What Information Can Hospitals Give Over the Phone?
What information hospitals can give over the phone depends on the purpose of the phone call, the recipient of the information, and any restrictions or authorizations in force at the time. The phone system being used can also impact what information hospitals can give over the phone.
The most common reasons for asking the question what information can hospitals give over the phone are:
- Healthcare providers want to make sure they comply with HIPAA,
- Patients want to know if their privacy rights have been violated, or
- Families want the maximum information possible about a loved one.
Unfortunately, there is no A, B, and C answer to the question what information can hospitals give over the phone because patients have the right to restrict some or all disclosures and restrict who information is shared with. Additionally, patients have the right to authorize disclosures beyond those permitted by the Privacy Rule to individuals who enquire about the patient’s health.
Therefore, although §164.510 of the Privacy Rule permits hospitals to disclose directory information to individuals who enquire about a patient by name, there are many scenarios in which a request for information could be denied (including because a healthcare provider believes the disclosure is not in the patient’s best interest) or in which it is possible to disclose more than directory information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
What is Directory Information?
Directory information – in the context of what information can hospitals give over the phone – consists of the name of the patient, the location of the patient in the healthcare facility, the patient’s religious affiliation, and the patient’s condition described in general terms that does not communicate specific medical information about the individual.
Hospitals cannot provide any information over the phone about a patient’s past medical history if it is unrelated to the current medical condition, but can discuss treatment plans, drugs, and therapies with a caregiver over the phone provided the identity of the caregiver is verified. Note: some hospitals may require identity verification for any individual enquiring about a patient’s condition even though this is not required by HIPAA.
The Right to Restrict or Authorize Information
The right to restrict what information hospitals can give over the phone not only appears in §164.510 of the Privacy Rule. §164.522 gives patients the right to request privacy protections for PHI; and, although hospitals do not have to agree to most requests, the failure to agree to justifiable requests for privacy protections could result in a complaint to HHS’ Office for Civil Rights.
With regards to patient authorizations, in most cases authorizations are initiated by a covered entity to facilitate a use or disclosure of PHI not permitted by the Privacy Rule. However, there is nothing in the Privacy Rule that prevents a patient authorizing the disclosure of PHI to friends or family members over the phone – although hospitals need to be conscious of the fact that a patient also has the right to revoke an authorization at any time.
What Information Can Hospitals Give Over the Phone for TPO Purposes?
Hospitals can make disclosures of PHI over the phone for treatment, payment, and healthcare operations (TPO). However, how much PHI can be disclosed in a phone call depends on the purpose of the phone call. For example, there are no limitations on what information can be provided to a healthcare provider for the treatment of a patient; but, if the phone call is to a health plan to request authorization for the treatment, the minimum necessary standard applies.
It is also the case that restrictions and authorizations can apply to what information hospitals can give over the phone for TPO purposes. For example, a healthcare provider cannot refuse a request from a patient to restrict PHI disclosures to a health plan if the disclosures relate to a healthcare service the patient (or somebody on behalf of the patient) has paid for privately.
Why the Phone System being Used Might also Matter
Phone calls made by hospitals are either made over a Public Switched Telephone Network (PSTN) or over a Voice over Internet Protocol (VoIP) system. If using a VoIP system, it is necessary for a Business Associate Agreement to be in place with the software vendor before PHI is disclosed in a phone call. The same requirement does not apply to PSTN phone services.
If a hospital has deployed a VoIP system, and a Business Associate Agreement is not in place with the vendor of a VoIP system, the hospital is not allowed to disclose PHI over the phone. Note: some healthcare telephone communications are possible with patients under the FCC’s TCPA Omnibus Declaratory Ruling and Order unless a patient has rescinded their consent to be contacted by phone.
Conclusion: Why it is Important to Know What Information Hospitals Can Give over the Phone
The reasons it is important to know what information hospital can give over the phone are the same as the reasons for asking the question what information can hospitals give over the phone:
- Healthcare providers want to make sure they comply with HIPAA,
- Patients want to know if their privacy rights have been violated, and
- Families want the maximum information possible about a loved one.
The failure to comply with HIPAA, a violation of a patient’s privacy rights, or refusing to give families information that a patient has authorized can result in complaints to HHS’ Office for Civil Rights and a potential compliance investigation. To mitigate the risk of an investigation and the disruption this will cause, hospitals should develop policies and procedures for giving information over the phone.
