How to Handle PHI Disclosures for a Patient's Care or Notification to Family (45 CFR § 164.510(b))

Executive Summary

Section 164.510(b) of the HIPAA Privacy Rule permits healthcare providers to disclose protected health information (PHI) to a patient’s family members, close friends, or others involved in their care, without written authorization, under specific conditions. This includes sharing PHI directly related to the person's involvement in the patient's care or for notifying them of the patient’s location, condition, or death. For small practices, understanding this exception is critical to balancing compassion with compliance. This guide explains when and how disclosures can be made, how to document them, and how to protect patient rights.

Introduction

Family members often want updates about a loved one’s medical condition. But what if a spouse calls asking for test results? Or an adult child requests to speak on behalf of an elderly parent?

HIPAA protects patient privacy but also allows for reasonable and compassionate disclosures to people involved in the patient’s care. Section 164.510(b) provides that under specific conditions, providers may communicate PHI to family, friends, or caregivers without violating privacy laws.

For small practices, these disclosures are common, but so are mistakes. This article will guide you through when and how you can share PHI appropriately under the Care and Notification provision of the HIPAA Privacy Rule.

Understanding the Scope of 164.510(b)

Section 164.510(b) permits a provider to use professional judgment to disclose PHI to:

  • Family members, relatives, or close friends involved in the patient’s care
  • Any person identified by the patient

It also permits notifying those individuals of the patient’s location, general condition, or death.

These disclosures must relate only to the person’s involvement in the patient’s care or payment for care.

HIPAA permits these disclosures in two situations: with the patient’s agreement, when the patient is present and has the capacity to object; or on the provider’s professional judgment, when the patient is incapacitated or unavailable.

When the Patient Is Present and Has Capacity

If the patient is present and capable of making healthcare decisions, you may disclose PHI:

  • With the patient’s agreement
  • If the patient is given the opportunity to object and does not
  • If the provider reasonably infers from the circumstances that the patient does not object

Example: A patient brings her husband to an appointment. The doctor explains her lab results while he is in the room, and the patient does not object. This is considered an acceptable disclosure.

When the Patient Is Not Present or Incapacitated

If the patient is:

  • Unconscious
  • Mentally impaired
  • Otherwise unavailable

...the provider may use professional judgment to determine if the disclosure is in the patient’s best interest.

Permitted disclosures include:

  • Sharing treatment updates with a spouse or parent
  • Informing a caregiver about medication regimens
  • Notifying next of kin of a patient’s location or general condition

In these situations, the provider must limit the disclosure to information relevant to the person’s involvement in the care.

Case Study: Disclosure Without Patient Consent

A small internal medicine clinic treated a middle-aged man with diabetes and hypertension. During a visit, the physician disclosed lab results to the patient’s adult daughter, who had accompanied him to the appointment.

Later, the patient filed a complaint, stating he had not wanted his daughter informed.

OCR’s investigation found:

  • No documentation of the patient agreeing to the disclosure
  • No evidence that the patient had been given a chance to object
  • The physician had assumed consent based on the daughter’s presence

The clinic was required to:

  • Implement new policies for verifying consent during visits
  • Train staff on appropriate application of 164.510(b)
  • Add EHR flags prompting providers to confirm and record disclosure permissions

Lesson: Even well-meaning disclosures can violate HIPAA if assumptions are made without using professional judgment and documentation.

Special Circumstances: Death, Emergencies, and Notification

After a Patient’s Death

Under 164.510(b)(4), a provider may disclose PHI to family members or others involved in the care prior to death, unless the patient had previously expressed objections.

Example: A nurse may inform a long-time caregiver of a patient’s passing and general cause of death if that person was involved in the patient’s care.

Emergencies and Natural Disasters

PHI may be shared to notify a patient’s family or assist in locating them during:

  • Emergencies
  • Hospital evacuations
  • Mass casualty events

Even without consent, HIPAA permits disclosures that serve the patient’s best interest in urgent situations.

Clergy and Religious Affiliates

Providers may disclose:

  • Patient name
  • Location in facility
  • General condition
  • Religious affiliation

...to clergy, unless the patient objects. This allows chaplains to visit patients based on hospital directories or religious listings.

Using Professional Judgment Wisely

HIPAA does not provide a strict checklist for these disclosures; instead, it gives providers discretion.

Your professional judgment should consider:

  • The patient’s behavior (e.g., silence, nodding, inviting someone to the visit)
  • Verbal or written consent
  • Risk of harm or embarrassment
  • Cultural and family dynamics

When in doubt, it’s better to ask the patient explicitly and document the decision.

What Can Be Shared? Minimum Necessary Still Applies

Providers must ensure that they disclose only PHI directly relevant to the person’s involvement in the patient’s care.

OK to share:

  • Treatment plans
  • Medication instructions
  • Appointment information
  • General condition updates

Not OK to share:

  • Psychotherapy notes
  • Full medical history
  • Genetic or HIV test results (unless specifically relevant)

Documenting Disclosures and Consent

To protect your practice:

  • Document the person’s name and relationship to the patient
  • Note how and when consent was obtained
  • Use EHR templates or alerts for recurring caregivers
  • Update permissions during each visit when needed

Sample EHR Note:
“Patient accompanied by spouse (Maria Lopez). Patient confirmed verbally that Maria may be informed about treatment and medications. – Dr. Rivera, 07/28/2025”

Checklist for Small Practices

| Task | Responsible | Frequency |
|---|---|---|
| Train staff on 164.510(b) rules | Privacy Officer | Annual |
| Ask patient who may receive updates | Intake Staff | At registration |
| Document verbal or written consent | Provider | Every visit |
| Use discretion for incapacitated patients | Clinical Staff | Per event |
| Limit disclosures to relevant PHI | All staff | Ongoing |

Frequently Asked Questions

Can I talk to a patient’s spouse over the phone?

Yes, if the patient has given prior consent, is present and agrees, or if you reasonably believe it’s in the patient’s best interest. Always document the conversation and rationale.

Can I notify someone that a patient is in the hospital?

Yes, if the individual is involved in the patient’s care or if it's for notification purposes. Use your judgment and limit information to the general condition and location, unless more detail is appropriate.

What if the patient is a minor?

Different rules apply. Generally, parents or legal guardians may receive PHI unless the minor has legal authority under state law to control their care (e.g., for reproductive health or mental health services).

Final Takeaways

HIPAA recognizes that family and close friends often play a vital role in patient care. Section 164.510(b) gives healthcare providers the flexibility to share PHI when appropriate, as long as:

  • The patient agrees or does not object
  • The disclosure is relevant to the person’s role in the care
  • Professional judgment is used
  • Documentation supports the decision

In small practices, these moments are common. With the right awareness, your team can show compassion without compromising compliance.
