A Guide to PHI Use and Disclosure for Your Practice's Facility Directory (45 CFR § 164.510(a))

Executive Summary

Facility directories serve a crucial role in helping family members and the public locate patients admitted to a healthcare setting. But under HIPAA, listing a patient’s information in a directory is not automatic. Section 164.510(a) permits covered health care providers to include a limited set of PHI (name, location, general condition, and religious affiliation) in a directory, and only after the patient has been informed and given the opportunity to object. This guide explains how small practices, clinics, and care facilities can use and disclose PHI for their facility directories in a compliant manner, including patient opt-outs, permissible disclosures, and practical documentation.

Introduction

Imagine a family member calls your clinic or facility asking whether their loved one is admitted. If your staff confirms the admission before the patient has had the chance to object, or worse, posts it in a public-facing directory, that may violate HIPAA.

Under Section 164.510(a) of the HIPAA Privacy Rule, covered health care providers may use or disclose a limited set of patient information for facility directories. The permission is conditional: the information is limited to four elements, the patient must first be informed and given the opportunity to restrict or prohibit the use or disclosure, and disclosures may go only to the recipients the rule names.

For small and mid-sized healthcare providers, the facility directory rule often flies under the radar. However, failure to understand and apply its limits can lead to unintentional privacy violations.

This guide outlines what information may be shared in a directory, when patient authorization is required, and how to manage disclosures properly.

What Is a Facility Directory?

A facility directory is a listing maintained by a healthcare provider that identifies patients who are admitted or receiving care, typically within an inpatient or clinical setting. It may be used to:

  • Inform family and friends of a patient’s presence
  • Allow clergy or religious representatives to visit patients
  • Help staff direct visitors to appropriate rooms

Directories may exist as:

  • A receptionist’s log
  • A database on a digital kiosk
  • An internal patient listing accessible by phone

The key issue is that even minimal patient information in a directory is considered PHI and must be handled in compliance with HIPAA.

What Information Can Be Included?

Under § 164.510(a), a facility may include the following elements in its directory:

  1. Patient's name
  2. Location in the facility (e.g., room number)
  3. Condition described in general terms that do not communicate specific medical information (e.g., “good,” “fair,” “critical,” but never a diagnosis or procedure)
  4. Religious affiliation

Name, location, and general condition may be disclosed to any person who asks for the patient by name. Members of the clergy may receive all four elements, including religious affiliation, and need not ask for the patient by name. Religious affiliation may not be disclosed to anyone other than clergy.


Patient Rights and Consent Requirements

A practice may include a patient’s information in a directory only if:

  • The patient is informed in advance of what information may be included and to whom it may be disclosed
  • The patient has an opportunity to restrict or prohibit some or all of those uses and disclosures
  • The patient’s preferences are documented and respected

The rule allows the patient to agree or object orally; a written form is not required. If a patient objects, in whole or in part, the provider must honor that objection, for example by listing the patient but withholding religious affiliation, or by not listing the patient at all.

If the patient is incapacitated or being treated in an emergency and cannot practicably be asked, the provider may include the information if doing so is consistent with any preference the patient previously expressed and, in the provider’s professional judgment, in the patient’s best interest. The provider must inform the patient and offer the opportunity to object as soon as it becomes practicable.


Common Use Cases for Small Facilities

Scenario | Permitted? | Requirements
Patient verbally agrees to be listed in directory | Yes | Oral agreement satisfies the rule; note that the patient was informed and agreed
Family member asks for a patient by name | Yes | Only if the patient is listed; disclose name, location, and general condition only
Clergy asks for a list of Catholic patients | Yes | Clergy may receive religious affiliation without naming the patient, for listed patients who have not restricted it
Patient requests not to be listed | No | Exclude the patient (or the restricted element) from the directory
Patient is unconscious; provider lists them in directory temporarily | Yes | Only if consistent with any known prior preference and in the patient’s best interest; ask when practicable and honor any objection

Case Study: Directory Disclosure Without Consent

A small rehab clinic maintained a front-desk directory listing the names and room numbers of all patients receiving physical therapy. A local journalist visited the clinic and obtained a copy of the list, which included a local public figure.

The journalist published the admission, leading to public embarrassment and a formal HIPAA complaint. OCR’s investigation found that:

  • Patients had not been informed of the directory
  • No opportunity was provided to object
  • The directory was viewable to anyone in the waiting area

As a result, the clinic entered a resolution agreement that included:

  • Staff training on patient consent
  • Elimination of public directory displays
  • A formal policy for managing patient listings

Lesson: Even low-tech, informal directories violate HIPAA when patients are not informed and given the chance to object before they are listed.


Best Practices for Directory Compliance

1. Create a Written Directory Policy

Document:

  • What PHI is included (name, room, general condition, religious affiliation)
  • When and how patients are informed of the directory and of their right to object
  • How objections, in whole or in part, are documented and honored
  • How disclosures are restricted to persons who ask for the patient by name, and religious affiliation to clergy only

2. Offer the Right to Object Upon Intake

During patient registration:

  • Inform the patient of your directory use
  • Offer a clear opportunity to agree or decline
  • Record their decision in their medical record

Oral agreement or objection satisfies the rule; record the patient’s choice in writing so that front-desk and phone staff can honor it.

3. Train Front Desk and Phone Staff

All staff handling visitor or phone inquiries should be trained to:

  • Only disclose directory information if the patient is listed
  • Require the caller to ask for the patient by name
  • Refer clergy requests to designated personnel
  • Handle objections or updates respectfully and confidentially

4. Avoid Public Displays of PHI

Do not post room assignments, treatment schedules, or patient logs in public spaces. Use secure logins or access-controlled internal systems.

5. Establish Religious Disclosure Controls

Only disclose religious affiliation:

  • If the patient has not objected
  • To clergy members who identify their role
  • Through secure means (not via public lists or postings)

HIPAA Compliance Checklist for Facility Directories

Task | Responsible | Frequency
Create and review directory use policy | Privacy Officer | Annual
Inform patients of directory and right to object | Intake Nurse | Each admission
Document agreement or objection in patient record | Admissions | Each patient
Train staff on handling inquiries and disclosures | Office Manager | Twice a year
Prevent public posting of directory info | All Staff | Ongoing

HIPAA-Compliant Directory Disclosure Script (For Phone Calls)

Caller: “Hi, I’m trying to find out if Maria Gonzalez is currently admitted at your clinic.”

Staff:

  • If Maria was informed of the directory and did not object:
    “Yes, she is here and currently in Room 204. Her condition is listed as fair.”
  • If Maria objected, was never given the opportunity to object, or is not a patient at all:
    “I’m sorry, I can’t confirm or deny whether that person is here.”

Use exactly the same wording in all three non-disclosure cases. If “not here” and “here but opted out” get different answers, the answer itself tells the caller that the patient is present.
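The script above, and the earlier advice to keep directory data in access-controlled internal systems, amount to a small access-control policy. The following is an added example written for this guide, not code from the original page or from any vendor: it models the § 164.510(a) rules so that a general requester who names a patient gets only name, location, and general condition; clergy may also receive religious affiliation and may query by affiliation; and a patient who objected, was never asked, or is not present at all receives the identical “cannot confirm or deny” answer. The general-condition vocabulary, the names, rooms, and statuses are constructed sample data and assumptions, not values from the page.

```python
"""Facility-directory disclosure logic modelled on 45 CFR 164.510(a).

Added illustration for this guide. Patient records, condition vocabulary
and requester names are constructed sample data, not real patients.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumed general-condition vocabulary; the rule only requires that the
# condition not communicate specific medical information.
ALLOWED_CONDITIONS = {"undetermined", "good", "fair", "serious", "critical"}

# One identical answer for "not a patient", "objected" and "never asked",
# so the response cannot be used to infer that someone is present.
NOT_LISTED = "I cannot confirm or deny whether that person is here."


class Status(Enum):
    AGREED = "agreed"            # informed and did not object
    OBJECTED = "objected"        # opted out of the directory entirely
    NOT_ASKED = "not_asked"      # no opportunity to object yet, not an emergency
    PROVISIONAL = "provisional"  # incapacitated; listed under 164.510(a)(3)


@dataclass
class Patient:
    name: str
    room: str
    condition: str
    religion: Optional[str] = None
    status: Status = Status.NOT_ASKED
    share_religion: bool = True   # a patient may restrict part of the listing

    def __post_init__(self):
        # Reject anything more specific than the general-condition vocabulary.
        if self.condition not in ALLOWED_CONDITIONS:
            raise ValueError(f"condition {self.condition!r} is too specific for a directory")


class Directory:
    def __init__(self, patients):
        self._by_name = {p.name.casefold(): p for p in patients}
        self.audit = []   # (requester, query, outcome) for every decision, disclosed or not

    @staticmethod
    def _listed(p):
        return p.status in (Status.AGREED, Status.PROVISIONAL)

    def lookup_by_name(self, requester, name, is_clergy=False):
        """Answer a request that names the patient. The caller must already have
        verified the clergy claim (the guide's 'designated personnel')."""
        p = self._by_name.get(name.casefold())
        if p is None or not self._listed(p):
            self.audit.append((requester, name, "not disclosed"))
            return NOT_LISTED
        info = {"name": p.name, "room": p.room, "condition": p.condition}
        if is_clergy and p.religion and p.share_religion:
            info["religion"] = p.religion   # affiliation goes to clergy only
        self.audit.append((requester, name, "disclosed " + ",".join(sorted(info))))
        return info

    def clergy_list(self, requester, religion):
        """Clergy may receive directory information without naming the patient,
        filtered by affiliation. Patients who objected or restricted affiliation
        are excluded; nobody but verified clergy should reach this method."""
        matches = [
            {"name": p.name, "room": p.room, "condition": p.condition, "religion": p.religion}
            for p in self._by_name.values()
            if self._listed(p) and p.share_religion and p.religion == religion
        ]
        self.audit.append((requester, f"religion={religion}", f"disclosed {len(matches)} entries"))
        return matches

    def record_preference(self, name, status, share_religion=True):
        """Record an oral or written agreement/objection. An objection from a
        provisionally listed patient takes effect on the next lookup."""
        p = self._by_name[name.casefold()]
        p.status = status
        p.share_religion = share_religion
        self.audit.append(("intake", name, f"preference {status.value}"))


def build_sample_directory():
    # Constructed sample data for the example; not real patients.
    return Directory([
        Patient("Maria Gonzalez", "204", "fair", "Catholic", Status.AGREED),
        Patient("John Doe", "210", "good", "Catholic", Status.OBJECTED),
        Patient("Ana Silva", "212", "serious", "Catholic", Status.PROVISIONAL),
        Patient("Wei Chen", "215", "good", None, Status.NOT_ASKED),
        Patient("Lena Berg", "218", "good", "Catholic", Status.AGREED, share_religion=False),
    ])


if __name__ == "__main__":
    d = build_sample_directory()
    print(d.lookup_by_name("front desk", "Maria Gonzalez"))
    print(d.lookup_by_name("front desk", "John Doe"))      # objected: NOT_LISTED
    print(d.lookup_by_name("front desk", "Nobody Here"))   # same answer as above
    print(d.clergy_list("chaplain", "Catholic"))
```

The point worth copying into any real system is the single NOT_LISTED answer: absent, objected, and not-yet-asked patients are indistinguishable to the requester, while the audit log still records which case applied. The condition check in `Patient` is a guard against staff entering a diagnosis where the rule allows only a general term.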

Exceptions and Special Considerations

  • Emergencies: If the patient is incapacitated or in emergency treatment and cannot practicably be asked, directory inclusion is allowed if it is consistent with any known prior preference and in the patient’s best interest; ask, and honor any objection, once it becomes practicable.
  • Minors: Follow state-specific parental rights when disclosing directory info about minors.
  • Mental Health: State laws may impose stricter requirements; always apply the more protective rule.
  • Substance Use Facilities: 42 CFR Part 2 may prohibit inclusion in a directory altogether.

Regulatory References and Guidance

  • 45 CFR § 164.510(a), Use and disclosure for facility directories (HIPAA Privacy Rule)
  • 42 CFR Part 2, Confidentiality of Substance Use Disorder Patient Records

Final Takeaways and Recommendations

HIPAA does not prohibit facility directories, but it requires that patients be informed and allowed to opt out. If your practice maintains any kind of directory for patient names, locations, or religious affiliations, make sure:

  • You notify patients and document their preferences
  • You do not list any individual who objects
  • Staff are trained to handle disclosures properly
  • No directory information is accessible publicly without control
  • Clergy access is limited to compliant use cases

By establishing a structured, compliant directory process, your practice can maintain compassionate care coordination without compromising patient privacy.
