Sharing Patient Information with Family Over the Phone

When sharing patient information with family over the phone, healthcare providers need to ensure they verify who they are speaking to, that the patient has not objected to their health information being shared, and that any details disclosed to family members comply with the HIPAA Minimum Necessary Standard.

When a patient enters hospital, it is understandable that family members want to enquire about their wellbeing. One of the most common ways in which people enquire about a hospitalized family member is via the phone. However, hospitals´ rules about sharing patient information with family over the phone can vary considerably – with some hospitals refusing to disclose any information unless the patient has given their prior consent, while others may disclose more than they should.

The reason for hospital rules varying so much is the HIPAA Privacy Rule. One of the objectives of the Privacy Rule is to protect the privacy of patient health information. However, the “Standards for the Privacy of Individually Identifiable Health Information” are designed to accommodate many different types of HIPAA Covered Entities (large healthcare organizations, rural medical practices, pharmacies, etc.) and are often applied in different ways – even by Covered Entities of the same type.

Consequently, it is possible for two identical hospitals to have completely different rules about sharing patient information with family over the phone. Furthermore, within these rules, patients have the right to choose whether or not they want their information shared (generally or in a hospital directory), what information they want shared (general or specific medical condition), and who the information can be shared – or not shared – with (i.e., spouses and children only).

What Information Can Hospitals Give Over the Phone?

According to § 164.510 of the HIPAA Privacy Rule, hospitals can maintain a directory of patients in their facility which record the patient´s name, their location in the facility, their religious affiliation, and their condition described in general terms. Patients should be told the information is being included in the directory and given the opportunity to object. However, specific patient consent is not required to release this information to family or members of the clergy over the phone.

There is a clause in § 164.510 that allows hospitals to disclose to a family member “protected health information directly relevant to such person’s involvement with the individual’s health care”. This clause is intended to provide information to family members that will be looking after the patient on their discharge from hospital and it is assumed (as the family member will be involved in the patient´s post-hospital care) that the patient´s consent to share this information exists.

All other disclosures of protected health information require an authorization from the patient unless it is not possible to obtain an authorization due to incapacity. In this circumstance, a healthcare provider can exercise their professional judgement to determine whether the disclosure of protected health information is in the best interests of the patient. However, information shared with family over the phone should only relate to the patient´s current condition and not past medical history.

Procedures for Sharing Patient Information with Family Over the Phone

One of the reasons for hospitals adopting more stringent HIPAA telephone rules than necessary is to avoid an unauthorized disclosure of protected health information that results in a patient complaint and a possible inspection by the HHS´ Office for Civil Rights. Although it is unlikely that a hospital would be fined for an unintentional HIPAA violation, the indirect costs of complying with a Corrective Action Order that requires HIPAA refresher training could be substantial.

Therefore, procedures should be developed for sharing patient information with family over the phone to verify the identity of the caller and ensure that the patient has not objected to their health information being shared with the caller. Thereafter, even if patient has given their authorization for more than the information recorded in the hospital directory to be shared with the caller, the health information disclosed to family over the phone should be no more than the minimum necessary.


Can nurses give patient information over the phone?

Subject to the conditions mentioned above and internal hospital policies, any member of a Covered Entity´s workforce is allowed to give patient information over the phone. Doctors and nurses directly involved in the patient´s care are naturally the best people with whom to discuss the patient´s wellbeing, but in some hospitals HIPAA communications may be assigned to dedicated office.

Why might two identical hospitals have different HIPAA telephone rules?

HIPAA Covered Entities are required to develop policies and procedures based on an analysis of a risk assessment. As each Covered Entity is unique, it is likely each will identify unique threats to the privacy of patient health information and develop different policies and procedures – including different HIPAA telephone rules – to mitigate the threat of an unauthorized disclosure.

What procedures should be implemented to verify caller identities?

This will vary according to the nature of a hospital´s location, operations, and existing relationships with patients´ families. For example, healthcare professionals in a rural medical practice may already know all the members of a patient´s family by name, whereas in a large city maternity hospital, it may be necessary to implement more stringent procedures for verifying caller identities.

If a hospital discloses patient health information without consent, what happens?

If a hospital discloses patient health information without consent, the patient has the right to complain to the Department of Health and Human Services´ Office for Civil Rights. The complaint can be made via the Office for Civil Rights´ complaints portal or to any state Department of Health and Human Services by phone. It is not necessary to inform the hospital a complaint is being made.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X