Disclosure of Patients’ PHI to Family, Friends and the Media

October 11, 2017

In the wake of the Las Vegas mass shooting, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has clarified that the HIPAA Privacy Rule allows patient information to be shared for the following purposes and under the following conditions:

Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification  

A HIPAA covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large.  See 45 CFR 164.510(b).

  • The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible; if the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest. 
  • For patients who are unconscious or incapacitated: A health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient.
  • In addition, a covered entity may share protected health information with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

Individuals, family members and friends may find more guidance on this topic here.

Health care professionals may find OCR’s FAQs on Disclosures to Friends and Family Members here.

Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification 

Upon request for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. See 45 CFR 164.510(a). In general, except in the limited circumstances described elsewhere in this bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient). See 45 CFR 164.508 for the requirements for a HIPAA authorization. OCR’s FAQ on disclosures to the media provides additional information.

Minimum Necessary

For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. (Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.) Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose. Internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties. See 45 CFR §§ 164.502(b), 164.514(d).

OCR offers a number of FAQs on this topic here.

For more detailed information regarding HIPAA privacy and disclosures in emergency situations, click here.

Contact your local LAMMICO Risk Management and Patient Safety representative or dial 504.841.5211 for consultation or additional information.
