The Case Manager
Recently, I received a call from a company that arranges specialist appointments for my husband and me with our primary care doctor. When I answered the phone, the caller identified herself and asked to speak to my husband. I said he was not home, but that I was his wife and could help her.
She said no; she had to speak with him directly. I said he is not home, but I would be glad to deliver a message to him. She said that, due to HIPAA, she needed his permission to speak with me. I tried to tell her I was his wife and could share the information. The caller became upset and said, "I can’t talk to you, or I will get in trouble." Just then, my husband walked in. I explained who was on the phone and that she could not talk to me unless he gave her permission. I gave him the phone so he could give her permission to speak with me.
Once this was done, the caller provided information about an appointment she was trying to schedule. After she finished, I tried to explain HIPAA to her. We talked for a while, but she did not agree and was getting upset, so we ended the call. As I hung up, I sat there and thought … Do we as healthcare professionals take HIPAA too far?
In many cases, HIPAA can become a shield, a script, or a way to shut down communication—even when the law actually allows far more flexibility than staff realize. This isn’t malicious; it’s usually due to fear, a lack of training, or a misunderstanding. But it creates unnecessary friction for families and disrupts care coordination.
HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed in 1996. HIPAA is the main Federal law that protects health information. It is an important law, especially today, given the many ways health information is shared, which can put personal data in the wrong hands. Health care professionals are usually trained in the law as part of their orientation and annually, in accordance with the organization's policy. But despite training, HIPAA is often not understood, which can cause problems.
So, I did some research and want to break down what I found, which might help healthcare professionals better understand HIPAA, into two parts:
- What companies should be doing
- What HIPAA actually allows providers to disclose to family members
1) How Companies Should Address Staff Misuse or Misinterpretation of HIPAA
Organizations can fix how HIPAA is misunderstood, but it requires intentional training and culture change. Here are some examples.
A. Teach the “spirit” of HIPAA, not just the rules
HIPAA is designed to protect privacy, not to block communication that supports patient care. Staff often default to “I can’t tell you anything” because they fear getting in trouble. Training should emphasize:
- When communication is allowed
- How to verify permission
- How to leave appropriate messages
- How to avoid over-restricting access
When staff understand the purpose of HIPAA, they stop weaponizing it.
B. Provide clear scripts for common situations
Most confusion happens in routine interactions. Companies should give staff simple, compliant scripts such as:
- “I have information for your husband. Please have him call me back.”
- “Is he comfortable with you receiving this information?”
- “I can share general information, but not clinical details without his permission.”
Language like this reduces fear and improves communication.
C. Reinforce that HIPAA allows professional judgment
HIPAA explicitly allows providers to exercise professional judgment when communicating with family members involved in care. Many staff don’t know this. Training should highlight:
- It’s okay to share relevant information
- It’s okay to confirm appointments
- It’s okay to leave non-clinical messages
D. Leadership must model a reasonable, patient-centered interpretation
If supervisors are overly rigid, staff will be too. Leaders need to reinforce:
- “HIPAA is not a barrier to care.”
- “We support communication that helps patients.”
E. Address tone and professionalism
Even when HIPAA is applied correctly, the way it’s communicated matters. Staff should be trained to:
- Avoid sounding accusatory
- Avoid shutting down conversation
- Explain the reason behind the policy
- Offer alternatives
2) What HIPAA Actually Allows Providers to Disclose to Family Members
This is the part most people — including staff — misunderstand. HIPAA does allow providers to share information with family members in many situations, including without written authorization.
A. If the patient is present and gives verbal permission
Verbal permission is enough.
B. If the patient is present and does not object
If the patient is standing there and doesn’t object, staff may share relevant information.
C. If the patient is not present but the information is directly related to care
HIPAA allows staff to use professional judgment to share information with family involved in care, such as:
- Appointment details
- Referral status
- Medication pick-up
- Discharge instructions
- General updates
This is where I think the caller in my example could have handled things differently by saying:
“Please have your husband call me about his cardiology referral.” This is absolutely allowed.
D. If the patient is incapacitated
If the patient is unconscious, confused, or otherwise unable to consent, HIPAA permits disclosure to family members involved in the patient's care if it is in the patient’s best interest.
E. What cannot be shared without permission
- Detailed clinical findings
- Diagnoses
- Test results
- Treatment plans
- Sensitive information (mental health, substance use, HIV, etc.)
Routine administrative information, however, is generally allowed.
Why This Matters
- To prevent over-application of HIPAA
- To reduce staff fear or misunderstanding
- To address poor communication training
- To avoid missed opportunities to include the patient and their family as part of the healthcare team
It is my hope that organizations revisit their training to ensure staff understand that HIPAA is not intended to prevent families from participating in care. Training can help staff understand that HIPAA is important and can be used to protect information as needed without shutting down communication.
If you want to learn more about HIPAA, here is a good site that explains the law's intent and what you can share when talking to family members. https://www.healthit.gov/topic/privacy-security-and-hipaa/hipaa-basics
Have a good week!
About The Author
Anne Llewellyn
Anne Llewellyn is a registered nurse with over forty years of experience in critical care, risk management, case management, patient advocacy, healthcare publications, and training and development. Anne has been a leader in the area of Patient Advocacy since 2010. She was a Founding member of the Patient Advocate Certification Board and is currently serving on the National Association of Health Care Advocacy. Anne writes a weekly blog, Nurse Advocate, to share stories and events that will educate and empower people to be better prepared when they enter the healthcare system.