Is Calling an Emergency Contact a HIPAA Violation?

Calling an emergency contact is not a HIPAA violation when a HIPAA Covered Entity or Business Associate limits the disclosure to what is permitted under the HIPAA Privacy Rule, uses professional judgment based on the patient’s circumstances, and shares only the protected health information needed for the specific purpose of notification or care coordination.

A regulated workforce member may contact an emergency contact to notify a family member, personal representative, or another person identified by the patient about the patient’s location, general condition, or death, when the communication fits within permitted uses and disclosures for notification purposes. A regulated workforce member may also communicate with a person involved in the patient’s care or payment for care when the disclosure relates to that involvement and aligns with the patient’s stated preferences or known instructions.

When the patient is present and has decision-making capacity, the HIPAA Privacy Rule permits the disclosure when the patient agrees, when the patient is given an opportunity to object and does not object, or when the circumstances support a reasonable inference that the patient does not object. When the patient is not present, is incapacitated, or an emergency prevents obtaining an agreement, the HIPAA Privacy Rule permits the disclosure when the workforce member determines, using professional judgment, that the disclosure is in the patient’s best interests.

A call can create HIPAA compliance risk when the caller discloses more information than is necessary for the purpose, discloses information to an incorrect person, or discloses information contrary to a patient restriction that the organization has agreed to honor. Examples include leaving a detailed voicemail that reveals diagnosis or treatment plans, discussing sensitive details with a person whose relationship to the patient is not confirmed, or continuing to share information after the patient has objected to involving that individual. Disclosures to emergency contacts also remain subject to internal role-based access controls and verification practices.

Operational controls that support compliant calls include confirming the emergency contact information in the designated record, verifying the recipient’s identity to a reasonable standard, limiting the content to location and general condition unless additional detail is permitted, and recording the disclosure in the medical record or the organization’s communication log when required by policy or when the situation involves an objection, a restriction, or a disagreement about authorization.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]