45 CFR 164.510 Explained: HIPAA Rules on Care Involvement, Facility Directories, and Disaster Relief

45 CFR 164.510 sets out when a covered health care provider may use or disclose protected health information (PHI) with a patient’s agreement, when the patient has an opportunity to object, and when you may rely on professional judgment. It governs facility directories, disclosures to family and friends, and information sharing during disasters.

This guide translates the rule into practical steps you can apply at the bedside, at registration, and in command centers—so you can communicate effectively while honoring patient privacy.

Facility Directory Use and Restrictions

If your organization maintains a facility directory, 45 CFR 164.510(a) lets you include limited details about an inpatient or resident, provided the individual is informed and given a chance to object or restrict. Only the following elements are permitted:

• Name.
• Location in the facility (for example, a room or unit).
• General condition stated in broad terms (such as “good,” “fair,” or “critical”).
• Religious affiliation (disclosed only to clergy).

Directory disclosures to the public are limited to those who ask for the individual by name, and never include religious affiliation. Members of the clergy may receive directory details, including religious affiliation, without asking for a specific name, consistent with pastoral care practices.

If an individual objects—or places limits—you must honor those preferences. A complete opt-out means you may not confirm the person’s presence in the facility. Be mindful that other laws may impose stricter limits for certain records; when in doubt, narrow the disclosure or consult privacy leadership.

Opportunity to Object to Directory Listings

Before placing information in the directory, inform the individual about what will appear and to whom it may be disclosed. Give a clear, practical opportunity to agree, object, or impose limits (for example, “list my name only,” or “do not share my location”). Oral permission is sufficient; document the decision in the record so staff can follow it consistently.

When the individual is not present or is incapacitated, you may use professional judgment to include directory information if doing so is in the person’s best interest and not contrary to any known preference. As soon as feasible, give the patient the chance to review, object, or refine those choices. A personal representative may exercise these rights where state law authorizes that role.

Disclosure to Family and Friends

Under 45 CFR 164.510(b), you may share PHI that is directly relevant to a family member’s, other relative’s, close personal friend’s, or any person identified by the individual’s involvement in care or payment. If the patient is present and has capacity, you can obtain oral permission, allow an opportunity to object, or reasonably infer agreement from the circumstances (for example, the patient invites a friend into the exam room).

Disclosures must stay limited to the minimum necessary—what is directly relevant: share what the caregiver needs to assist with medications, wound care, or follow-up, or what a payer needs to resolve a bill. You may also use or disclose PHI as needed for notification of family members or others responsible for the individual’s care, including to confirm location, general condition, or death.

If the patient cannot agree because of incapacity or an emergency, rely on professional judgment to determine what disclosure is in the patient’s best interest. A personal representative generally stands in the patient’s shoes for HIPAA purposes; however, you may reasonably decline to treat someone as a personal representative if doing so could endanger the patient (for example, in suspected abuse situations). Take reasonable steps to verify who is requesting information before sharing it.

Professional Judgment in Emergencies

Professional judgment is central to 45 CFR 164.510 when time is short or the patient lacks capacity. You may disclose PHI to a person involved in the patient’s care if, in your judgment, the disclosure is in the patient’s best interest and limited to what that person needs to know. The same principle applies to temporary inclusion in a facility directory when the patient cannot express a preference.

Use common-sense limits. For instance, give a spouse concise, actionable information about discharge instructions; avoid unnecessary clinical detail. Document the rationale for your decision, especially in complex or high-risk scenarios.

Disaster Relief Information Sharing

45 CFR 164.510(b) also permits disclosures to public or private entities authorized to assist in disaster relief efforts (for example, organizations chartered for emergency response). You may coordinate with these entities to notify or help notify family, friends, or others responsible for the individual’s care about the person’s location, general condition, or death.

When practicable, seek the patient’s agreement or give an opportunity to object. If that is not feasible due to the circumstances, you may rely on professional judgment. Align your approach with your incident command structure and any applicable emergency area declaration to ensure consistent, lawful information flows during response operations.

Limited Waiver of HIPAA Sanctions

During certain declared emergencies, HHS may issue a limited HIPAA Privacy Rule waiver of sanctions and penalties under section 1135 of the Social Security Act. This waiver applies only when there is both a Presidential emergency or disaster declaration and a public health emergency declared by the HHS Secretary, and only for covered hospitals in the designated emergency area and period that have instituted disaster protocol implementation.

When in effect, the waiver may suspend sanctions for failing to:

• Obtain a patient’s agreement to speak with family or friends involved in care.
• Honor a patient’s request to opt out of the facility directory.
• Distribute a notice of privacy practices.
• Honor a patient’s right to request privacy restrictions.
• Accommodate a patient’s request for confidential communications.

This relief is time-limited—generally up to 72 hours from the start of a hospital’s disaster protocol implementation—and it ends sooner if the underlying emergency declarations terminate. Even without a HIPAA Privacy Rule waiver, HIPAA already permits essential disclosures for treatment, certain public health activities, notifications to family, and coordination with disaster relief organizations.

Emergency Preparedness and Communication Requirements

Effective preparedness turns legal allowances into reliable practice. Build privacy-aware communication steps into your emergency operations plan so staff can act quickly and compliantly under 45 CFR 164.510.

• Embed directory prompts at registration to record a patient’s preferences, including any opt-out or limits, and make them visible in the EHR.
• Develop call scripts for notification of family members that keep statements to location and general condition unless more detail is directly relevant to care involvement.
• Define roles for who may speak with families, friends, clergy, and disaster relief organizations; provide just-in-time job aids for frontline teams.
• Establish quick identity verification steps (for example, callback to known numbers or request of shared passcodes) before disclosing PHI by phone.
• Train on professional judgment: disclose only what serves the patient’s best interest, and document decisions made when the patient cannot consent.
• Test disaster protocol implementation during drills; confirm that privacy safeguards, message templates, and escalation to privacy officers function under pressure.
• Coordinate with business associates and emergency partners so minimum necessary data exchanges are clear before an event.

Bottom line: 45 CFR 164.510 gives you practical flexibility to support care and loved ones while protecting privacy. Use directory controls, obtain or infer permission when appropriate, rely on professional judgment in emergencies, and follow defined disaster communication processes—supplemented by limited, time-bound waivers only when formally declared.

FAQs

What information can be included in a facility directory under 45 CFR 164.510?

You may list a patient’s name, location in the facility, and general condition in broad terms (such as “good” or “critical”) for those who ask for the patient by name. Religious affiliation may be included but disclosed only to clergy. All listings require informing the patient and offering an opportunity to object or limit what appears.

How does 45 CFR 164.510 address disclosures during emergencies?

The rule allows you to rely on professional judgment to disclose PHI in the patient’s best interest when the patient is not present or lacks capacity. You may also share information with disaster relief organizations to help notify family or others of the patient’s location, general condition, or death, seeking the patient’s agreement when feasible.

What are the conditions for waiving HIPAA sanctions under disaster protocols?

A limited HIPAA Privacy Rule waiver may apply only when both a Presidential emergency or disaster declaration and an HHS public health emergency are in effect. It is limited to covered hospitals in the declared emergency area that have activated disaster protocol implementation and generally lasts up to 72 hours from activation, or ends sooner if the declarations terminate.

How is professional judgment applied when the patient cannot consent?

Use professional judgment to decide what disclosure best serves the patient’s interests, keeping the information directly relevant and no broader than necessary. Examples include giving a caregiver essential instructions for medications or listing the patient in the directory when appropriate. Document what you shared and why, and revisit decisions once the patient can express preferences.