Q&A: Disclosing PHI to family
Q. The children of an elderly patient at our practice often contact us to request copies of the patient’s records including lab tests and charts. We’ve noted the names of the patient’s children and the patient has verbally confirmed that we may give them access. However, sometimes the children’s spouses or even their own children (the patient’s grandchildren) request information on behalf of the patient’s children. We informed the patient that we cannot share information with these individuals without specific permission. When the patient requested that we also share information with these individuals, several of the patient’s children complained. We would like to help the patient keep her family informed but I’m concerned that we may leave ourselves at risk of a breach with so many other individuals involved and several members of the family unhappy with the situation. Can we ask patients to submit a signed document stating who their personal representative(s) is/are? Can a patient have more than one personal representative?
A. There are two types of disclosures of PHI discussed above, and HIPAA handles these disclosures differently.
The Privacy Rule permits healthcare providers to share limited verbal information with family members and friends involved in the patient’s care. Although consent or written authorization is not required, patients must be given an opportunity to agree or object to the sharing of their PHI. Many physician practices ask patients to complete a form that lists family members or friends with whom information may be shared verbally, listing these individuals by name and their relationship to the patient. The patient may designate as many individuals as he/she chooses, and other family members do not have the right to object to the wishes of a competent patient.
Releasing copies of the patient’s record requires written authorization from the patient. The patient must sign a written HIPAA-compliant authorization form specifying the information that may be provided. If the patient is not competent, authorization must be obtained from the patient’s legal representative (usually someone designated in a durable power of attorney or a medical power of attorney).
Editor’s note: This question was answered by Mary D. Brandt, MBA, RHIA, CHE, CHPS. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your questions to Editor Nicole Votta at nvotta@hcpro.com.