Healthcare professionals understand and appreciate the privacy protections of HIPAA: patient’s health information generally cannot be shared by covered entities without patient authorization except as necessary to provide care, make payment for care, and support operations. In other words, HIPAA defines a minimum-level of allowed information-sharing and additional information-sharing is at the discretion of the patient. Family, friends, and strangers have no automatic right to know patient information. This is good.
My concern is not with HIPAA, but with how it is implemented. Informed family and friends are essential to patient care and well-being, from the mundane activities such as encouraging medication compliance to providing essential support during acute episodes. Yet healthcare providers mostly make no attempt to pro-actively ask the patient who the patient wants to share information with and under what circumstances. Furthermore, even when a patient expresses that they want information-sharing with members of their support network, providers too often impose information-sharing roadblocks.
Lack of explicit consent is not necessarily an issue when a patient lives in a traditional family and those family members accompany the patient to physician appointments and sit by the patient’s side during hospital stays. HIPAA allows providers to infer authorization if the patient and the third-party are both present and the patient does not object to information-sharing. Furthermore, if the provider feels that information-sharing is reasonable based professional judgment, experience with common practice, and reasonable inferences about a patient’s best interests. Therefore, present and supportive members of the patient’s traditional family receive information without the necessity of written consent.
Providers are less likely to use their judgment to share information with family and friends of patients who have not been at their side during healthcare encounters. Likewise, they are not keen to share information with those not related by marriage or blood, such as family members in non-traditional families and friends. Yet patients with non-traditional support networks are in no less need of assistance from family and friends than the patients in traditional families.
Last time I personally went to the emergency room I was (appropriately) asked about my biological sex, gender-identity, and preferred pronouns. But although I was there for a visual disturbance that could have been indicative of a stroke or brain tumor and I was alone, I was only asked for the name of an emergency contact person. While designating someone an emergency contact does not entitle the designee to healthcare information, I was not asked what information could be shared with that person or whether I had granted anyone HIPAA authorization or wanted to grant HIPAA authorization then and there. This was OK in my situation as it was a relatively short path from my local emergency contact to my out-of-state, adult-children, and to a packet of healthcare documents that includes HIPAA authorizations, a durable healthcare power of attorney, and an end of life directive.
Many patients, however, including vulnerable people from my church who I have accompanied on healthcare encounters, live alone or in non-traditional families and do not have pre-prepared healthcare documents. While their families and friends are family and friends are essential in coordinating transitions of care, providing non-SNF post-acute care, reducing readmissions and readmissions, making decisions when the patient cannot make the decisions, and many good healthcare outcomes, communication with their support network is hit-or-miss.
Providers should explicitly ask the patients, preferably both on intake and during the course of longer treatments, who can receive what information under what circumstances. In general, HIPAA authorizations should be actively elicited, easy, and, when the patient wishes, comprehensive, durable, and portable. Furthermore, there should not be surprise roadblocks to implementing a patient’s wishes.
As of now, roadblocks abound. For example, my durable HIPAA authorization authorizes any current or future provider to release any information, including mental health and substance abuse information, to my children, providers have the right to put up roadblocks. For example, they can require that the authorization be on their own form, that my children’s identity be verified (tricky if the children are calling for information from another state), and invoke particular hurdles for information related to my mental health.
If I have full cognition, the roadblock should be temporary and without consequences. But if my cognition is impaired there may be significant consequences. For example, the kids may not have access to the information to implement my healthcare instructions. Surprisingly, my NJ-standard durable power of attorney for health care held by my children does not explicitly incorporate HIPAA authorization and apparently it should. One would think, incorrectly, that HIPAA authorization is imputed from a healthcare power of attorney when, in fact, physicians have discretions in deciding whether to impute the authorization. 
The healthcare system and the people within it, both providers and patients, can do a better job supporting appropriate health communication between patients and their support-network, including patients whose support network is not a traditional family.
 The NJ-standard Durable Power of Attorney for Health Care form neither grants HIPAA authorization nor instructs the user of the form to separately grant a HIPAA authorization: https://www.state.nj.us/health/advancedirective/ad/forums-faqs/
 These links discuss the ambiguity of imputed HIPAA authorization for holders of durable healthcare power of attorney: https://www.hhs.gov/hipaa/for-professionals/faq/3000/does-having-health-care-power-attorney-allow-access-patients-medical-mental-health-records-under-hipaa/index.html, https://info.legalzoom.com/durable-power-attorney-hipaa-21911.html