimed at patients who are seeking their information. It also published a “Patient Engagement Playbook,” which includes information for designating proxy access for electronic health record (EHR) patient portals, as well as clarifications about who, aside from the patient, can receive information about the patient’s care.

Handling Health Information When a Patient’s Incapacitated

HIPAA falls into a grayer area when a patient is incapacitated and cannot give a provider verbal authorization to disclose information to friends, relatives, or others who may be involved with the patient’s care. Unless a patient has a designated healthcare POA, the provider must use his or her professional judgement.

“When patient is not present or incapacitated, we can share an individual’s information with friend or family or others involved in their care or payment for care as long as the provider determines, based on professional judgement, on doing so that’s in the best interest of the individual. When there’s someone other than a family or a friend involved, [the provider should] make reasonable determination that the individual is actually involved in his or her payment for care or care,” Choate says.

For example, if a doctor has treated a patient for dementia and has met their primary caregiver in the office or inpatient settings, the doctor may decide to share information with that same caregiver when the patient is incapacitated.

Choate cited a case in which a patient in a physician’s waiting room passed out, which caused the office’s nursing staff to call 911 for an EMS team. After the patient recovered from her illness, she filed a lawsuit against the doctor’s office and EMS staff for discussing her PHI in front of strangers while responding to her emergency. In this case HIPAA protects the nursing staff’s professional judgement to call EMS since it was in the best interest of the patient.

“HIPAA doesn’t want to prohibit that person’s ability to receive care,” Choate says. “It’s not meant to be so restrictive that that person shouldn’t be able to receive care just because they don’t have the ability to communicate.”

Mary Butler is the associate editor at The Journal of AHIMA.


  1. I believe my POA brother in Stockton should put in writing for my Careprovider sister in Redding to handle my Father’s Medical Affairs when needed. He says he can call the hospital? I told him his Medical Release in writing is needed. He does not believe me. Can you email me this requirement for my 92 year old father’s care now out of his home? Thank you. Jeanette. My brother’s name is Danny… They won’t know who is calling on a phone.

  2. In a healthcare facility can a POA be given written information pertaining to his/her family member without violating HIPAA?

  4. Can an ROI be signed by a patient’s relative and records given to that person if a patient gave verbal consent?

  5. I am very confused. My Mom was brought into the hospital 2 different times by my sister. 1st time, very bad pains in her stomach. Tests were done, come to find out she had a Gallstone, according to my Mom. She was put on medication to dissolve it. When I talked to her a couple weeks after that, she had commented that she was feeling better and that the gallstone was gone. Then she was back at the hospital for pains in her legs. They wanted to run a bunch of tests again, a lot of the same ones she had done on the first visit. My sister refused to have the tests done. When I found this out, again from my Mom, I was very upset, not knowing what could be going on with her since the 1st visit. Also another concern is my Mom was not taking her medication properly. There was this 1 pill she was to be taking on an empty stomach, 1 hour before eating; she was taking it with her breakfast. This also upset me. I have a few facts, I guess might be helpful: I have had a falling out with my sister, as she is the “caregiver” for my Mom and I don’t feel my Mom is being taken care of properly. My Mom is 98 yrs. old. As I can see a drastic change in her. She has been isolated, due to my sister’s actions. I am just wondering if there is any way for me to get medical records of my Mom, as supposedly my sister is “in charge” of her matters. Oh now my Mom is saying that she still has the stomach pains and the Gallstone is not gone.

  6. I call in all of my husband’s prescriptions. I don’t even think he knows everything he takes…
    He has Wegener’s Disease. I also pick them all up from the pharmacy. I get results from tests, etc…
    I’ve been doing this for 7 months. I called CVS yesterday to see what prescriptions he has ready and they would not release the names of them to me without a power of attorney??? Is this right? Only reason I wanted to know which ones were ready is because they sometimes do automatic refills on things he is no longer taking and I end up purchasing them without realizing this.

  7. Does a medical provider, in this case a hospital, have the right to deny electronic communications between a hospital and nursing home? Nursing home claims they never got a prescription faxed to them from hospital. When patient requested all communications between hospital and nursing home, hospital informed patient that communications were not part of patient’s HIPAA records.

  8. I had to make my daughter my power of attorney. How can I stop this?

  9. For verbal ROI over the phone, what is the standard for verification? I.e. if a patient calls and gives 3 different identifiers and requests that previous records be sent to a new office and it is documented in their chart and the call is recorded, can a provider in good faith adhere to the request and send the information to the new provider?

  10. Can employees from another facility come in and talk to a resident without the POA present?

    They had no identification or business cards.

  11. I am a 53 year old. My father has walked into my doctor’s office in FL and claims that he has POA over me. I did sign a letter while I was in Boston, which his lawyer friend said was about something else. How can I stop him from getting info from my doctors?
