HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos



HIPAA Q&A: Disclosure of information

Email This Post Print This Post

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com and we will work with our experts to provide the information you need.

Q: I work in a medical records office and consider myself familiar with HIPAA rules and regulations. I recently tried to schedule an appointment for my fiancé at his dentist’s office, which I have done in the past. However, I was told on this occasion that I am not permitted to schedule the appointment because my fiancé did not authorize me to do so on HIPAA disclosure documents. I thought this was strange, so I requested that the office manager call me and I also requested a copy of the dental office’s notice of privacy practices (NPP). The practice refused to give me its NPP, and I have been waiting for more than a week for a return call. Does HIPAA dictate who can schedule a patient’s appointment? If so, should an NPP include this information? If this is part of a practice’s NPP, I wonder whether a breach occurred when I scheduled an appointment for my fiancé in the past.

A: There are a couple of issues here. First, the office should certainly provide you with a copy of its NPP. In fact, it is required to post it on its website if it has one, and at minimum on the wall at the practice.

HIPAA addresses disclosure of information. You can make an appointment for your fiancé without office staff needing to reveal any information about him to you and, therefore, this is acceptable under HIPAA. You are not bound by HIPAA as an individual and may share whatever information requested by the practice to make and confirm the appointment.

It may be that staff at the practice refused to make the appointment because they are confused or that they are concerned about no shows. However, there is no reason to refuse your request to make an appointment for your fiancé—unless, of course, he has requested this restriction.

Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


  1. Joe D. Gillespie says:

    Remember that HIPAA provides a national, minimum level of patient protections which means that any provider can decide to set a higher level of protection for their patients. That being said, it does seem a bit extreme to not allow you to just schedule an appointment for your fiance. You’re not asking for his PHI to be shared with you. More than likely, the office staff (like many people) are not well-informed about HIPAA and assume it requires a “dome of silence” over any and all discussions apart from the patient. Simply NOT the case.

  2. Sandi Durand says:

    To follow up on this question, if a non-paitnet calls to make an appt, are we violating any HIPAA regulations by admitting that this person is actually a patient of our medical practice? For example, my practice works with many domestic violence situations and we have had an estranged spouse call to make an appt for their wife, when in fact what they were doing was confirming the location of the wife so they could come to harm her. I know this is a safety issue and we deal with it as such, but it is also a HIPAA Issue?

  3. Jaclyn Fitzgerald says:

    Thanks for the feedback, Sandi and Joe.

    Sandi, I’ll pass your question along to one of our HIPAA columnists and get back to you.

  4. Karen Levy says:

    Even if it’s not a HIPAA violation for you to be able to make appointments for another person, the covered entity is permitted to have HIPAA policies that disallow a third party to make appointments. And in Sandi’s example there is a good reason not to.

    The solution is simple: have your fiance authorize you to make appointments for him.

    It is a bit strange that they refuse to send you a NPP. Perhaps they’re interpreting HIPAA as providing the NPP only to patients of the covered entity. As Joe stated, they should have it posted on their website if they have one. Again, perhaps your fiance can request the NPP.

Leave a Reply