Consent vs. Authorization: What You Can Share and Why
HIPAA allows many routine uses and disclosures of protected health information (PHI) without getting a signed form each time. The key is knowing when consent is implied (or when you can rely on a patient’s informal agreement) versus when you need a written HIPAA authorization.
Core distinction: TPO vs. “other” disclosures
Most day-to-day sharing inside healthcare falls under Treatment, Payment, and Healthcare Operations (TPO). TPO disclosures generally do not require a signed HIPAA authorization.
| Category | What it covers | Is written HIPAA authorization required? | Common examples |
|---|---|---|---|
| Treatment | Providing, coordinating, or managing care and related services | No | Sharing labs with a consulting specialist; sending a discharge summary to the next facility; discussing care plan with the care team |
| Payment | Billing and reimbursement activities | No | Submitting claims; verifying coverage; discussing prior authorization with an insurer |
| Healthcare operations | Running the organization and improving care | No | Quality improvement; credentialing; internal audits; training within the workforce |
| Other disclosures | Not for TPO (often marketing, media, employers, some third parties) | Often yes (or another specific HIPAA permission must apply) | Sending records to an employer; releasing information to the media; using PHI for marketing not otherwise permitted |
Practical takeaway: If the purpose is not clearly TPO, pause and determine whether another HIPAA permission applies or whether you need a signed authorization.
Sharing with Family, Friends, and Caregivers: Informal Permission and “Involvement in Care”
HIPAA permits sharing relevant information with a patient’s family, friends, or caregivers when they are involved in the patient’s care or payment for care, if one of these conditions is met:
- The patient agrees (verbally or in writing).
- The patient is given the opportunity to object and does not object (informal permission).
- The patient is not present or is incapacitated, and you determine, using professional judgment, that sharing is in the patient’s best interest and limited to what is relevant.
This is different from a formal HIPAA authorization. It is often handled through a brief conversation and documentation of the patient’s preference.
Step-by-step: How to handle a request from a spouse, adult child, or caregiver
- Identify the requester: Ask for name and relationship (and, when appropriate, verify identity per your facility’s process).
- Clarify the purpose: Are they involved in care or payment? What specifically are they asking?
- Check the chart for documented preferences: Look for a “permission to discuss,” communications note, visitor restrictions, or prior statements.
- If the patient is present and has capacity: Ask the patient directly: “Is it okay if I discuss your discharge plan with your spouse here?”
- If the patient is not present or lacks capacity: Use professional judgment to share only what is relevant to their involvement (e.g., medication schedule for the caregiver who will administer meds).
- Document what you did: Who requested, what the patient said (or why you believed disclosure was in best interest), what you disclosed, and any limits.
Compliant vs. non-compliant examples (family/caregiver)
- Non-compliant: A spouse calls the nurses’ station: “When is she being discharged and what meds is she on?” Staff answers with full discharge time, diagnosis, and medication list without checking for patient permission or preferences.
- Compliant: The patient previously stated: “You can update my spouse about my discharge plan, but don’t discuss my diagnosis.” Staff confirms the spouse’s identity, provides a limited update: “Discharge is planned for tomorrow afternoon; we’ll review home instructions with you if the patient agrees at that time,” and avoids diagnosis details.
- Compliant (patient present): At bedside, staff asks the patient if it’s okay to discuss wound care in front of the adult child. Patient agrees; staff proceeds.
- Non-compliant (patient present): Staff discusses sensitive test results at the bedside while multiple visitors are present, without checking whether the patient wants them to hear.
Family Presence During Bedside Discussions
HIPAA does not prohibit bedside discussions, but it does require reasonable safeguards and respect for patient preferences. The practical question is: Does the patient want these people to hear this information right now?
Step-by-step: Bedside rounding or teaching with visitors present
- Scan the environment: Who is in the room? Are curtains drawn? Is the door open?
- Ask a permission question (simple and routine): “We’re going to review your results and plan. Is it okay to do that with your visitors here?”
- Offer options: “We can ask visitors to step out, or we can discuss general items now and details privately.”
- Adjust the level of detail: If the patient hesitates, move to a quieter area or defer sensitive details.
- Document any standing preference: If the patient consistently wants a particular person present (or excluded), record it.
Compliant vs. non-compliant examples (bedside)
- Compliant: Patient’s friend is in the room. Clinician asks permission before discussing imaging results; patient says “not in front of them.” Clinician asks the friend to step out and continues privately.
- Non-compliant: Staff assumes that anyone in the room is approved and discusses the patient’s new diagnosis and prognosis without checking.
