Submit your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org  and we will work with our experts to provide the information you need.
Q: I recently overheard a telephone call between a coworker who is a nurse practitioner (NP) and a patient’s husband who was requesting details about the patient’s care. At first, the NP said she could not disclose any information because the husband was not listed as an authorized person on the HIPAA forms. However, she eventually relented and read several visit summaries to the patient’s husband. Is this a HIPAA violation? Am I obligated to report what I overheard?
A: HIPAA does not prohibit sharing information with family members and even friends who are involved in the care of a patient, assuming that the practitioner believes it is in the patient’s best interest to do so.
The information shared should be the minimum necessary to permit the family member or friend to provide needed care or to navigate payment issues. If possible, you should always confirm that the patient wants particular individuals involved. Because of the level of domestic violence and disruption in society, a provider should not assume that a spouse has automatic rights to information. However, if the provider knows the situation and believes sharing information is in the patient’s best interest, it is within his or her purview to do so.
Determining whether it was appropriate to disclose the visit summaries would depend on the situation and whether the patient was able to consent to giving them to her husband. If the patient was unable to consent, the provider needs to consider whether the husband is also a caregiver and needs the information to provide proper care.
As for reporting this type of situation, all staff should raise issues they witness. While the patient’s information may have been properly shared in this instance, bringing the matter to the attention of your privacy officer will allow for a more in-depth investigation and corrective actions/education that may be needed.
Editor’s note: Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing.  This information does not constitute legal advice. Consult legal counsel for answers t j o specific privacy and security questions.