Recently, I received a call from a company that arranges specialist appointments for my husband and me with our primary care doctor. When I answered the phone, the caller identified herself and asked to speak to my husband. I said he was not home, but that I was his wife and could help her.
She said no; she had to speak with him directly. I said he was not home, but I would be glad to deliver a message to him. She said that, due to HIPAA, she needed his permission to speak with me. I tried to tell her I was his wife and could share the information. The caller became upset and said, “I can’t talk to you, or I will get in trouble.” Just then, my husband walked in. I explained who was on the phone and that she could not talk to me unless he gave her permission. I gave him the phone so he could give her permission to speak with me.
Once this was done, the caller provided information about an appointment she was trying to schedule. After she finished, I tried to explain HIPAA to her. We talked for a while, but she did not agree and was getting upset, so we ended the call. As I hung up, I sat there and thought: Do we, as healthcare professionals, take HIPAA too far, and how can we balance the law, so it is inclusive rather than exclusive?
In many cases, HIPAA can become a shield, a script, or a way to shut down communication—even when the law actually allows far more flexibility than staff realize. This isn’t malicious; it’s usually due to fear, a lack of training, or a misunderstanding. But it creates unnecessary friction for families and disrupts care coordination.
HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed in 1996. HIPAA is the main federal law that protects health information. It is an important law, especially today, given the many ways health information is shared, which can put personal data in the wrong hands. Healthcare professionals are usually trained in the law as part of their orientation and annually, in accordance with the organization’s policy. But despite training, HIPAA is often not understood, which can cause problems.
So, I did some research and want to break down what I found, which might help healthcare professionals better understand HIPAA, into two parts:
- What companies should be doing
- What HIPAA actually allows providers to disclose to family members
1) How Companies Should Address Staff Misuse or Misinterpretation of HIPAA
Organizations can fix how HIPAA is misunderstood, but it requires intentional training and culture change. Here are some examples.
- Teach the “spirit” of HIPAA, not just the rules
HIPAA is designed to protect privacy, not to block communication that supports patient care. Staff often default to “I can’t tell you anything” because they fear getting in trouble. Training should emphasize:
- When communication is allowed
- How to verify permission
- How to leave appropriate messages
- How to avoid over-restricting access
When staff understand the purpose of HIPAA, they stop weaponizing it.
- Provide clear scripts for common situations
Most confusion happens in routine interactions. Companies should give staff simple, compliant scripts such as:
- “I have information for your husband. Please have him call me back.”
- “Is he comfortable with you receiving this information?”
- “I can share general information, but not clinical details without his permission.”
Language like this reduces fear and improves communication.
- Reinforce that HIPAA allows professional judgment
HIPAA explicitly allows providers to exercise professional judgment when communicating with family members involved in care. Many staff don’t know this. Training should highlight:
- It’s okay to share relevant information
- It’s okay to confirm appointments
- It’s okay to leave non-clinical messages
- Leadership must model a reasonable, patient-centered interpretation
If supervisors are overly rigid, staff will be too. Leaders need to reinforce:
- “HIPAA is not a barrier to care.”
- “We support communication that helps patients.”
- Address tone and professionalism
Even when HIPAA is applied correctly, the way it’s communicated matters. Staff should be trained to:
- Avoid sounding accusatory
- Avoid shutting down conversation
- Explain the reason behind the policy
- Offer alternatives
2) What HIPAA Actually Allows Providers to Disclose to Family Members
This is the part most people — including staff — misunderstand. HIPAA does allow providers to share information with family members in many situations, including without written authorization.
- If the patient is present and gives verbal permission
Verbal permission is enough.
- If the patient is present and does not object
If the patient is standing there and doesn’t object, staff may share relevant information.
- If the patient is not present but the information is directly related to care
HIPAA allows staff to use professional judgment to share information with family involved in care, such as:
- Appointment details
- Referral status
- Medication pick‑up
- Discharge instructions
- General updates
This is where I think the caller in my example could have handled things differently by saying:
“Please have your husband call me about his cardiology referral.” This is absolutely allowed.
- When the patient is incapacitated
If the patient is unconscious, confused, or otherwise unable to consent, HIPAA permits disclosure to family members involved in the patient’s care if it is in the patient’s best interest.
- What cannot be shared without permission
- Detailed clinical findings
- Diagnoses
- Test results
- Treatment plans
- Sensitive information (mental health, substance use, HIV, etc.)
Routine administrative information, however, is generally allowed.
Why This Matters
- To prevent over-application of HIPAA
- Reduce the staff’s fear or misunderstanding
- Poor communication training
- Missed opportunities to include the patient and their family as part of the healthcare team.
It is my hope that organizations revisit their training to ensure staff understand that HIPAA is not intended to prevent families from participating in care. Training can help staff understand that HIPAA is important and can be used to protect information as needed without shutting down communication.
If you want to learn more about HIPAA, here is a good site that explains the law’s intent and what you can share when talking to family members. https://www.healthit.gov/topic/privacy-security-and-hipaa/hipaa-basics
Would love to know your thoughts on this post. Please add a comment and let me know what you think or if you have run into a scenario like I did.
Thanks and have a good week!

Thanks, Anne,
I have run into this problem many times. My husband has aphasia and sleeps in until around 11:00 a.m. Therefore, getting him on the phone has become an impossibility. Even though he has a special telephone that can show in written word the conversation, his dementia has prevented him from being able to understand conversation. So I have had to e-mail my Power of Attorney to some institutions prior to obtaining the needed information. I agree that sometimes a good thing can have unforeseen complications.
What may also happen is that different places interpret HIPAA differently.
When my son was in college (about 10 years ago), he gave written permission for the health center to give me information about his health. He had had some type of event that I called to find out more about, and they refused to tell me anything. They claimed that he had to be present, as in right there in the room, in order for them to share his information.
Despite my pulling the nurse card and saying that is not what HIPAA says. If any student signed any type of consent, then they could talk to a caller/parent. They continued to refuse saying that NY state required this.
So being who I am, I called another NY state college health center to ask if NY state had some special extra rule requiring the student be present. They said they did not. At their facility, the student only needed to sign a release for parents to get info.
Here, two academic health facilities interpreted the law differently, which could have significant consequences, as college students may not take medical advice seriously or fail to follow up.
When making phone calls as an Insurance Case Manager assisting with care and appointments and encountered similar situations we received provided non-clinical information when the caller identified as a spouse or direct family member recognized by state law for MPOA. As a follow-up I offered sending a medical release consent to have on file so in future calls if more clinical information is requested, staff can provide this. While everyone is trained in HIPAA many do not clearly understand what is allowed with or without MPOA on file.
The information you provided, Anne, would go a long way to preventing this scenario if it was incorporated in annual HIPAA training for everyone!
Anne,
I abhor the verbal treatment you received.
If it had been me, I might have told her I had signed a HIPAA form with the referring MD, assuming that was correct, so the caller could at least tell you the crux of information, rather than both of you getting upset.
I am in agreement that too many office staff are not trained well enough and/or do not have the common sense to be polite!
There have been situations when I next see the MD, I let him/her know as they often have no idea what goes on between office staff and patients. They have always expressed appreciation for letting them know.
I learned from a very knowledgeable person, many years ago, to consider PRAISE IN PUBLIC, PUNISH IN PRIVATE. By telling the MD, such activities as you ran into, get resolved VERY QUICKLY.
Hello Anne,
This is excellent information, like always.
Thank you so much