More Real Life HIPAA Questions and Answers

In response to our last blog covering real life HIPAA questions and answers we received many more questions we’d like to cover today. Most of them center around whether and how to talk with family and friends of a patient.

Family and Friends

The guiding rule about sharing protected health information (PHI) is that it’s the patient’s decision. Just because someone is related to the patient, even close family members, does not give them the right to receive PHI about their loved one.

HIPAA after Death

Question: The son of a patient who died last year after a long illness called our office and asked to obtain his father’s medical records. Since our patient, the father, is deceased, isn’t it acceptable to share his health information with his immediate family? The father named his daughter as the person we could speak with while he was alive.

Answer: You may not share information with the son because HIPAA protects the privacy of deceased individuals for a period of fifty years after death. Only the personal representative, or someone named in a valid HIPAA authorization, like the daughter, is entitled to receive protected health information.

Curious Sibling Wants to Help

Question: I called my sister’s doctor to find out when her next appointment is. I think she may be having health problems but hasn’t shared it with me yet. I wasn’t asking for her diagnosis or anything personal, just the appointment date. Why wouldn’t they just tell me the date?

Answer: They did not tell you because the date alone, in connection with your sister’s name, is considered protected health information (PHI), and may not be disclosed to anyone other than the patient themselves or someone named in a valid HIPAA authorization. Your sister may, if she wishes, authorize you to receive information, and if so, she should provide her doctor with an authorization for you.

Behavioral Health Patients and Family Members

Question: We operate an inpatient behavioral health facility treating substance abuse and mental health issues. We received a phone call from someone who identified themselves as a current patient’s parent, wanting to discuss the patient’s diagnosis and treatment. The patient voluntarily sought treatment here, is an adult over the age of 18 and named only their spouse on our intake form as an authorized person to talk with. Their treatment is covered by insurance from the spouse, not the parent. May we talk with the parent?

Answer: No, the Privacy Rule is clear on this issue. You may not disclose PHI to anyone other than the patient’s personal representative, or someone specifically authorized by the patient, like the spouse in this example. If the patient has not specifically authorized their parent to receive information, you should ask the patient if they agree or object before disclosing anything at all. If they agree, the best practice would be to obtain a new written authorization. If obtaining a written authorization is not practical or feasible, document the patient’s agreement (and date) with a note or memo in their file.

Question: I am a therapist treating a 16-year old for anxiety and depression. Her mother has called me and asked about her diagnosis and treatment. May I speak to her?

Answer: The general rule is that a parent is entitled to know their minor child’s protected health information. In fact, under HIPAA, parents are considered to be their children’s personal representative, meaning they can make decisions about their medical care, obtain access to their PHI, and authorize their PHI to be shared with a third party. However, there are important exceptions to this general rule, including certain state laws that provide more health privacy protections to minors than HIPAA does. HIPAA preempts state law, except where the state law is more stringent (provides more privacy protection).

Practical Advice from The HIPAA E-Tool®

HIPAA can be technical with so many regulations and rules protecting patient privacy. It does not have to be difficult though. If you have a HIPAA question about a real life scenario, be careful where you find the answer – ask an expert –  write us at

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2022 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free