I was recently asked about the following situation:

If a patient’s wife, mother, husband, father, or friend calls in to make an appointment on their behalf, what all can I discuss with them? Do I need a patient’s authorization first before I can discuss PHI with his or her relative or friend?

This is a common situation. And my clients want to be sure they are following the law when it comes to HIPAA compliance. So I set about trying to find a definitive answer to this question.

My search led me to the actual statute itself:


Code of Federal Regulations


Title 45 – Public Welfare
Volume: 1
Date: 2003-10-01
Original Date: 2003-10-01
Title: Section 164.510 – Uses and disclosures requiring an opportunity for the individual to agree or to object.
(3) Limited uses and disclosures when the individual is not present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual’s best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information.
So according to the statute itself, a covered entity is allowed to speak to a family member or friend on a patient’s behalf and disclose PHI. But only if some qualifications are met:

This brings us to the next question:

If my family or friends call my health care provider to ask about my condition, will they have to give my provider proof of who they are?

I found the answer to this question right on HHS.gov: Click here to view.

The answer is no. Healthcare providers are not required to obtain proof of identity for someone calling on your behalf.

However, the information a healthcare provider hands out should be limited as much as possible. And a healthcare provider should use professional judgement and consider the difference between a routine and non-routine request for PHI.

Finally, here’s one more similar question we get:

May healthcare providers leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? And may providers mail appointment or prescription refill reminders to patients’ homes?

Again, the answer is on HHS.gov: View the website here

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).