Patient’s Guide to HIPAA – Uses and Disclosures: Do I Have a Say in Any Disclosures? (Facility Directories and Caregivers)





You are reading the Patient’s Guide to HIPAA, FAQ 57. 



FAQ 57: Do I Have a Say in Any Disclosures?  (Facility Directories and Caregivers)

Yes, but only in a few circumstances.

First, if you are in a facility (e.g., an inpatient in a hospital), the facility can disclose basic information about your presence, location, and general condition through a facility directory.  One limitation is that the facility can’t reveal information that discloses specific medical information about you (e.g., you are an inpatient on the psychiatric floor or are in a kidney dialysis unit).

The idea behind facility directory disclosures is that if someone comes to visit you or sends flowers, the hospital can say that you are there and, perhaps, where you are. The hospital may disclose your religious affiliation, but only to a member of the clergy.

You have a right to object to facility directory disclosures. The covered entity must offer you an opportunity to object to the inclusion of your information in a facility directory. If, because of incapacity or emergency treatment, you weren’t offered the chance to object, the hospital can still make limited disclosures in emergency circumstances. For example, if you are unconscious, the emergency room can tell your spouse where you are. That seems perfectly reasonable.

Second, HIPAA has a complex but flexible set of rules governing disclosures to caregivers. A caregiver can be your next of kin, other family member, or another person involved in your care (e.g., a roommate). The HIPAA rule allows disclosure of information relevant to the caregiver’s involvement in your care. A covered entity can make a disclosure to locate a family member or other caregiver.

If you (the patient) are present at the time of a disclosure to a caregiver, the covered entity can seek your agreement, offer you an opportunity to object, or reasonably infer from the circumstances that you do not object. Essentially, the rule specifically allows the exercise of professional judgment for the types of disclosures that have long been made to caregivers.

If a patient is not present or is incapacitated at the time of disclosure, the covered entity may exercise professional judgment and make disclosures directly relevant to a caregiver’s responsibility, including payment-related activities. Thus, the rule allows your spouse to pick up your prescription at the pharmacy without written consent from you or to negotiate with your health plan.

A 2013 change clarifies that a covered entity may disclose a decedent’s information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. This gives health care providers and health plans the discretion to do what they consider to be the right thing for families of patients recently deceased.

Another provision addresses disclosures for disaster relief purposes. An example is disclosure to the Red Cross following a hurricane. The disaster relief provision, for example, allowed appropriate health disclosures during and after Hurricane Katrina.

Family Members and Health Record Disclosures:  Disclosures by health care providers to family members have always been common. Those are some of the disclosures that the rule contemplates. Importantly, the caregiver exception also covers disclosures by insurance plans to family members. That allows a family member to negotiate approval of your treatment or payment of the bill with the insurance company while you are incapacitated.

In general, the caregiver provision seems to have worked well after some initial confusion. The trick is to strike a reasonable balance between privacy and the normal expectations of patients and families. It is a delicate balance, and we think that HIPAA did well here. Giving considerable discretion to health professionals had a lot to do with the success of this provision.

Third, a covered entity can use or disclose information for its own fundraising purposes. The 2013 changes broadened allowable fundraising disclosures, and this change is worth noting. A covered entity can use or disclose to a business associate or related foundation your name, address, other contact information, age, gender, and date of birth. In addition, it may use or disclose information about dates of care, department of service, treating physician, outcome information, and health insurance status. No other PHI may be used for fundraising. This expansion means that a hospital can now tell a fundraiser that you were treated by the oncology or psychiatry department. That is a bit much, if you ask us.

You can opt out of fundraising requests. First, if a covered entity intends to use PHI for fundraising, it must include a statement in its notice of privacy practices. Second, each fundraising communication must include a clear and conspicuous opportunity to opt out of future fundraising communications, and the opt-out method cannot impose an undue burden or more than a nominal cost. Making you write a letter to opt out is not allowed, however. Third, a covered entity may not condition treatment or payment on the individual’s choice about fundraising communications.

Fourth, you have the right to authorize the disclosure of your health records to anyone you like. The HIPAA rule sets standards for authorization forms, and if a form does not meet HIPAA standards, then the form does not constitute patient authorization. We are not going to bore you with the technical requirements for authorization forms. We discuss the strategy for authorizations later. (See FAQs 62, 63, 64.) Anyone who wants you to authorize a disclosure or is a covered entity will know the technical requirements. This isn’t typically a problem that patients have to solve.

Consent or Authorization? The rule uses both consent and authorization as terms that apply when a patient gives approval for the disclosure of a health record. Consent is the term that applies when a patient gives an organization permission to disclose for treatment, payment, and health care operations. Authorization is the term that applies to all other disclosures approved by a patient. The reason for the difference in terminology is buried in the history of the rule, and it is too boring to explain. Normally, patients will encounter the term authorization.

When might a patient authorize disclosure?  You might authorize disclosure if you are applying for life or disability insurance. You might authorize your doctor to send information to your employer or to a school to explain an absence. You could authorize your doctor to disclose your records to your lawyer, a family member, or a health researcher. You might want records disclosed to support a disability claim made with the Social Security Administration. It is also possible that you might even want to share your records with the police under some circumstances (perhaps to clear you of suspicion). You might want to authorize a provider to give records to the organization maintaining your personal health record (but we think you should think twice before casually establishing a personal health record. For more on PHRs, see the World Privacy Forum report Personal Health Records: Why Many PHRs Threaten Privacy at

For the most part, however, HIPAA has defined the range of non-consensual uses and disclosures to include nearly every possible disclosure that is either necessary or convenient for the health care system to operate or for the government to carry out its many functions. After all, the HIPAA rule was written by the Department of Health and Human Services, one of the biggest users of health records in the country. The first thing that HHS did in writing the rule was to take care of its own interests in obtaining access to records.



Roadmap: Patient’s Guide to HIPAA: Part 3: What You Should Know about Uses and Disclosures (FAQ 57 of 65)
