The HIPAA Privacy Rule generally permits hospitals and other healthcare facilities to maintain facility directories that provide certain basic information about patients within the facilities. The HIPAA Privacy Rule and facility directories is discussed below.
What are Facility Directories?
Under the HIPAA Privacy Rule, covered entities, including hospitals and other covered health care providers, may use the following protected health information (PHI) in facility directories:
- A patient’s name;
- A patient’s location in the covered entity’s facility;
- A patient’s condition described in general terms, that does not communicate specific information about the individual; and
- The individual’s religious affiliation.
Covered entities may disclose the appropriate directory information listed above – except for religious affiliation – to anyone who specifically asks for a patient by name. Religious affiliation may be disclosed to members of the clergy. For example, the HIPAA Privacy Rule and facility directories regulations allows a hospital to disclose the names of Methodist patients to a Methodist minister unless a patient has restricted such disclosure.
What Rights Does the HIPAA Privacy Rule and Facility Directories Regulations Allow Patients?
The patient must be informed about the information to be included in the directory, and to whom the information may be released. In addition, patients must have the opportunity to restrict the information or to whom it is disclosed. Patients also have the right to opt out of being included in the directory.
The patient may be informed about the information to be included, to whom it may be released, and the right to restrict and to opt out. A patient may make his or her preferences about being included in the directory known, either orally or in writing.
Can Directory Information be Made Available During an Emergency?
Even when, due to emergency treatment circumstances or incapacity, the patient has not been provided an opportunity to express his or her preference about how, or if, the information may be disclosed, directory information about the patient may still be made available if doing so is in the individual’s best interest. Directory information about a patient may not be made available during an emergency, if making such information available is inconsistent with any known preference expressed by the patient.
In emergency scenarios, the covered entity, as soon as practicable, must inform the patient about the directory, and provide the patient an opportunity to express his or her preferences about how, or if, the directory information may be disclosed.