HIPAA Privacy Rule: Communicating with Family and Friends

New guidance about communicating with a patient’s family, friends or caretakers was released by the U.S. Department of Health and Human Services, Office for Civil Rights. This is the office entrusted with education about and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. They have created two documents that lay out details about sharing information about a patient, one for providers of care and one for patients or consumers of care.


As I read these two documents, I found myself recalling my internship training in a Community Mental Health Center. We were clearly instructed that we were not even to acknowledge that a person was a client of the Center if someone telephoned about them. Family or friends accompanying them to their visit were not invited into the session unless the patient asked that they be included. Even minor adolescents and children were granted the privacy of the therapy session unless a clear agreement including parents or caretakers was reached. Obviously, the therapeutic relationship in the behavioral health field is a more sensitive matter than in many physical health settings. My experience is that mental health providers have always been more concerned and responsible about securing a patient/client/consumer’s privacy than anyone providing physical health care I have ever met.


In this electronic world in which we live, I have seen some of that care diminished; and we have begun to bump into this matter in technical support at SOS. HIPAA provides that a Covered Entity (a health care provider who electronically transmits certain transactions including electronic claims) must assure the security and privacy of their patient information. It also requires that Covered Entities educate people and organizations who provide services to them about the necessity of protecting the health information of their patients. In fact, it requires that Covered Entities maintain a Business Associate Agreement (BAA) with each person or organization with whom they do business who might in the course of doing business be exposed to the Protected Health Information (PHI) of their clients. If you have any doubt about whether you are, or are not, a Covered Entity, it would seem prudent to assume that you are and to execute a BAA with anyone to whom you reveal PHI.


When implementation of the Privacy Rule was first mandated in April 2003, we were asked to execute BAAs by a very small proportion of our customers. During the five years since then, we have almost never been asked to sign such a document. Since service to our customers is a big part of who we are, we have made available a BAA that makes it very easy for a Covered Entity to assure that SOS is handling their data in an appropriate fashion if we ever have access to it (http://www.sosoft.com/fod/doc105-sosbaa.pdf). Even given the ease of accomplishing this agreement, we still have difficulty getting provider organizations to do so.


What is your take on the HIPAA Privacy Rule and how it is implemented in your organization? Were you on top of this in 2003 and 2004 but not as likely to educate staff and your computer and software vendors in 2008? Do you see a difference between how psychology, psychiatry and other behavioral health organizations handle the Privacy Rule and how physical health providers do so? Has the rule kept you from filing your claims electronically so you would not become a Covered Entity?


0 thoughts on “HIPAA Privacy Rule: Communicating with Family and Friends”

  • Kathy,
    I have heard that in January 2010 Powers of Attorney dated 2004 or prior for either financial or medical decisions will be effectively invalid.
    My understanding is that there is law going into effect next year that makes these older POAs inconsistent with HIPAA regulations and will likely cause problems if not re-written/updated.
    I work for a system of nursing homes in Colorado and if this change is coming, it will represent both a logistical and financial hardship for the residents it affects.
    Can you direct me to articles that describe the potential changes?

    • Pamela,
      Thanks for your comment. I have not heard about this at all, but since I hold a POA for my mother, I will look into this. The most effective way I have found to get information on these issues is Google search. I will search HIPAA, HITECH and power of attorney and see what comes up. If you get to do this before I do, please share what you find.

  • Dear Kathy, I am the aunt-in-law of a 53-year-old woman with a sad history of schizophrenia. Because she, at age 16, had successfully committed her schizophrenic mother to a mental institution, my niece never would entrust any immediate family member with a health power of attorney. The result…several SERIOUS lapses requiring deeper psychiatric treatment than the standard 6 weeks max allowed by most insurance carriers. Examples: drinking scalding water to rid herself of a sore throat; taking her 6-year-old daughter for a 2-day wander, covering her with mud to protect from mosquitos; and a suspected abdominal de-gutting to get rid of ulcer pain. During her inadequate treatment for these and other problems, her family was completely out of the information and treatment loop. Now she has died from complications of her degutting. No one was allowed to know where she was: a homeless shelter, a nursing home which didn’t know she needed TPN feedings daily, nor the hospital that housed her until someone called her eldest daughter to give permission to remove her from life support. This is NOT right. My niece was incapable of making decisions crucial to her well-being. Please inform me if there is someone I can work with to ensure that families have access to the information they need to help their mentally ill relatives get treatment and care they desperately need.

    • Hi Trish, I am sorry to hear of your loss. One of the biggest challenges in healthcare….and mental health care in particular…is the balance between the right to privacy of the consumer of care and their need for care. I do not believe there are any simple answers. Once there is a national health information network in which our medical histories care resides, the kind of omissions that resulted in your niece’s death may be diminished, but not if the consumer does not grant permission for care providers to access their records. I would suspect that your local National Association for the Mentally Ill (NAMI) chapter can direct you on how you can become involved to help keep such terrible errors from occurring in the future for other folks. Thanks for sharing your experience with the rest of us.

  • Hi 🙂

    We consistently use our BAA (that was created way back in 2003.) With the new 02/2009 rules (that go into effect 02/2010) I’m wondering if we need to re-write our BAA to reflect the changes… I’ve searched the internet (including the links listed above + hipaa.com) however the only examples/discussions I see are pre-02/2009.

    Any advice?

    Thanks in advance, Deanna 🙂

    • Deanna,

      I would hold off on making any changes but monitor the recommendations of hipaa.com and others. When new law passes, it always takes time for everyone to digest those changes and determine if it is necessary to change practices. I’ll keep my eyes and ears open too.


  • Sometimes links get changed over time, especially once final regulations are published in the Federal Register. You can find all the information about HIPAA privacy at the following web site: http://www.hhs.gov/ocr/privacy/index.html

    It is also listed in the Useful Connections box above as the Office for Civil Rights – HIPAA. Thanks for pointing out the broken link, Jeni.

  • I don’t know if this is a HIPAA violation, Ann, but if you are doing patient documentation your login needs to be associated with services you provide and documentation you create for record keeping purposes. Your licensure and certification bodies probably require that. I would suggest that you speak with your supervisor about these issues. You can also use the Office of Civil Rights web site to ask questions about HIPAA…probably anonymously. That is definitely a better place to get answers to a question like this than here. Try the link on the left side of our blog or go to http://www.hhs.gov/ocr/hipaa/.

  • Hello! As part of cost-saving measures of our SNF, I have been instructed to borrow log-in names and passwords with my other co-worker. You see, if I have access to all programs in our PC, it costs the company about $28 more a month! Aside from being so inconvenient to me, I always thought this was a HIPAA violation, as I do some patient documentation in these programs. Please respond and HELP!!!
