FAQ On Access to Patient Information by Friends and Family

July 15, 2003

Answers to Frequently Asked Questions about Access to Patient Information by Family, Friends, and Others 

Make a Difference

Your support helps the ACLU defend privacy rights and a broad range of civil liberties.

Give Now

(under the HIPAA Privacy Rule)

Introduction

Over the past several months, a number of hospitals and medical facilities have refused to release information about patients to their respective relatives and friends, including whether their relative or friend is a patient at the hospital, and which room he or she is in.[i]  These facilities claim that the Privacy Rule[ii] issued under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires such action.  As explained in this document, these claims are misguided.  The HIPAA Privacy Rule does not prevent hospitals from communicating information about patients to their loved ones.  

The first set of questions and answers address circumstances when your family member, friend, or other person is a patient at a medical facility.  They are:

            When my loved one is a patient at a medical facility, ?

  • Can I find out if my loved one is a patient at a particular hospital? 
  • What other kinds of information can a hospital disclose about my loved one? 
  • What kinds of information can I learn from a hospital when my loved one was unconscious when admitted? 

The second series of questions and answers focus on situations when you are a patient at a medical facility.  They are:

            When I am a patient at a medical facility?

  • Does the medical facility have to obtain my express permission before including my information in its directory? 
  • I do not want to share my information with anyone - not even my closest family members.  Can I request to have my information excluded from my hospital's directory? 
  • Can the hospital tell my member of the clergy (e.g. priest, rabbi, etc.) my room number? 
  • I would like to list my name and room number, but not my medical condition and religious affiliation, in my hospital's directory.  Can I limit the type of information included in my directory listing? 
  • Can my family member, friend, or other person pick up my prescriptions for me at the pharmacy?

When My Loved One is a Patient at a Medical Facility ?

Q: Can I find out if my loved one is a patient at a particular hospital?

A: Generally, yes.  Under the HIPAA Privacy Rule, if you ask for a loved one by name, a hospital or medical facility can usually tell you if he or she is a patient at its facility.[iii]  

There are instances, however, when a hospital or medical facility will not be able to tell you if your loved one is a patient at its facility, such as when your loved one instructs the hospital not to disclose any information about him or her, or when the hospital maintains a policy of not revealing any patient information, unless otherwise directed by the patient. (Such a policy is not required under the Privacy Rule, but has been adopted by some hospitals.) 

Q: What other kinds of information can a hospital disclose about my loved one?

A: The Privacy Rule allows hospitals and other medical facilities to continue their traditional practice of compiling patient directories and releasing that information to the public, unless the patient objects.  Specifically, the Privacy Rule permits these organizations to compile and release: (1) patients' names, (2) their locations in their respective facilities (e.g. room number), and (3) statements of patients' conditions in general terms.[iv]   

Furthermore, the HIPAA Privacy Rule allows health care providers to give family members, close personal friends, or any person who the patient identifies, information relevant to that patient's medical care, such as that person's condition after surgery.[v]   

Q: What kinds of information can I learn from a hospital when my loved one was unconscious when admitted? 

A: Under the Privacy Rule, a hospital or other health care provider ""must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes ? when it becomes practicable to do so.""[vi]  However, in emergency circumstances (such as when an unconscious person is admitted), a hospital or other health care provider may use or disclose the patient's directory information if (1) to its knowledge, the use or disclosure is consistent with any preference the patient had expressed in the past, and (2) the hospital or health care provider determines that it is in the patient's best interest to use or disclose his or her information, in the exercise of its professional judgment.[vii]  

 

When I am a patient at a medical facility, ?

Q: Does the medical facility have to obtain my express permission before including my information in its directory?  

A: Generally, no.  Under the HIPAA Privacy Rule, your medical facility can list your information in its directory without your permission, unless you expressly request to be excluded from the directory.  The Privacy Rule states that a hospital can include your information in its directory as long as, in advance, (1) the hospital informs you of the types of personal medical information it may include, and (2) gives you an opportunity to agree, object, or limit the listing to information you designate.[viii]  

Q: I do not want to share my information with anyone - not even my closest family members.  Can I request to have my information excluded from my hospital's directory?  

A: Yes.  As some people prefer to keep their medical conditions private - even from their closest family members - the Privacy Rule requires that hospitals and medical facilities provide patients with an opportunity to object to, or ""opt out"" of, including their information in their respective directories.[ix]  Therefore, if you want to exclude your information from your hospital's directory, you should ""opt out."" 

While not mandated by the HIPAA Privacy Rule, some hospitals do maintain a policy of presuming that patients want to be kept out of their respective directories unless patients ""opt in.""  If your medical facility has such a policy but you want to be included in its directory, you should ""opt in"" by instructing the medical facility to list your information in its directory.    

Q: Can the hospital tell my member of the clergy (e.g. priest, rabbi, etc.) my room number?

A: Yes.  The HIPAA Privacy Rule permits hospitals and medical facilities to disclose certain information about you to members of the clergy, including religious affiliation, room number, and general medical condition.[x]  However, you may request that your medical facility not disclose your information, or to disclose only the information you specify, to members of the clergy.[xi]

Q: I would like to list my name and room number, but not my medical condition and religious affiliation, in my hospital's directory.  Can I limit the type of information included in my directory listing?  

A: Yes.  Hospitals and medical facilities, under the Privacy Rule, must provide patients with an opportunity to ""restrict or prohibit some or all of the uses or disclosures"" of their personal medical information.[xii]  

Q: Can my family member, friend, or other person pick up my prescription for me at the pharmacy? 

A:  Yes.  The Privacy Rule allows a family member or other individual to ""pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information"" on a patient's behalf.[xiii]  Under the Privacy Rule, a pharmacy or other health care provider, in accordance with professional judgment and common practice, may reasonably infer that it is in the patient's best interest to allow someone other than the patient to pick up filled prescriptions. [xiv]



[i] See e.g. Laurie Tarkan, Sorry, That Information Is Off Limits: A Privacy Law's Unintended Results, N.Y. Times, Jun. 3, 2003, at F2.

[ii] Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. §§ 160, 164 (2000) (hereinafter ""Privacy Rule"").

[iii] 45 C.F.R. § 164.510(a)(1)(ii)(B).

[iv] 45 C.F.R. at § 164.510(a)(1)(i) - (ii).

[v] 45 C.F.R. at § 164.510(b)(1)(i).

[vi] 45 C.F.R. at § 164.510(a)(3)(ii) (emphasis added).

[vii] 45 C.F.R. at § 164.510(a)(3)(i).

[viii] 45 C.F.R. at § 164.510(a)(2).

[ix] Id.

[x] 45 C.F.R. at § 164.510(a)(1)(ii)(A).

[xi] 45 C.F.R. at § 164.510(a)(2).

[xii] Id.  

[xiii] 45 C.F.R. at § 164.510(b)(3).

[xiv]Press Release, U.S. Dep't of Health & Human Servs., HHS Issues First Guidance on New Patient Privacy Protections (Jul. 6, 2001), at http://www.hhs.gov/ocr/hipaa/20010706.doc; see also Your Frequently Asked Questions on Privacy: Can a Patient Have a Friend or Family Member Pick Up a Prescription for Her? (U.S. Dep't of Health & Human ServS. Mar. 3, 2003), at http://answers.hhs.gov (last visited Jun. 9, 2003).

Statistics image