The “Right to Object”: How to Handle Disclosures to Family or Friends When the Patient is Present (45 CFR § 164.510(b)(2))

Executive Summary

Under the HIPAA Privacy Rule, covered entities are permitted to share certain aspects of a patient’s Protected Health Information (PHI) with family members or friends involved in their care or payment, provided the patient is present and is given the opportunity to object. This nuanced right, outlined in § 164.510(b)(2), is often misunderstood, especially by small practices. This guide walks through legal requirements, operational steps, and compliance safeguards to help small providers responsibly handle such disclosures while preserving patient trust and regulatory alignment.

Understanding the Legal Framework of the “Right to Object”

What Is § 164.510(b)(2)?

The Privacy Rule under 45 CFR § 164.510(b)(2) allows covered entities to disclose PHI to family members, close friends, or others identified by the patient when the patient is present and:

  • Has the capacity to make healthcare decisions; and

  • Is given an opportunity to object to such disclosure, and does not express an objection.

If the patient agrees, or does not object after being given a chance, the disclosure is permitted. This provision is designed to support continuity of care, especially in outpatient and small-practice settings.

Key Language from the Regulation

"If the individual is present during the disclosure, or otherwise available prior to the disclosure, and the covered entity obtains the individual’s agreement, provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection... the covered entity may disclose the protected health information." – 45 CFR § 164.510(b)(2)

Scenarios Where the Right to Object Applies

The regulation commonly applies in situations such as:

  • A spouse accompanying a patient to an appointment and asking about medication changes

  • An adult child assisting an elderly parent during a primary care visit

  • A close friend driving the patient home from surgery and requesting discharge instructions

In all these cases, the provider must assess whether:

  1. The patient is present

  2. The disclosure involves care or payment

  3. The patient agrees, is silent, or explicitly objects

Step-by-Step Guide for Small Practices

Step 1: Determine if the Patient Is Present and Cognitively Capable

If the patient is physically or virtually present (e.g., during a telehealth call), and appears competent to make healthcare decisions, this section applies. If the patient is unconscious or not present, refer to § 164.510(b)(3) instead.

Step 2: Identify the Requesting Party

Verify the identity and role of the family member, friend, or caregiver. Ask open-ended questions like:

  • “What is your relationship to the patient?”

  • “Are you involved in their healthcare or payment for services?”

Log their name and relationship in the EHR or encounter notes.

Step 3: Give the Patient a Clear Opportunity to Object

Before disclosing any PHI:

  • Ask the patient directly: “Do you mind if I share this information with [Name]?”

  • Provide the option to say no, either verbally or non-verbally.

  • Watch for hesitation, discomfort, or negative body language.

Example language:

“Since [Name] is with you today, is it okay if I discuss your test results while they are in the room?”

Step 4: Proceed Based on the Patient’s Response

| Patient Response | Disclosure Allowed? | Action |
|---|---|---|
| Explicit agreement | Yes | Proceed with documentation |
| Silent or non-objection | Yes | Proceed and document non-objection |
| Explicit objection | No | Politely deny the request, explain reasoning |

Documentation Checklist

Maintaining documentation is key to demonstrating compliance during audits or complaints. Include the following in your EHR:

| Documentation Element | Notes |
|---|---|
| Date and time of interaction | When disclosure or potential disclosure occurred |
| Name and relationship of requesting individual | e.g., spouse, adult child, caregiver |
| Whether patient was present | Confirmed via in-person or telehealth visit |
| Patient's response | Agreement, non-objection, or explicit objection |
| Staff initials and role | Who made the disclosure or decision |

Best Practices for Handling the Right to Object

Train All Frontline Staff

Ensure that all clinicians, nurses, and receptionists understand:

  • The difference between verbal agreement and silence

  • When disclosure is inappropriate

  • How to manage uncomfortable or emotional situations

Include role-playing scenarios during annual HIPAA training sessions.

Standardize Authorization vs. Informal Consent

Do not confuse § 164.510(b)(2) disclosures with formal HIPAA authorizations. Authorization is required for:

  • Psychotherapy notes

  • Marketing communications

  • Non-care-related disclosures

But for informal disclosures (e.g., sharing appointment details with a spouse in the room), this section is sufficient, provided the patient has the chance to object.

Use Technology Cautiously

For telehealth:

  • Ensure the patient is visibly and audibly present

  • Confirm the identities of all parties in the virtual room

  • Ask for consent in front of all present individuals

Do not assume the patient consents simply because someone else is on the call.

Common Pitfalls and How to Avoid Them

When disclosing Protected Health Information (PHI) in the presence of a patient’s family or friends, small healthcare practices often make avoidable mistakes that can lead to HIPAA violations. One common error is assuming that if someone is physically in the room, the patient has automatically consented to share their information. This assumption ignores the possibility that the patient may feel pressured or unsure how to object. It is essential to always ask for the patient’s explicit permission in front of others, using clear and respectful language.

Another issue is interpreting silence as consent. If a patient hesitates or appears uncomfortable, silence should never be treated as approval. Instead, staff should check in verbally and offer to speak privately. Even though HIPAA allows informal disclosures under §164.510(b)(2), failing to document these interactions can be costly during an audit. Every informal permission or objection should be noted in the patient’s EHR.

Virtual settings add complexity. During telehealth or speakerphone calls, others may be listening without the provider’s knowledge. Always ask who is present and get verbal consent before continuing.

Finally, inadequate staff training can lead to unintentional disclosures. All team members should receive regular training on how to handle consent conversations professionally and compliantly.

Real-Life Case Study: A Costly Misunderstanding

A small cardiology practice in the Midwest faced an OCR complaint after a nurse disclosed medication information to a patient’s girlfriend during a follow-up appointment. The patient had brought her to the visit but later filed a complaint, stating he was not given the opportunity to object.

Though the disclosure was minor, OCR determined the practice had no documentation of the patient’s consent or silence. As a result, the practice had to implement a formal corrective action plan, train staff, and revise documentation protocols.

Lessons Learned:

  • Even implied disclosures must be clearly documented

  • Patients can file complaints even if harm is minimal

  • Consent can never be assumed, even in casual care settings

Practical Compliance Table: Quick Reference

| Scenario | Disclosure Permitted? | Notes |
|---|---|---|
| Patient present and agrees | Yes | Document verbal consent |
| Patient present, no objection after being informed | Yes | Document non-objection |
| Patient present and explicitly objects | No | Do not disclose |
| Patient not present or incapacitated | Use § 164.510(b)(3) | Refer to best interest or prior directive standards |
| Adult child asks for info via phone without patient present | No | Formal authorization likely required |
| Partner on speakerphone during telehealth session | If patient agrees | Consent must be confirmed audibly |

Final Thoughts and Recommended Next Steps

The “Right to Object” under § 164.510(b)(2) provides flexibility for small practices to support care coordination without unnecessary paperwork, but only when used properly. Covered entities must create a culture of respect for patient autonomy and a system of clear, consistent documentation.

Next Steps for Your Practice:

  1. Update HIPAA Policies to reflect patient presence and objection procedures.

  2. Develop a Standard Consent Interaction Script for routine patient visits.

  3. Enhance EHR Templates to capture informal consent interactions.

  4. Schedule Staff Training with real-world examples on objection handling.

Consider leveraging a HIPAA compliance automation tool to streamline your efforts. Such platforms help you document and manage obligations, conduct regular risk assessments, and remain audit-ready, reducing liabilities while signaling accountability to regulators and patients alike.