Patient Preferences: Visitor Lists, “Do Not Announce,” and Directory Information
Facilities often maintain a directory (e.g., name, location, general condition) to help with visitors and calls. Patients can typically choose whether they are included and what information may be shared.
What staff should do in practice
- Check the patient’s directory status: Included, excluded (“no information”), or limited.
- Use the patient’s chosen name rules: Some patients may request an alias or restrictions on who can receive information.
- Follow visitor restrictions: If a patient restricts certain individuals, do not confirm presence or location.
Compliant vs. non-compliant examples (directory/visitors)
- Non-compliant: A caller asks, “Is John Smith there?” Staff replies, “Yes, he’s in Room 512 recovering from surgery,” when the patient opted out of the directory.
- Compliant: Patient opted out. Staff responds, “I’m sorry, I don’t have any information on a patient by that name,” and follows internal procedures for handling persistent callers.
- Compliant (limited condition): Patient agreed to directory listing. Staff provides only general condition (e.g., “stable”) and location consistent with facility policy.
Special Situations
Minors and parents/guardians
Parents are often the personal representatives for minors, but there are important exceptions depending on state law and the type of care (for example, certain reproductive health services, mental health services, or substance use treatment may have special confidentiality rules). Staff should not guess.
- Operational rule: If a parent requests information and the situation is sensitive or unclear, escalate to your supervisor or privacy office and check applicable state law and facility policy before disclosing.
- Document who has legal authority and any restrictions communicated by the patient or required by law.
Guardianship and personal representatives (adults)
For adults, a person with legal authority (e.g., court-appointed guardian) may act as the patient’s personal representative for HIPAA purposes, but only within the scope of that authority.
- Step-by-step: (1) Request documentation (court order, guardianship papers) per policy, (2) verify scope (medical decisions vs. financial only), (3) document verification, (4) share information consistent with that scope.
Incapacitated patients
If the patient cannot agree or object (e.g., unconscious, delirious), HIPAA allows sharing with family or others involved in care when, in your professional judgment, it is in the patient’s best interest.
- Share what’s relevant to the person’s involvement (e.g., what the caregiver needs to know to provide home care).
- Avoid unnecessary details that are not needed for involvement in care.
- Reconfirm preferences once the patient regains capacity and update documentation.
Emergencies
In emergencies, disclosures may be permitted to coordinate care and notify family, consistent with professional judgment and facility procedures. The practical focus is rapid, relevant communication to support care and safety.
Documenting Patient Permissions in the Chart
Good documentation turns a one-time conversation into a reliable guide for the whole care team. It reduces inconsistent disclosures and helps staff respond appropriately to phone calls and bedside requests.
What to document (minimum useful elements)
- Who: Names (and relationship) of people approved to receive information; note any explicitly excluded individuals.
- What: The scope (e.g., “appointments only,” “discharge planning,” “billing questions,” “no diagnosis details”).
- How: Phone only, in-person only, patient portal messaging, etc., if the patient specifies.
- When: Date/time of the patient’s statement and who recorded it.
- Capacity context: If patient lacked capacity, document the basis for professional judgment and what was shared.
Example chart note templates
Patient permission to discuss PHI: Patient states it is OK to discuss discharge planning and medication instructions with spouse, Alex Rivera. Patient requests no discussion of diagnosis details with any visitors. Documented by: [Name/Role], [Date/Time].
Incapacitated patient disclosure (best interest): Patient unable to participate due to altered mental status. Provided daughter, Maya Chen, limited update relevant to care coordination: expected transfer time and need to bring home medication list. No diagnosis details discussed beyond immediate care needs. Documented by: [Name/Role], [Date/Time].
Common documentation pitfalls to avoid
- Vague entries like “OK to speak with family” without naming who and what can be shared.
- Not updating after the patient changes their mind or regains capacity.
- Assuming that “next of kin” automatically equals permission for all details.
Quick Decision Guide for Frontline Staff
| Situation | Best action | What you can say |
|---|---|---|
| Spouse asks for discharge time; no documented permission | Check chart; ask patient if present; if not present, use judgment only if spouse is involved in care and disclosure is in best interest | “Let me confirm what we’re allowed to share. If the patient agrees, we can review the discharge plan together.” |
| Visitor in room during rounds | Ask patient if they want visitor present for discussion | “Is it okay to discuss your results with them here?” |
| Patient opted out of directory; caller asks if patient is admitted | Do not confirm presence or location | “I don’t have any information on a patient by that name.” |
| Adult child claims to be caregiver and wants medication list | Verify involvement; check documented permission; if patient incapacitated, share only what’s relevant and document | “Are you the person helping with medications at home? Let me verify what we can share and then we’ll review the instructions.” |